1. Overview
OIS-01 Information Security Management System (ISMS)

| Designation | Standard |
|---|---|
| OIS-01.01B | The cloud service provider maintains an ISO/IEC 27001-compliant information security management system (ISMS). The scope of the ISMS covers the cloud service provider's organisational units, locations, zones, regions and procedures relevant to the development and operation of the cloud service. |
| | The basic criterion can also be fulfilled without valid certification of the ISMS according to ISO/IEC 27001 or ISO 27001 based on BSI IT-Grundschutz, if the submitted documentation meets the requirements of ISO/IEC 27001. The auditor has to evaluate whether the documentation meets the referenced requirements of the ISO standard. This does not require a full certification audit of the management system in accordance with ISO 17021, but a focused inspection of the related documentation. |
| | Cross-sectional functions do not need to be integrated into a single ISMS. Instead, multiple ISMS can be established to cover both cloud service-specific internal control systems and organisation-wide/central functions effectively. |
| | The scope of the ISMS may go beyond the scope of the cloud service provider's system of internal control for the cloud service in scope of an assurance engagement with this criteria catalogue. If the scope of the ISMS is broader than the scope of the assurance engagement, the evidence to be obtained about the design and operation of the ISMS can be limited to records that are applicable to the cloud service in scope of the assurance engagement. |
| OIS-01.02B | The measures for setting up, implementing, maintaining and continuously improving the ISMS are documented. The documentation includes: |
| | 1. Context of the cloud service provider; |
| | 2. Scope of the ISMS (section 4.3 of ISO/IEC 27001); |
| | 3. Statement of applicability (section 6.1.3 of ISO/IEC 27001); |
| | 4. Overview of how activities in the ISMS cover the cloud service; |
| | 5. Description of how the cloud service provider maintains and improves the cloud service's security; and |
| | 6. Results of the last management review (section 9.3 of ISO/IEC 27001). |
| OIS-01.03B | Additionally, the cloud service provider documents the scope and boundaries of the cloud service under its operational control, including any exclusions or shared-responsibility areas. |
| OIS-01.01AC | Existing valid certifications according to ISO/IEC 27001 are issued and recognised by an accredited certification body. |
| OIS-01.01AS | The Information Security Management System (ISMS) has a valid certification according to ISO/IEC 27001 or ISO 27001 based on BSI IT-Grundschutz. The scope of the certification covers the cloud service provider's organisational units, locations, zones, regions, and procedures relevant to the development and operation of the cloud service. |
1.1 References
1.2 Identified Requirements
1.3 Related Regulations

2. Identified Requirements
Requirements

| Source | Requirement |
|---|---|

3. Related Regulations
Regulations

| Source | Regulation |
|---|---|