+Operations (OPS)
---+OPS-01 Capacity Management - Planning
------+OPS-01.01B
------+OPS-01.02B
------+OPS-01.03B
------+OPS-01.01AC
------+OPS-01 Supplementary Information - Complementary Customer Criteria
---+OPS-02 Capacity Management - Monitoring
------+OPS-02.01B
------+OPS-02.02B
------+OPS-02.01AC
------+OPS-02 Supplementary Information - Complementary Customer Criteria
---+OPS-03 Capacity Management - Controlling of Resources
------+OPS-03.01B
------+OPS-03.02B
------+OPS-03 Supplementary Information - Complementary Customer Criteria
---+OPS-04 Protection Against Malware - Policies and Procedures
------+OPS-04.01B
---+OPS-05 Protection Against Malware - Implementation
------+OPS-05.01B
------+OPS-05.02B
------+OPS-05.03B
------+OPS-05.01AC
------+OPS-05.02AC
------+OPS-05.03AC
------+OPS-05.02AS
------+OPS-05 Supplementary Information - Complementary Customer Criteria
---+OPS-06 Data Backup and Recovery - Policies and Procedures
------+OPS-06.01B
------+OPS-06.01AS
------+OPS-06 Supplementary Information - Complementary Customer Criteria
---+OPS-07 Data Backup and Recovery - Monitoring
------+OPS-07.01B
------+OPS-07.02B
------+OPS-07.01AC
------+OPS-07 Supplementary Information - Complementary Customer Criteria
---+OPS-08 Data Backup and Recovery - Regular Testing
------+OPS-08.01B
------+OPS-08.02B
------+OPS-08.03B
------+OPS-08.04B
------+OPS-08.05B
------+OPS-08.01AC
------+OPS-08.02AC
------+OPS-08 Supplementary Information - Complementary Customer Criteria
---+OPS-09 Data Backup and Recovery - Storage
------+OPS-09.01B
------+OPS-09.02B
------+OPS-09.03B
------+OPS-09.04B
------+OPS-09.05B
---+OPS-10 Logging and Monitoring - Policies and Procedures
------+OPS-10.01B
------+OPS-10 Supplementary Information - Complementary Customer Criteria
---+OPS-11 Logging and Monitoring - Policies and Procedures for Handling Cloud Service Derived Data and Account Data
------+OPS-11.01B
------+OPS-11.02B
------+OPS-11.01AC
------+OPS-11.02AC
------+OPS-11 Supplementary Information - Complementary Customer Criteria
---+OPS-12 Logging and Monitoring - Access, Retention and Deletion
------+OPS-12.01B
---+OPS-13 Logging and Monitoring - Security Information and Event Management
------+OPS-13.01B
------+OPS-13.02B
------+OPS-13.01AC
------+OPS-13.02AC
------+OPS-13.03AC
---+OPS-14 Logging and Monitoring - Retention of the Logging Data
------+OPS-14.01B
------+OPS-14.02B
------+OPS-14.03B
------+OPS-14 Supplementary Information - Complementary Customer Criteria
---+OPS-15 Logging and Monitoring - Accountability
------+OPS-15.01B
------+OPS-15.02B
------+OPS-15.03B
------+OPS-15.01AC
------+OPS-15.02AC
------+OPS-15 Supplementary Information - Complementary Customer Criteria
---+OPS-16 Logging and Monitoring - Configuration
------+OPS-16.01B
------+OPS-16.02B
---+OPS-17 Logging and Monitoring - Availability of the Monitoring Software
------+OPS-17.01B
------+OPS-17.02B
------+OPS-17.01AC
------+OPS-17.02AC
---+OPS-18 Managing Vulnerabilities - Policies and Procedures
------+OPS-18.01B
------+OPS-18.02B
------+OPS-18.03B
------+OPS-18.04B
------+OPS-18.05B
------+OPS-18 Supplementary Information - Complementary Customer Criteria
---+OPS-19 Managing Incidents and Crashes - Policies and Procedures
------+OPS-19.01B
---+OPS-20 Managing Incidents - Implementation
------+OPS-20.01B
---+OPS-21 Managing Crashes - Implementation
------+OPS-21.01B
---+OPS-22 Managing Vulnerabilities, Incidents and Crashes - Penetration Tests
------+OPS-22.01B
------+OPS-22.02B
------+OPS-22.03B
------+OPS-22.04B
------+OPS-22.05B
------+OPS-22.06B
------+OPS-22.07B
------+OPS-22.08B
------+OPS-22.01AC
------+OPS-22.02AC
------+OPS-22.03AC
------+OPS-22.04AC
------+OPS-22.05AC
------+OPS-22.01AS
------+OPS-22.02AS
------+OPS-22.03AS
---+OPS-23 Managing Vulnerabilities, Incidents and Crashes - Measurements, Analyses and Assessments of Procedures
------+OPS-23.01B
------+OPS-23.02B
---+OPS-24 Involvement of Cloud Service Customers in the Event of Incidents
------+OPS-24.01B
------+OPS-24.02B
------+OPS-24.01AC
------+OPS-24 Supplementary Information - Complementary Customer Criteria
---+OPS-25 Managing Vulnerabilities, Incidents and Crashes - Vulnerability Scans
------+OPS-25.01B
------+OPS-25.02B
------+OPS-25.03B
------+OPS-25.04B
------+OPS-25.01AC
------+OPS-25.01AS
------+OPS-25.02AS
------+OPS-25 Supplementary Information - Complementary Customer Criteria
---+OPS-26 Managing Vulnerabilities, Incidents and Crashes - System Hardening
------+OPS-26.01B
------+OPS-26.02B
------+OPS-26.03B
------+OPS-26.04B
------+OPS-26.05B
------+OPS-26.06B
------+OPS-26.05AS
------+OPS-26 Supplementary Information - Complementary Customer Criteria
---+OPS-27 Managing Vulnerabilities - Patch Management Policies and Procedures
------+OPS-27.01B
------+OPS-27.02B
------+OPS-27.03B
------+OPS-27.04B
------+OPS-27.03AS
---+OPS-28 Managing Vulnerabilities - Patch Management Implementation
------+OPS-28.01B
---+OPS-29 Managing Vulnerabilities, Incidents and Crashes - Externally Sourced Components
------+OPS-29.01B
---+OPS-30 Separation of Datasets - Policies and Procedures
------+OPS-30.01B
---+OPS-31 Separation of Datasets - Implementation
------+OPS-31.01B
------+OPS-31.02B
------+OPS-31.03B
------+OPS-31 Supplementary Information - Complementary Customer Criteria
---+OPS-32 Confidential Computing - Policies and Procedures
------+OPS-32.01B
------+OPS-32.02B
------+OPS-32.03B
------+OPS-32.01AC
---+OPS-33 Confidential Computing - Remote Attestation
------+OPS-33.01B
------+OPS-33.02B
------+OPS-33.03B
------+OPS-33.01AC
------+OPS-33.02AC
---+OPS-34 Container Management - Policies and Procedures
------+OPS-34.01B
------+OPS-34.02B
------+OPS-34.01AC
---+OPS-35 Container Management - Implementation
------+OPS-35.01B

