1. Overview
SP-03 Exceptions from Existing Policies and Procedures

| Designation | Standard |
|---|---|
| SP-03.01B | All exceptions to information security policies and procedures are maintained in a list that also records the controls associated with each exception. Supplementary information: during an ISO 27001 certification audit, the controls for this criterion are most likely tested as well. In a joint audit (C5 and ISO), the efficiency of "audit once, certify many" can be gained here. In a separate audit, the auditor of the C5 attestation engagement may choose to inspect the ISO report instead of testing the control again, provided the evidence given there is conclusive enough. |
| SP-03.02B | Exceptions to the information security policies and procedures, as well as the respective controls, go through the risk management procedures in accordance with OIS-07, including approval of these exceptions and acceptance of the associated risks by the risk owners. |
| SP-03.03B | The risk management procedures in accordance with OIS-07 also take into account the aggregated risk arising from a combination of individual exceptions. |
| SP-03.04B | Approvals of exceptions are documented with a defined validity period and are reviewed for appropriateness at least annually by the risk owners or by top management. This review also takes into account the aggregated risk arising from a combination of individual exceptions. |
| SP-03.05B | Exceptions to information security policies and procedures that would result in a deviation (cf. 3.4.12) from any applicable C5 criterion within the scope of an assurance engagement (cf. 3.4.1) are not permitted. Supplementary information: this criterion addresses policies and procedures and demands that, at this level, no codified deviations from applicable C5 criteria are permitted. |
| SP-03.01AC | Exceptions to policies or procedures are approved by the appropriate level of management. Supplementary information: the appropriate level of management for approval is, in most cases, either the level of management that approved the policies or procedures or the level of management to which this task has been delegated. |
| SP-03.02AC | The cloud service provider monitors the list of exceptions to prevent approved exceptions from expiring and to ensure that all reviews and approvals are kept current. |
| SP-03.03AC | Any exceptions for which deviations are identified during monitoring are addressed through timely and appropriate remediation measures. |

Supplementary information applicable to all SP-03 criteria: exceptions in the sense of these criteria can have organisational or technical causes, such as:
1. An organisational unit needs to deviate from the intended processes and procedures in order to meet the requirements of a cloud service customer; and
2. A system component lacks the technical properties required to configure it according to the applicable requirements.

SP-03 Supplementary Information - Complementary Customer Criteria

Cloud service customers ensure, with suitable controls, that they obtain information from the cloud service provider about exceptions to information security policies and procedures, in order to assess and appropriately manage the associated risks to their own information security.
2. Identified Requirements
Requirements

| Source | Requirement |
|---|---|

3. Related Regulations
Regulations

| Source | Regulation |
|---|---|