SP-01.01B

1. Overview

SP-01.01B

Policies and procedures (incl. frameworks and guidelines) are derived from the information security policy and are documented according to a uniform structure. The policies and procedures describe at least the following aspects:

1. Objectives;
2. Scope;
3. Roles and responsibilities, including personnel qualification requirements and the establishment of substitution rules;
4. Roles and dependencies on other organisations (especially cloud service customers and subservice organisations);
5. Steps for the execution of the security strategy; and
6. Applicable legal and regulatory requirements.

Policies and procedures are required for the following basic criteria, for which the content is specified in more detail:

1. Information Security Policy (OIS-02);
2. Risk Management Policy (OIS-07);
3. Remote Working - Policy (HR-07);
4. Asset Management Framework (AM-01);
5. Policy for the Proper and Secure Use of Assets (AM-05);
6. Physical Security and Environmental Control Requirements (PS-01);
7. Physical Site Access Control (PS-04);
8. Workplace Security Requirements (PS-08);
9. Protection Against Malware - Policies and Procedures (OPS-04);
10. Data Backup and Recovery - Policies and Procedures (OPS-06);
11. Logging and Monitoring - Policies and Procedures (OPS-10);
12. Logging and Monitoring - Policies and Procedures for Handling Cloud Service Derived Data and Account Data (OPS-11);
13. Managing Vulnerabilities - Policies and Procedures (OPS-18);
14. Managing Incidents and Crashes - Policies and Procedures (OPS-19);
15. Managing Vulnerabilities - Patch Management Policies and Procedures (OPS-27);
16. Separation of Datasets - Policies and Procedures (OPS-30);
17. Confidential Computing - Policies and Procedures (OPS-32);
18. Container Management - Policies and Procedures (OPS-34);
19. Policy for Identities and Access Rights (IAM-01);
20. Authentication Mechanisms (authentication policy) (IAM-08);
21. Policy for the Use of Cryptographic Mechanisms (CRY-01);
22. Technical Safeguards (COS-01);
23. Policies for Data Transmission (COS-08);
24. Policies for the Development/Procurement of System Components (DEV-01);
25. Policies for Changes to System Components (DEV-03);
26. Secure Use of Third Party Hardware and Software (policies and procedures for the use of third party and open source software) (DEV-14);
27. Policies and Procedures for Controlling and Monitoring Service Organisations (SSO-01);
28. Controlling Exchanges with Suppliers of Functional Components (SSO-08);
29. Policy for Security Incident Management (SIM-01);
30. Business Continuity and Emergency Management System (BCM-01);
31. Policy for Planning and Conducting Audits (COM-02); and
32. Communication of Technical Procedures for Data Disclosure in Investigation Requests (INQ-04).

1.1 References

1.2 Identified Requirements

1.2 Related Regulation

2. Identified Requirements


3. Related Regulations
