OPS-22.07B

1. Overview

Actions for remediation or mitigation are taken within the time frames defined in the policies for managing vulnerabilities (cf. OPS-18).

See section '1.2 Definitions' for the terms 'penetration test' and 'significant change'.

In contrast to vulnerability scans, which analyse code, penetration tests as referred to in this criterion mainly aim to probe the live system in order to uncover real-world vulnerabilities or weaknesses that only appear during actual operation of the cloud service; this is what links the criterion to OPS-18.

There are three types of penetration tests:

1. Black-box testing: Testing performed without prior knowledge of the internal structure/design/implementation of the object being tested;
2. Grey-box testing: Testing performed with partial knowledge of the internal structure/design/implementation of the object being tested; and
3. White-box testing: Testing performed with knowledge of the internal structure/design/implementation of the object being tested.

A further distinction can be made between

1. Pre-launch penetration testing: Testing already performed as part of the software development process during the test phase of the cloud service (cf. DEV-07); and
2. Post-launch penetration testing: Testing carried out during the regular operations of the cloud service.

Significant changes may include, but are not limited to, the following events:

1. Replacing core cloud infrastructure technologies or performing major version upgrades;
2. Moving between service organisations, such as switching to a new IaaS or data centre provider;
3. Material changes in the way cloud service customer data is processed and stored, such as new backup technologies or new regions from which the service is operated;
4. Replacing or performing major upgrades on security technologies such as authentication workflows, network security mechanisms or monitoring mechanisms; and
5. Material changes to the cloud service model or of functionality made available to the cloud service customer.