SSO-05.02B

1. Overview

Monitoring includes a regular review of the following information, to the extent that service organisations are required to provide it under the contractual agreements:

1. Reports on the quality of the service provided;
2. Certificates of the management systems' compliance with international standards;
3. Records of the service organisations on the handling of vulnerabilities, security incidents and other incidents;
4. Independent third party reports on the design and operation of their service-related system of internal control; and
5. If service organisations used by the cloud service provider themselves use subcontractors, the compliance of those subcontractors with relevant contractual, legal and regulatory requirements.

Information obtained for monitoring the design and operation of the service-related system of internal control typically includes reports in accordance with ISAE 3402, IDW PS 951, SOC 2 or BSI C5, ANSSI SecNumCloud or CSA CCM. Second party audits based on such frameworks may be useful here. For analysing BSI C5 reports in a structured manner, BSI has published an Excel-based evaluation guideline.

If such reports are provided by the service organisations, the cloud service provider reviews, for example, the following aspects and, if necessary, incorporates the findings into the risk assessment in order to derive and initiate mitigating actions:

1. The scope and validity of the report, i.e. the period it covers;
2. Modifications of the opinion, deviations/exceptions noted and management's response to them;
3. Complementary User Entity Controls (CUEC) to be designed and operated by the cloud service provider;
4. Disclosed subservice organisations, including any changes among them (e.g. additional subservice organisations); and
5. Stated security incidents.

Information on CSOC has to be obtained for subservice organisations only. Not every service organisation is a subservice organisation (cf. section 'Consideration of Subservice Organisations'). Appropriate procedures may comprise the review of independent third party reports, or audit procedures performed by the cloud service provider at the subservice organisation.

The automated monitoring procedures outlined in the additional criterion are only applicable to service organisations for which monitoring automation is feasible, given the nature of the services they provide to the cloud service provider.

When reviewing the information provided by the service organisation, the cloud service provider should distinguish between flawed information that was produced in good faith (such as reports about perceived security concerns that eventually turned out to be ill-founded) and deliberately false or malicious information.

Monitoring of subcontractors can occur via audits, certifications and third party reports (cf. SSO-05) and may be performed by the service organisations of the cloud service provider. The cloud service provider remains responsible for reviewing the results of compliance monitoring and assessing the risk.
1.1 References

1.2 Identified Requirements

1.2 Related Regulation

2. Identified Requirements

3. Related Regulations