1. Overview
SP-01 Documentation, Communication and Provision of Policies and Procedures

Designation | Standard

SP-01.01B
Policies and procedures (including frameworks and guidelines) are derived from the information security policy and are documented in a uniform structure. The policies and procedures describe at least the following aspects:
1. Objectives;
2. Scope;
3. Roles and responsibilities, including personnel qualification requirements and the establishment of substitution rules;
4. Roles and dependencies on other organisations (especially cloud service customers and subservice organisations);
5. Steps for the execution of the security strategy; and
6. Applicable legal and regulatory requirements.
Policies and procedures are required for the following basic criteria, in which their content is specified in more detail:
1. Information Security Policy (OIS-02);
2. Risk Management Policy (OIS-07);
3. Remote Working - Policy (HR-07);
4. Asset Management Framework (AM-01);
5. Policy for the Proper and Secure Use of Assets (AM-05);
6. Physical Security and Environmental Control Requirements (PS-01);
7. Physical Site Access Control (PS-04);
8. Workplace Security Requirements (PS-08);
9. Protection Against Malware - Policies and Procedures (OPS-04);
10. Data Backup and Recovery - Policies and Procedures (OPS-06);
11. Logging and Monitoring - Policies and Procedures (OPS-10);
12. Logging and Monitoring - Policies and Procedures for Handling Cloud Service Derived Data and Account Data (OPS-11);
13. Managing Vulnerabilities - Policies and Procedures (OPS-18);
14. Managing Incidents and Crashes - Policies and Procedures (OPS-19);
15. Managing Vulnerabilities - Patch Management Policies and Procedures (OPS-27);
16. Separation of Datasets - Policies and Procedures (OPS-30);
17. Confidential Computing - Policies and Procedures (OPS-32);
18. Container Management - Policies and Procedures (OPS-34);
19. Policy for Identities and Access Rights (IAM-01);
20. Authentication Mechanisms (authentication policy) (IAM-08);
21. Policy for the Use of Cryptographic Mechanisms (CRY-01);
22. Technical Safeguards (COS-01);
23. Policies for Data Transmission (COS-08);
24. Policies for the Development/Procurement of System Components (DEV-01);
25. Policies for Changes to System Components (DEV-03);
26. Secure Use of Third Party Hardware and Software (policies and procedures for the use of third party and open source software) (DEV-14);
27. Policies and Procedures for Controlling and Monitoring Service Organisations (SSO-01);
28. Controlling Exchanges with Suppliers of Functional Components (SSO-08);
29. Policy for Security Incident Management (SIM-01);
30. Business Continuity and Emergency Management System (BCM-01);
31. Policy for Planning and Conducting Audits (COM-02); and
32. Communication of Technical Procedures for Data Disclosure in Investigation Requests (INQ-04).

SP-01.02B
The policies and procedures are communicated and made available in an appropriate manner to all relevant internal and external personnel of the cloud service provider.
Whether the needs-based communication and provision is appropriate is to be assessed against the size and complexity of the cloud service provider's organisation and the type of cloud service offered. Possible criteria are:
1. Integration of the policies and procedures into the onboarding of new personnel;
2. Training and information campaigns when new policies and procedures are introduced or existing ones are revised; and
3. The form in which the policies and procedures are provided.

SP-01.03B
The policies and procedures are subject to version control.

SP-01.04B
The policies and procedures are approved by the top management of the cloud service provider or an authorised body.
1.1 References
1.2 Identified Requirements
1.3 Related Regulations

2. Identified Requirements

Source | Requirement

3. Related Regulations

Source | Regulation