PS-04.01B

1. Overview

Preventive and detective physical access controls in premises and buildings related to the cloud service provided are implemented. They are in accordance with the cloud service provider's security requirements (cf. PS-01) and based on the principles defined in IAM-01 to prevent unauthorised access. They are documented and communicated in a policy or framework in accordance with SP-01 and include the following aspects:

1. Specified procedure for the granting and modifying of user accounts and access rights (cf. IAM-02) based on the 'least-privilege-principle' and the 'need-to-know-principle';
2. Revocation of access authorisations if they have not been used for a period of two months. Exceptions are only made for well-founded individual cases and follow a defined exception process according to SP-03;
3. Authentication with at least one factor for access to any non-public area;
4. Multi-factor authentication for access to areas hosting system components that process cloud service customer data;
5. Existence and nature of access logging that enables the cloud service provider, in the sense of an effectiveness audit, to check whether only defined personnel have entered the premises and buildings related to the cloud service provided;
6. Physical access control exceptions applicable in case of emergency, including an analysis procedure following every use of these exceptions; and
7. For visitors and external personnel, measures that ensure identification and tracking of every individual such that their activities are traceable and - in case of activities that infringe information security - stoppable in an appropriate reaction time. These measures are appropriate and proportional to the sensitivity of the zone the visitors or external personnel are in. The appropriate reaction time frame is determined based on a risk assessment (cf. OIS-07).
To implement access control based on the need-to-know principle, a zoning framework can be deployed in which each on-premises area has its own access permissions. If a zoning framework is implemented, each on-premises area should be physically separated and protected by its own access control system. Examples of on-premises zoning are:

1. Green zone: Public area, contains no resources that are relevant to the provisioning of the cloud service;
2. Yellow zone: Private area, contains means for supporting the cloud service such as development, administration and supervision; and
3. Red zone: Sensitive area for production systems such as the server rooms.

Reasonable exceptions to the revocation of access authorisations after two months of inactivity include cases where personnel in specific roles, such as management positions or supervisors, require only occasional but crucial entry. The rationale for each exception should be documented and critically reassessed during the review to determine whether it is still necessary.
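The following is an added illustration, not part of the C5 criterion text, of how the two-month inactivity rule (item 2, with a documented exception list) and the effectiveness audit of access logging (items 4 and 5) can be checked against badge-reader records. The zone labels, badge identifiers, exception list and log entries are constructed sample data; the 60-day threshold stands in for "two months" and is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta

RED = "red"  # zone label following the page's green/yellow/red example (hypothetical)


@dataclass(frozen=True)
class Entry:
    day: date      # date of the badge event
    badge: str     # badge / user identifier
    zone: str      # zone entered
    factors: int   # authentication factors presented at the door


# Constructed sample data, not real facility records.
AUTHORIZATIONS = {                 # zones each badge may enter (need-to-know)
    "ops-1": {"yellow", RED},
    "dev-7": {"yellow"},
    "dev-9": {"yellow"},           # never appears in the log
    "tmp-2": {"yellow"},
    "mgr-3": {"yellow", RED},
}
INACTIVITY_EXEMPT = {"mgr-3"}      # documented exception via the SP-03 process (hypothetical)
LOG = [
    Entry(date(2024, 1, 10), "ops-1", RED, 2),
    Entry(date(2024, 3, 2), "ops-1", RED, 1),      # red zone entered with a single factor
    Entry(date(2024, 3, 3), "dev-7", RED, 2),      # zone not in dev-7's permissions
    Entry(date(2024, 3, 4), "dev-7", "yellow", 1),
    Entry(date(2023, 12, 20), "tmp-2", "yellow", 1),
    Entry(date(2023, 12, 1), "mgr-3", RED, 2),     # old, but exempt from revocation
]
AS_OF = date(2024, 3, 5)           # date the audit is run


def audit(log, authorizations, exempt, as_of, inactivity=timedelta(days=60)):
    """Return findings: entries into zones the badge is not authorised for,
    red-zone entries without multi-factor authentication, and badges whose
    access should be revoked for inactivity (unless on the exception list)."""
    unauthorized = [e for e in log if e.zone not in authorizations.get(e.badge, set())]
    weak_red = [e for e in log if e.zone == RED and e.factors < 2]
    last_seen = {}
    for e in log:
        last_seen[e.badge] = max(last_seen.get(e.badge, e.day), e.day)
    revoke = sorted(
        b for b in authorizations
        if b not in exempt and as_of - last_seen.get(b, date.min) > inactivity
    )
    return {"unauthorized": unauthorized, "weak_red": weak_red, "revoke": revoke}


if __name__ == "__main__":
    for kind, items in audit(LOG, AUTHORIZATIONS, INACTIVITY_EXEMPT, AS_OF).items():
        print(kind, items)
```

Badges that never appear in the log are treated as inactive since the beginning of time, so newly issued but unused authorisations are also flagged for review.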