+Identity and Access Management (IAM)
---+IAM-01 Policy for Identities and Access Rights
------+IAM-01.01B
------+IAM-01.02B
------+IAM-01.03B
------+IAM-01.01AC
---+IAM-02 Granting and Change of Identities and Access Rights
------+IAM-02.01B
------+IAM-02.02B
------+IAM-02.03B
---+IAM-03 Risk-Based Procedure for Locking and Withdrawal of Identities
------+IAM-03.01B
------+IAM-03.02B
------+IAM-03.03B
------+IAM-03.04B
------+IAM-03.01AC
------+IAM-03.02AC
------+IAM-03.03AC
------+IAM-03.03AS
---+IAM-04 Withdrawal or Adjustment of Access Rights as the Task Area Changes
------+IAM-04.01B
------+IAM-04.02B
------+IAM-04.03B
------+IAM-04.04B
------+IAM-04.05B
---+IAM-05 Regular Review of Access Rights
------+IAM-05.01B
------+IAM-05.02B
------+IAM-05.03B
------+IAM-05.04B
------+IAM-05.05B
------+IAM-05.01AC
---+IAM-06 Privileged Access Rights
------+IAM-06.01B
------+IAM-06.02B
------+IAM-06.03B
------+IAM-06.04B
------+IAM-06.05B
------+IAM-06.06B
------+IAM-06.07B
------+IAM-06.08B
------+IAM-06.09B
------+IAM-06.01AC
------+IAM-06.02AC
------+IAM-06.03AC
------+IAM-06.04AC
---+IAM-07 Access to Cloud Service Customer Data
------+IAM-07.01B
------+IAM-07.02B
------+IAM-07.03B
------+IAM-07.04B
------+IAM-07.05B
------+IAM-07.06B
------+IAM-07.01AC
------+IAM-07.02AC
------+IAM-07.03AC
------+IAM-07.04AC
------+IAM-07.03AS
------+IAM-07.04AS
------+IAM-07.06AS
------+IAM-07 Supplementary Information - Complementary Customer Criteria
---+IAM-08 Authentication Mechanisms
------+IAM-08.01B
------+IAM-08.02B
------+IAM-08.03B
------+IAM-08.04B
------+IAM-08.05B
------+IAM-08.06B
------+IAM-08.07B
------+IAM-08.02AS
------+IAM-08.03AS
---+IAM-09 Confidentiality of Authentication Information
------+IAM-09.01B
------+IAM-09.02B
------+IAM-09.03B
------+IAM-09.04B
------+IAM-09.05B
------+IAM-09.06B
------+IAM-09.07B
------+IAM-09.01AC

1. Overview

Identity and Access Management (IAM)

Objective: Secure the authorisation and authentication of users of the cloud service provider to prevent unauthorised access.

Summary	Standard
IAM-01 Policy for Identities and Access Rights	-
IAM-02 Granting and Change of Identities and Access Rights	-
IAM-03 Risk-Based Procedure for Locking and Withdrawal of Identities	-
IAM-04 Withdrawal or Adjustment of Access Rights as the Task Area Changes	-
IAM-05 Regular Review of Access Rights	-
IAM-06 Privileged Access Rights	-
IAM-07 Access to Cloud Service Customer Data	-
IAM-08 Authentication Mechanisms	-
IAM-09 Confidentiality of Authentication Information	-

1.1 References

1.2 Identified Requirements

1.2 Related Regulation

2. Identified Requirements

Requirements
Source	Requirement

3. Related Regulations

Regulations
Source	Regulation

Cloud Computing Compliance Criteria Catalogue (C5:2026) -
Copyright by Bundesamt für Sicherheit in der Informationstechnik (https://www.bsi.bund.de/)

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/C5_2025/C5_2025_node.html