OPS-22.05B

1. Overview

OPS-22.05B: If penetration tests follow multi-year test plans, each relevant system component is subjected to at least one penetration test within a maximum period of three years.

See section '1.2 Definitions' for the terms 'penetration test' and 'significant change'. In contrast to vulnerability scans, which analyse code, penetration tests as referred to in this criterion mainly aim at probing the live system to uncover real-world vulnerabilities or weaknesses that only show up in the actual operation of the cloud service, thus creating the connection to criterion OPS-18.

There are three types of penetration tests:
1. Black-box testing: Testing performed without prior knowledge of the internal structure/design/implementation of the object being tested;
2. Grey-box testing: Testing performed with partial knowledge of the internal structure/design/implementation of the object being tested; and
3. White-box testing: Testing performed with knowledge of the internal structure/design/implementation of the object being tested.

It can further be distinguished between
1. Pre-launch penetration testing: Testing already performed as part of the software development process during the test phase of the cloud service (cf. DEV-07); and
2. Post-launch penetration testing: Testing carried out during the regular operations of the cloud service.

Significant changes may include, but are not limited to, the following events:
1. Replacing core cloud infrastructure technologies or performing major version upgrades;
2. Moving between service organisations, such as switching to a new IaaS or data centre provider;
3. Material changes in the way cloud service customer data is processed and stored, such as new backup technologies or new regions from which the service is operated;
4. Replacing or performing major upgrades on security technologies such as authentication workflows, network security mechanisms or monitoring mechanisms; and
5. Material changes to the cloud service model or to the functionality made available to the cloud service customer.

System components relevant to the provision of the cloud service in the area of responsibility of the cloud service provider can comprise system components that are exposed at the external perimeter of the network as well as components accessible only from inside the network.