SSO-05.04B

1. Overview

If a service organisation is considered to be a subservice organisation, the cloud service provider assesses this relationship and carries out appropriate procedures to ensure that the applicable C5 criteria are met. Appropriate procedures provide reasonable assurance:

1. That the subservice organisation has designed and operated relevant controls; and
2. That the subservice organisation's controls correspond to the expected complementary subservice organisation controls (CSOCs) assumed in the design of the cloud service provider's controls.

Information obtained for monitoring the design and operation of the service-related system of internal control typically includes reports in accordance with ISAE 3402, IDW PS 951, SOC 2 or BSI C5, ANSSI SecNumCloud or CSA CCM. Second-party audits based on such frameworks may be useful here. For analysing BSI C5 reports in a structured manner, BSI has published an Excel-based evaluation guideline. If such reports are provided by the service organisations, the cloud service provider reviews, for example, the following aspects and, if necessary, incorporates the findings into the risk assessment in order to derive and initiate mitigating actions:

1. The scope of the report and its validity, i.e. the period covered by the report;
2. Modifications of the opinion, deviations/exceptions noted and management's response thereon;
3. Complementary User Entity Controls (CUECs) to be designed and operated by the cloud service provider;
4. Disclosed subservice organisations, including any changes among them (e.g. additional subservice organisations); and
5. Stated security incidents.

Information on CSOCs has to be obtained for subservice organisations only. Not every service organisation is a subservice organisation (cf. section 'Consideration of Subservice Organisations').
Appropriate procedures may comprise the review of independent third party reports, or audit procedures performed by the cloud service provider at the subservice organisation. The automated monitoring procedures outlined in the additional criterion are only applicable to service organisations for which monitoring automation is feasible based on the nature of the services provided to the cloud service provider.
1.1 References

2. Identified Requirements

3. Related Regulations