1. Übersicht

Operations (OPS)

Objective: Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures.

Bezeichnung	Standard
OPS-01 Capacity Management - Planning	-
OPS-02 Capacity Management - Monitoring	-
OPS-03 Capacity Management - Controlling of Resources	-
OPS-04 Protection Against Malware - Policies and Procedures	-
OPS-05 Protection Against Malware - Implementation	-
OPS-06 Data Backup and Recovery - Policies and Procedures	-
OPS-07 Data Backup and Recovery - Monitoring	-
OPS-08 Data Backup and Recovery - Regular Testing	-
OPS-09 Data Backup and Recovery - Storage	-
OPS-10 Logging and Monitoring - Policies and Procedures	-
OPS-11 Logging and Monitoring - Policies and Procedures for Handling Cloud Service Derived Data and Account Data	-
OPS-12 Logging and Monitoring - Access, Retention and Deletion	-
OPS-13 Logging and Monitoring - Security Information and Event Management	-
OPS-14 Logging and Monitoring - Retention of the Logging Data	-
OPS-15 Logging and Monitoring - Accountability	-
OPS-16 Logging and Monitoring - Configuration	-
OPS-17 Logging and Monitoring - Availability of the Monitoring Software	-
OPS-18 Managing Vulnerabilities - Policies and Procedures	-
OPS-19 Managing Incidents and Crashes - Policies and Procedures	-
OPS-20 Managing Incidents - Implementation	-
OPS-21 Managing Crashes - Implementation	-
OPS-22 Managing Vulnerabilities, Incidents and Crashes - Penetration Tests	-
OPS-23 Managing Vulnerabilities, Incidents and Crashes - Measurements, Analyses and Assessments of Procedures	-
OPS-24 Involvement of Cloud Service Customers in the Event of Incidents	-
OPS-25 Managing Vulnerabilities, Incidents and Crashes - Vulnerability Scans	-
OPS-26 Managing Vulnerabilities, Incidents and Crashes - System Hardening	-
OPS-27 Managing Vulnerabilities - Patch Management Policies and Procedures	-
OPS-28 Managing Vulnerabilities - Patch Management Implementation	-
OPS-29 Managing Vulnerabilities, Incidents and Crashes - Externally Sourced Components	-
OPS-30 Separation of Datasets - Policies and Procedures	-
OPS-31 Separation of Datasets - Implementation	-
OPS-32 Confidential Computing - Policies and Procedures	-
OPS-33 Confidential Computing - Remote Attestation	-
OPS-34 Container Management - Policies and Procedures	-
OPS-35 Container Management - Implementation	-

1.1 Referenzen

1.2 Identifizierte Anforderungen

1.2 Related Regulation

2. Identifizierte Anforderungen

Anforderungen
Source	Anforderung

3. Related Regulations

Regulations
Source	Regulierung

Cloud Computing Compliance Criteria Catalogue (C5:2026) -
Copyright by Bundesamt für Sicherheit in der Informationstechnik (https://www.bsi.bund.de/)

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/C5_2025/C5_2025_node.html

Impressum