
1. Overview

SP-02 Review and Approval of Policies and Procedures

Designation | Standard
SP-02.01B | Information security policies and procedures are reviewed for adequacy by the cloud service provider's subject matter experts at least annually, and in case of significant changes to the cloud service. The review shall consider at least the following aspects:

1. Organisational and technical changes in the procedures for providing the cloud service; and
2. Legal and regulatory changes in the cloud service provider's environment.


During an ISO 27001 certification audit, the controls for this criterion are most likely also tested. In a joint audit (C5 and ISO), efficiencies from the audit-once-certify-many approach can be gained here. In a separate audit, the auditor of the C5 attestation engagement can choose to inspect the ISO report instead of testing the control again, provided the evidence it contains is conclusive enough.
SP-02.02B | Revised policies and procedures are approved by the appropriate level of management before they become effective and are communicated and made available to internal and external personnel.

Significant changes include, but are not limited to, any circumstances or events that materially affect the scope, effectiveness, or objectives of the information security policy. Examples of significant changes are:

1. Major technical or architectural changes to the cloud platform (e.g., adoption of new infrastructure services, cloud migration, introduction of a new service offering);
2. Substantial updates to national or international laws, regulations, or sector-specific standards (e.g., NIS2, DORA, GDPR) that impact information security obligations;
3. Reorganisation or merger/acquisition of organisational units that affect leadership, decision-making, or key responsibilities related to security;
4. Significant changes in contractual requirements, risk assessments, operational processes, or threat landscape (e.g., new threat intelligence indicating emerging risks, supply chain incidents);
5. Major security incidents or breaches requiring incident response revision;
6. Launch or decommissioning of service components impacting customer data or trust boundaries; and
7. Changes in the composition or responsibilities of top management or the information security steering committee.

For an efficient review, the cloud service provider can document the nature of each significant change, the rationale for the review, and the resulting policy adjustments. Automated tracking of policy changes and manual verification of content can also be integrated into the review workflow.

Top-level management is an appropriate level of management for approving the information security policy.
