+AM-11 Transfer of Hardware
---+AM-11.01B
---+AM-11.02B
---+AM-11.03B

1. Overview

AM-11 Transfer of Hardware

-

Summary	Standard
AM-11.01B	Based on a risk assessment (cf. OIS-07), the cloud service provider ensures the secure and controlled transfer of hardware objects used in the cloud service production environment to an offsite or alternate location.
AM-11.02B	The transfer of hardware is authorised by designated personnel. Authorisation ensures that hardware object transfers, whether internal or external, are controlled, traceable, and compliant with organisational policies. This is particularly important for assets containing sensitive data or used in production environments. The process typically includes: 1. Verification of asset ownership and classification; 2. Assessment of associated risks; 3. Documentation of the transfer request and approval; and 4. Confirmation of secure handling during transit.
AM-11.03B	The cloud service provider ensures that all transfers of hardware objects used in the cloud service production environment are conducted using secure, documented methods designed to prevent unauthorised access, tampering, data leakage, or loss during transit. These methods include physical protection, chain-of-custody tracking, and verification upon receipt.

1.1 References

1.2 Identified Requirements

1.2 Related Regulation

2. Identified Requirements

Requirements
Source	Requirement

3. Related Regulations

Regulations
Source	Regulation

Cloud Computing Compliance Criteria Catalogue (C5:2026) -
Copyright by Bundesamt für Sicherheit in der Informationstechnik (https://www.bsi.bund.de/)

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/C5_2025/C5_2025_node.html

Impressum