COM-02.02B

1. Overview

COM-02.02B

Risk-based policies and procedures for planning and conducting audits are documented, communicated and made available in accordance with SP-01 and address the following aspects in order to prevent adverse effects on the operation of the cloud service from the audit:

1. Restriction to read-only access to system components in accordance with the agreed audit plan and as necessary to perform the activities;
2. Activities that may result in outages, degradations of the cloud service or breaches of contractual requirements are performed during scheduled maintenance windows or outside peak periods;
3. Logging and monitoring of activities;
4. Review of server and network equipment configurations under the responsibility of the cloud service provider;
5. Intrusion testing for external access points; and
6. Source code reviews of internally developed security features.


See DEV-05 for further explanation on security features.
Summary Standard

1.1 References

1.2 Identified Requirements

1.2 Related Regulation

2. Identified Requirements

Requirements
Source Requirement

3. Related Regulations

Regulations
Source Regulation