OPS-31.02B

1. Overview

OPS-31.02B

Cloud service customer data stored and processed on shared virtual and physical resources is securely and strictly separated according to a documented approach based on OIS-07 risk assessment and following policies on cryptography (cf. CRY-01) to ensure the confidentiality and integrity of this data.

Shared resources include CPU, RAM, storage space and networks. The separation of cloud service customer data on shared resources can take place, for example, in accordance with cloud layers described in the *CISA Cloud Security Technical Reference Architecture*. The separation on each shared resource is implemented as deemed appropriate based on the conducted risk assessment, which might also include not implementing a cryptographic separation for certain shared resources.

Where the adequacy and effectiveness of separation cannot be assessed with reasonable assurance (e.g. due to complex implementation), evidence may also be provided through expert third-party review results (e.g. penetration tests to validate the policies and procedures).

The separation of transmitted data is subject to criterion COS-06.
Designation Standard

1.1 References

1.2 Identified Requirements

1.2 Related Regulation

2. Identified Requirements

Requirements
Source Requirement

3. Related Regulations

Regulations
Source Regulation