BSI C5 v2020
Cloud Computing Compliance Criteria Catalogue - German Federal Office for Information Security
This is a reference tool, not an authoritative source. For official documentation, visit www.bsi.bund.de.
Framework data extracted from the German BSI vC5:2020 Set Theory Relationship Mapping (STRM) files, licensed under Public Domain. Attribution required per license terms.
All criteria: 121
AM — Asset Management (AM) (6 criteria)
BCM — Business Continuity Management (BCM) (4 criteria)
COM — Compliance (COM) (4 criteria)
COS — Communication Security (COS) (8 criteria)
COS-01 Technical safeguards
COS-02 Security requirements for connections in the Cloud Service Provider's network
COS-03 Monitoring of connections in the Cloud Service Provider's network
COS-04 Cross-network access
COS-05 Networks for administration
COS-06 Segregation of data traffic in jointly used network environments
COS-07 Documentation of the network topology
COS-08 Policies for data transmission
CRY — Cryptography and Key Management (CRY) (4 criteria)
DEV — Procurement, Development and Modification of Information Systems (DEV) (10 criteria)
DEV-01 Policies for the development/procurement of information systems
DEV-02 Outsourcing of the development
DEV-03 Policies for changes to information systems
DEV-04 Safety training and awareness programme regarding continuous software delivery and associated systems, components or tools
DEV-05 Risk assessment, categorisation and prioritisation of changes
DEV-06 Testing changes
DEV-07 Logging of changes
DEV-08 Version Control
DEV-09 Approvals for provision in the production environment
DEV-10 Separation of environments
HR — Personnel (HR) (6 criteria)
IDM — Identity and Access Management (IDM) (9 criteria)
IDM-01 Policy for user accounts and access rights
IDM-02 Granting and change of user accounts and access rights
IDM-03 Locking and withdrawal of user accounts in the event of inactivity or multiple failed logins
IDM-04 Withdraw or adjust access rights as the task area changes
IDM-05 Regular review of access rights
IDM-06 Privileged access rights
IDM-07 Access to cloud customer data
IDM-08 Confidentiality of authentication information
IDM-09 Authentication mechanisms
INQ — Dealing with investigation requests from government agencies (INQ) (4 criteria)
OIS — Organisation of Information Security (OIS) (7 criteria)
OPS — Operations (OPS) (24 criteria)
OPS-01 Capacity Management - Planning
OPS-02 Capacity Management - Monitoring
OPS-03 Capacity Management - Controlling of Resources
OPS-04 Protection Against Malware - Concept
OPS-05 Protection Against Malware - Implementation
OPS-06 Data Protection and Recovery - Concept
OPS-07 Data Backup and Recovery - Monitoring
OPS-08 Data Backup and Recovery - Regular Testing
OPS-09 Data Backup and Recovery - Storage
OPS-10 Logging and Monitoring - Concept
OPS-11 Logging and Monitoring - Metadata Management Concept
OPS-12 Logging and Monitoring - Access, Storage and Deletion
OPS-13 Logging and Monitoring - Identification of Events
OPS-14 Logging and Monitoring - Storage of the Logging Data
OPS-15 Logging and Monitoring - Accountability
OPS-16 Logging and Monitoring - Configuration
OPS-17 Logging and Monitoring - Availability of the Monitoring Software
OPS-18 Managing Vulnerabilities, Malfunctions and Errors - Concept
OPS-19 Managing Vulnerabilities, Malfunctions and Errors - Penetration Tests
OPS-20 Managing Vulnerabilities, Malfunctions and Errors - Measurements, Analyses and Assessments of Procedures
OPS-21 Involvement of Cloud customers in the event of incidents
OPS-22 Testing and Documentation of known Vulnerabilities
OPS-23 Managing Vulnerabilities, Malfunctions and Errors - System Hardening
OPS-24 Separation of Datasets in the Cloud Infrastructure
PI — Portability and Interoperability (PI) (3 criteria)
PS — Physical Security (PS) (7 criteria)
PS-01 Physical Security and Environmental Control Requirements
PS-02 Redundancy model
PS-03 Perimeter Protection
PS-04 Physical site access control
PS-05 Protection from fire and smoke
PS-06 Protection against interruptions caused by power failures and other such risks
PS-07 Surveillance of operational and environmental parameters
PSS — Product Safety and Security (PSS) (12 criteria)
PSS-01 Guidelines and Recommendations for Cloud Customers
PSS-02 Identification of Vulnerabilities of the Cloud Service
PSS-03 Online Register of Known Vulnerabilities
PSS-04 Error handling and Logging Mechanisms
PSS-05 Authentication Mechanisms
PSS-06 Session Management
PSS-07 Confidentiality of Authentication Information
PSS-08 Roles and Rights Concept
PSS-09 Authorisation Mechanisms
PSS-10 Software Defined Networking
PSS-11 Images for Virtual Machines and Containers
PSS-12 Locations of Data Processing and Storage