== Overview ==
[https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/kriterienkatalog-c5_node.html '''For more info:''' Cloud computing C5 criteria catalogue]

Current phase of the internal audit: Initial audit

Fully implemented C5 guidelines: 92%

Partially implemented C5 guidelines: 66%
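The summary figures above should be derivable from the status table on this page. The following script is an added example (not part of this wiki or its audit tooling): it parses a MediaWiki table in the layout used here (one cell per line, columns ID / Guideline / Comment / Audit state), recomputes the count and percentage per audit state, and flags rows whose colour class disagrees with the state text in the same cell. The sample table is a constructed subset of the page's rows, and the mapping of states to the classes <code>col-green-bg</code>, <code>col-orange-bg</code> and <code>col-grey-light-bg</code> is assumed from the page's own markup.

```python
"""Recompute C5 audit-status figures from a MediaWiki wikitable.

Added example, not code from the audit page. Assumes one table cell per
line and a four-column layout: ID, Guideline, Comment, Audit state.
"""
import re
from collections import Counter

# Colour class each audit state is expected to carry (assumed from the page's markup).
EXPECTED_CLASS = {
    "Fully implemented": "col-green-bg",
    "Partially implemented": "col-orange-bg",
    "Inactive": "col-grey-light-bg",
}

# Constructed sample: a subset of the page's rows, including one row whose
# colour class (orange) does not match its state text ("Fully implemented").
SAMPLE = '''{| class="wikitable sortable"
|+C5 Internal audit status
!ID
!Guideline
!Comment
!Audit state
|-
|C5-01-OIS-01
|ISM:Information Security Management System (OIS-01)
|ISMS is in effect, but not all requirements of C5 are implemented
| style="" class="col-orange-bg" |Partially implemented
|-
|C5-01-OIS-03
|ISM:Interfaces and Dependencies (OIS-03)
|
| style="" class="col-green-bg" |Fully implemented
|-
|C5-04-HR-01
|ISM:Security check of the background information (HR-01)
|Given the small size of the company, trust is established on a personal basis
| style="" class="col-grey-light-bg" |Inactive
|-
|C5-07-OPS-04
|Concept (OPS-04)
|
| style="" class="col-orange-bg" |Fully implemented
|-
|C5-09-CRY-01
|ISM:Policy for the use of encryption procedures and key management (CRY-01)
|There are some guidelines, but no approved policy yet.
| style="" class="col-orange-bg" |Partially implemented
|}
'''


def parse_wikitable(text):
    """Return the data rows of a wikitable as lists of (attributes, content) cells.

    Header cells (lines starting with '!'), the caption ('|+') and the table
    delimiters ('{|', '|}') are skipped; '|-' starts a new row.
    """
    rows, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("{|", "|+", "|}", "!")):
            continue
        if line.startswith("|-"):
            if current:
                rows.append(current)
            current = []
            continue
        if line.startswith("|"):
            body = line[1:]
            attrs, content = "", body
            # "| attr="..." |content": the prefix is only attributes if it
            # contains a key=value pair; otherwise the pipe is part of the text.
            if "|" in body:
                head, tail = body.split("|", 1)
                if "=" in head:
                    attrs, content = head.strip(), tail
            current.append((attrs, content.strip()))
    if current:
        rows.append(current)
    return rows


def audit_summary(text):
    """Count rows per audit state; return ({state: (count, percent)}, total)."""
    states = Counter()
    for cells in parse_wikitable(text):
        if len(cells) >= 4:
            states[cells[3][1]] += 1
    total = sum(states.values())
    summary = {s: (n, round(100 * n / total)) for s, n in states.items()}
    return summary, total


def class_mismatches(text):
    """Rows whose state cell carries a colour class other than the expected one."""
    bad = []
    for cells in parse_wikitable(text):
        if len(cells) < 4:
            continue
        attrs, state = cells[3]
        match = re.search(r'class="([^"]*)"', attrs)
        css = match.group(1) if match else ""
        expected = EXPECTED_CLASS.get(state)
        if expected is not None and css != expected:
            bad.append((cells[0][1], state, css))
    return bad


if __name__ == "__main__":
    summary, total = audit_summary(SAMPLE)
    print(f"{total} guidelines audited")
    for state, (count, pct) in summary.items():
        print(f"  {state}: {count} ({pct}%)")
    for row_id, state, css in class_mismatches(SAMPLE):
        print(f"  mismatch: {row_id} says '{state}' but uses class '{css}'")
```

Run against the full table, the percentages per state should add up to 100 and the mismatch list should be empty; any row it reports needs either its class or its state text corrected before the summary figures are trusted.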
== List of guidelines ==
{| class="wikitable sortable"
|+C5 Internal audit status
!ID
!Guideline
!Comment
!Audit state
|-
|C5-01-OIS-01
|ISM:Information Security Management System (OIS-01)
|An ISMS is in effect, but not all requirements of C5 are implemented yet
| class="col-orange-bg" |Partially implemented
|-
|C5-01-OIS-02
|ISM:Information Security Policy (OIS-02)
|A security policy is available, but needs improvement
| class="col-orange-bg" |Partially implemented
|-
|C5-01-OIS-03
|ISM:Interfaces and Dependencies (OIS-03)
|
| class="col-green-bg" |Fully implemented
|-
|C5-01-OIS-04
|ISM:Segregation of Duties (OIS-04)
|
| class="col-green-bg" |Fully implemented
|-
|C5-01-OIS-05
|ISM:Contact with Relevant Government Agencies and Interest Groups (OIS-05)
|
| class="col-green-bg" |Fully implemented
|-
|C5-01-OIS-06
|ISM:Risk Management Policy (OIS-06)
|
| class="col-green-bg" |Fully implemented
|-
|C5-01-OIS-07
|ISM:Application of the Risk Management Policy (OIS-07)
|The process is described, but not yet well established
| class="col-orange-bg" |Partially implemented
|-
|C5-03-SA-01
|ISM:Documentation, communication and provision of policies and instructions (SA-01)
|
| class="col-green-bg" |Fully implemented
|-
|C5-03-SA-02
|ISM:Review and approval of policies and instructions (SA-02)
|
| class="col-green-bg" |Fully implemented
|-
|C5-03-SA-03
|ISM:Deviations from existing policies and instructions (SA-03)
|
| class="col-green-bg" |Fully implemented
|-
|C5-04-HR-01
|ISM:Security check of the background information (HR-01)
|Given the small size of the company, trust is established on a personal basis
| class="col-grey-light-bg" |Inactive
|-
|C5-04-HR-02
|ISM:Employment agreements (HR-02)
|Employees are contractually bound to data protection and privacy. Security is only mentioned implicitly.
| class="col-orange-bg" |Partially implemented
|-
|C5-04-HR-03
|ISM:Security training and awareness-raising programme (HR-03)
|
| class="col-green-bg" |Fully implemented
|-
|C5-04-HR-04
|ISM:Disciplinary measures (HR-04)
|Security issues are not specifically mentioned, but standard disciplinary measures apply.
| class="col-orange-bg" |Partially implemented
|-
|C5-04-HR-05
|ISM:Termination of the employment relationship or changes to the responsibilities (HR-05)
|
| class="col-green-bg" |Fully implemented
|-
|C5-05-AM-01
|ISM:Asset inventory (AM-01)
|
| class="col-green-bg" |Fully implemented
|-
|C5-05-AM-02
|ISM:Assignment of persons responsible for assets (AM-02)
|
| class="col-green-bg" |Fully implemented
|-
|C5-05-AM-03
|ISM:Instruction manuals for assets (AM-03)
|The handling of specific assets is documented in our internal wiki, but there is no systematic approach.
| class="col-orange-bg" |Partially implemented
|-
|C5-05-AM-04
|ISM:Handing in and returning assets (AM-04)
|
| class="col-green-bg" |Fully implemented
|-
|C5-05-AM-05
|ISM:Classification of information (AM-05)
|Services are classified, but there is no classification scheme for data. All customer data is treated as sensitive.
| class="col-orange-bg" |Partially implemented
|-
|C5-05-AM-06
|ISM:Labelling of information and handling of assets (AM-06)
|Information is currently not labelled. By default, all customer data is treated as sensitive.
| class="col-grey-light-bg" |Inactive
|-
|C5-05-AM-07
|ISM:Management of data media (AM-07)
|
| class="col-green-bg" |Fully implemented
|-
|C5-05-AM-08
|ISM:Transfer and removal of assets (AM-08)
|
| class="col-green-bg" |Fully implemented
|-
|C5-06-PS-01
|ISM:Perimeter protection (PS-01)
|The data centre locations that hold our cloud data all comply with ISO 27001 and have corresponding perimeter protection.
| class="col-orange-bg" |Partially implemented
|-
|C5-06-PS-02
|ISM:Physical site access control (PS-02)
|
| class="col-green-bg" |Fully implemented
|-
|C5-06-PS-03
|ISM:Protection against threats from outside and from the environment (PS-03)
|
| class="col-green-bg" |Fully implemented
|-
|C5-06-PS-04
|ISM:Protection against interruptions caused by power failures and other such risks (PS-04)
|
| class="col-green-bg" |Fully implemented
|-
|C5-06-PS-05
|ISM:Maintenance of infrastructure and devices (PS-05)
|
| class="col-green-bg" |Fully implemented
|-
|C5-07-OPS-01
|Planning (OPS-01)
|
| class="col-green-bg" |Fully implemented
|-
|C5-07-OPS-02
|Monitoring (OPS-02)
|
| class="col-green-bg" |Fully implemented
|-
|C5-07-OPS-03
|Controlling of Resources (OPS-03)
|This requires making resource data available to customers for their planning, which is currently out of scope.
| class="col-grey-light-bg" |Inactive
|-
|C5-07-OPS-04
|Concept (OPS-04)
|
| class="col-orange-bg" |Fully implemented
|-
|C5-07-OPS-05
|Implementation (OPS-05)
|
| class="col-orange-bg" |Fully implemented
|-
|C5-07-OPS-06
|Concept (OPS-06)
|
| class="col-orange-bg" |Fully implemented
|-
|C5-07-OPS-07
|Monitoring (OPS-07)
|
| class="col-orange-bg" |Fully implemented
|-
|C5-07-OPS-08
|Regular Testing (OPS-08)
|
| class="col-orange-bg" |Fully implemented
|-
|C5-07-OPS-09
|Storage (OPS-09)
|
| class="col-orange-bg" |Fully implemented
|-
|C5-07-OPS-10
|Concept (OPS-10)
|
| class="col-orange-bg" |Fully implemented
|-
|C5-07-OPS-11
|Metadata Management Concept (OPS-11)
|Currently covered by OPS-10
| class="col-grey-light-bg" |Inactive
|-
|C5-07-OPS-12
|Access, Storage and Deletion (OPS-12)
|Currently covered by OPS-10
| class="col-grey-light-bg" |Inactive
|-
|C5-07-OPS-13
|Identification of Events (OPS-13)
|Currently covered by OPS-10
| class="col-grey-light-bg" |Inactive
|-
|C5-07-OPS-14
|Storage of the Logging Data (OPS-14)
|Log data is stored centrally on a logging server.
| class="col-orange-bg" |Partially implemented
|-
|C5-07-OPS-15
|Accountability (OPS-15)
|Application logs are available. Access logs are stored without IP addresses.
| class="col-orange-bg" |Partially implemented
|-
|C5-07-OPS-16
|Configuration (OPS-16)
|
| class="col-green-bg" |Fully implemented
|-
|C5-07-OPS-17
|Availability of the Monitoring Software (OPS-17)
|
| class="col-green-bg" |Fully implemented
|-
|C5-07-OPS-18
|Concept (OPS-18)
|
| class="col-green-bg" |Fully implemented
|-
|C5-07-OPS-19
|Penetration Tests (OPS-19)
|We currently perform no external or internal penetration tests. However, some of our customers have, and no major issues were found.
| class="col-grey-light-bg" |Inactive
|-
|C5-07-OPS-20
|Measurements, Analyses and Assessment of Procedures (OPS-20)
|There is no regular process for this yet.
| class="col-orange-bg" |Partially implemented
|-
|C5-07-OPS-21
|ISM:Involvement of Cloud Customers in the Event of Incidents (OPS-21)
|
| class="col-green-bg" |Fully implemented
|-
|C5-07-OPS-22
|ISM:Testing and Documentation of Known Vulnerabilities (OPS-22)
|
| class="col-green-bg" |Fully implemented
|-
|C5-07-OPS-23
|System Hardening (OPS-23)
|We adhere to industry standards, but there is currently no hardening documentation per system.
| class="col-orange-bg" |Partially implemented
|-
|C5-07-OPS-24
|ISM:Separation of Datasets in the Cloud Infrastructure (OPS-24)
|
| class="col-green-bg" |Fully implemented
|-
|C5-08-IDM-01
|ISM:Policy for user accounts and access rights (IDM-01)
|
| class="col-green-bg" |Fully implemented
|-
|C5-08-IDM-02
|ISM:Granting and change of user accounts and access rights (IDM-02)
|
| class="col-green-bg" |Fully implemented
|-
|C5-08-IDM-03
|ISM:Locking and withdrawal of user accounts in the event of inactivity or multiple failed logins (IDM-03)
|Some of our systems implement this; the rest is managed automatically.
| class="col-orange-bg" |Partially implemented
|-
|C5-08-IDM-04
|ISM:Withdraw or adjust access rights as the task area changes (IDM-04)
|
| class="col-green-bg" |Fully implemented
|-
|C5-08-IDM-05
|ISM:Regular review of access rights (IDM-05)
|This is currently only done for the most critical systems.
| class="col-orange-bg" |Partially implemented
|-
|C5-08-IDM-06
|ISM:Privileged access rights (IDM-06)
|Mostly implemented, but privileges are not revoked on a time-limited basis.
| class="col-orange-bg" |Partially implemented
|-
|C5-08-IDM-07
|ISM:Access to cloud customer data (IDM-07)
|
| class="col-green-bg" |Fully implemented
|-
|C5-08-IDM-08
|ISM:Confidentiality of authentication information (IDM-08)
|
| class="col-green-bg" |Fully implemented
|-
|C5-08-IDM-09
|ISM:Authentication Mechanisms (IDM-09)
|
| class="col-green-bg" |Fully implemented
|-
|C5-09-CRY-01
|ISM:Policy for the use of encryption procedures and key management (CRY-01)
|There are some guidelines, but no approved policy yet.
| class="col-orange-bg" |Partially implemented
|-
|C5-09-CRY-02
|ISM:Encryption of data for transmission (transport encryption) (CRY-02)
|
| class="col-green-bg" |Fully implemented
|-
|C5-09-CRY-03
|ISM:Encryption of sensitive data for storage (CRY-03)
|Customer data is encrypted at rest. Backups are encrypted.
| class="col-orange-bg" |Partially implemented
|-
|C5-09-CRY-04
|ISM:Secure key management (CRY-04)
|Guidelines exist, but there is no centralised key management.
| class="col-orange-bg" |Partially implemented
|-
|C5-10-COS-01
|ISM:Technical safeguards (COS-01)
|We do not run an intrusion detection system. However, network patterns are monitored and we are informed of major irregularities such as DDoS attacks.
| class="col-grey-light-bg" |Inactive
|-
|C5-10-COS-02
|ISM:Security requirements for connections in the Cloud Service Provider’s network (COS-02)
|
| class="col-green-bg" |Fully implemented
|-
|C5-10-COS-03
|ISM:Monitoring of connections in the Cloud Service Provider’s network (COS-03)
|All access to the cloud network is logged.
| class="col-orange-bg" |Partially implemented
|-
|C5-10-COS-04
|ISM:Cross-network access (COS-04)
|
| class="col-green-bg" |Fully implemented
|-
|C5-10-COS-05
|ISM:Networks for administration (COS-05)
|
| class="col-green-bg" |Fully implemented
|-
|C5-10-COS-06
|ISM:Segregation of data traffic in jointly used network environments (COS-06)
|Internal traffic is segregated, but not encrypted.
| class="col-orange-bg" |Partially implemented
|-
|C5-10-COS-07
|ISM:Documentation of the network topology (COS-07)
|
| class="col-green-bg" |Fully implemented
|-
|C5-10-COS-08
|ISM:Policies for data transmission (COS-08)
|
| class="col-green-bg" |Fully implemented
|-
|C5-11-PI-01
|ISM:Documentation and safety of input and output interfaces (PI-01)
|
| class="col-green-bg" |Fully implemented
|-
|C5-11-PI-02
|ISM:Contractual agreements for the provision of data (PI-02)
|
| class="col-green-bg" |Fully implemented
|-
|C5-11-PI-03
|ISM:Secure deletion of data (PI-03)
|
| class="col-green-bg" |Fully implemented
|-
|C5-12-DEV-01
|ISM:Policies for the development and procurement of information systems (DEV-01)
|We apply the coding guidelines followed in the Wikimedia ecosystem.
| class="col-orange-bg" |Partially implemented
|-
|C5-12-DEV-02
|ISM:Outsourcing of the development (DEV-02)
|Contractual agreements are in place but need updating. Third parties do not have access to our production cloud or to production code.
| class="col-orange-bg" |Partially implemented
|-
|C5-12-DEV-03
|ISM:Policies for changes to information systems (DEV-03)
|
| class="col-green-bg" |Fully implemented
|-
|C5-12-DEV-04
|ISM:Safety training and awareness programme regarding continuous software delivery and associated systems, components or tools (DEV-04)
|Training is done on the job and annually, combined with GDPR compliance training.
| class="col-orange-bg" |Partially implemented
|-
|C5-12-DEV-05
|ISM:Risk assessment, categorisation and prioritisation of changes (DEV-05)
|Changes are assessed within the team. A formal risk assessment is not applied yet.
| class="col-orange-bg" |Partially implemented
|-
|C5-12-DEV-06
|ISM:Testing changes (DEV-06)
|
| class="col-green-bg" |Fully implemented
|-
|C5-12-DEV-07
|ISM:Logging of changes (DEV-07)
|
| class="col-green-bg" |Fully implemented
|-
|C5-12-DEV-08
|ISM:Version Control (DEV-08)
|
| class="col-green-bg" |Fully implemented
|-
|C5-12-DEV-09
|ISM:Approvals for provision in the production environment (DEV-09)
|
| class="col-green-bg" |Fully implemented
|-
|C5-12-DEV-10
|ISM:Separation of environments (DEV-10)
|
| class="col-green-bg" |Fully implemented
|-
|C5-13-SSO-01
|ISM:Policies and instructions for controlling and monitoring third parties (SSO-01)
|
| class="col-green-bg" |Fully implemented
|-
|C5-13-SSO-02
|ISM:Risk assessment of service providers and suppliers (SSO-02)
|
| class="col-green-bg" |Fully implemented
|-
|C5-13-SSO-03
|ISM:Directory of service providers and suppliers (SSO-03)
|
| class="col-green-bg" |Fully implemented
|-
|C5-13-SSO-04
|ISM:Monitoring of compliance with requirements (SSO-04)
|
| class="col-green-bg" |Fully implemented
|-
|C5-13-SSO-05
|ISM:Exit strategy for the receipt of benefit (SSO-05)
|There is no documented exit strategy.
| class="col-grey-light-bg" |Inactive
|-
|C5-14-SIM-01
|ISM:Policy for security incident management (SIM-01)
|
| class="col-green-bg" |Fully implemented
|-
|C5-14-SIM-02
|ISM:Processing of security incidents (SIM-02)
|
| class="col-green-bg" |Fully implemented
|-
|C5-14-SIM-03
|ISM:Documentation and reporting of security incidents (SIM-03)
|
| class="col-green-bg" |Fully implemented
|-
|C5-14-SIM-04
|ISM:Duty of the users to report security incidents to a central body (SIM-04)
|
| class="col-green-bg" |Fully implemented
|-
|C5-14-SIM-05
|ISM:Evaluation and learning process (SIM-05)
|
| class="col-green-bg" |Fully implemented
|-
|C5-15-BCM-01
|ISM:Top management responsibility (BCM-01)
|
| class="col-green-bg" |Fully implemented
|-
|C5-15-BCM-02
|ISM:Business impact analysis policies and instructions (BCM-02)
|A risk analysis was done and is documented. There is no formal policy.
| class="col-grey-light-bg" |Inactive
|-
|C5-15-BCM-03
|ISM:Planning business continuity (BCM-03)
|
| class="col-green-bg" |Fully implemented
|-
|C5-15-BCM-04
|ISM:Verification, updating and testing of the business continuity (BCM-04)
|Disaster recovery tests are conducted at implementation time. There is no regular schedule yet.
| class="col-orange-bg" |Partially implemented
|-
|C5-16-COM-01
|ISM:Identification of applicable legal, regulatory, self-imposed or contractual requirements (COM-01)
|
| class="col-green-bg" |Fully implemented
|-
|C5-16-COM-02
|ISM:Policy for planning and conducting audits (COM-02)
|Annual audits of the ISMS are conducted. There is no formal policy.
| class="col-grey-light-bg" |Inactive
|-
|C5-16-COM-03
|ISM:Internal audits of the ISMS (COM-03)
|There is no formal internal audit process yet.
| class="col-orange-bg" |Partially implemented
|-
|C5-16-COM-04
|ISM:Information on information security performance and management assessment of the ISMS (COM-04)
|
| class="col-green-bg" |Fully implemented
|-
|C5-17-INQ-01
|ISM:Legal Assessment of Investigative Inquiries (INQ-01)
|
| class="col-green-bg" |Fully implemented
|-
|C5-17-INQ-02
|ISM:Informing Cloud Customers about Investigation Requests (INQ-02)
|
| class="col-green-bg" |Fully implemented
|-
|C5-17-INQ-03
|ISM:Conditions for Access to or Disclosure of Data in Investigation Requests (INQ-03)
|
| class="col-green-bg" |Fully implemented
|-
|C5-17-INQ-04
|ISM:Limiting Access to or Disclosure of Data in Investigation Requests (INQ-04)
|
| class="col-green-bg" |Fully implemented
|-
|C5-18-PSS-01
|ISM:Guidelines and Recommendations for Cloud Customers (PSS-01)
|We maintain this information in our product documentation. However it cannot be found in one central place. | |We maintain this information in our product documentation. However it cannot be found in one central place. | ||
|Partially implemented | | style="" class="col-orange-bg" |Partially implemented | ||
|- | |- | ||
|C5-18-PSS-02 | |C5-18-PSS-02 | ||
|ISM:Identification of Vulnerabilities of the Cloud Service (PSS-02) | |ISM:Identification of Vulnerabilities of the Cloud Service (PSS-02) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-18-PSS-03 | |C5-18-PSS-03 | ||
|ISM:Online Register of Known Vulnerabilities (PSS-03) | |ISM:Online Register of Known Vulnerabilities (PSS-03) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-18-PSS-04 | |C5-18-PSS-04 | ||
|ISM:Error handling and Logging Mechanisms (PSS-04) | |ISM:Error handling and Logging Mechanisms (PSS-04) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-18-PSS-05 | |C5-18-PSS-05 | ||
|ISM:Authentication Mechanisms (PSS-05) | |ISM:Authentication Mechanisms (PSS-05) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-18-PSS-06 | |C5-18-PSS-06 | ||
|ISM:Session Management (PSS-06) | |ISM:Session Management (PSS-06) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-18-PSS-07 | |C5-18-PSS-07 | ||
|ISM:Confidentiality of Authentication Information (PSS-07) | |ISM:Confidentiality of Authentication Information (PSS-07) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-18-PSS-08 | |C5-18-PSS-08 | ||
|ISM:Roles and Rights Concept (PSS-08) | |ISM:Roles and Rights Concept (PSS-08) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-18-PSS-09 | |C5-18-PSS-09 | ||
|ISM:Authorisation Mechanisms (PSS-09) | |ISM:Authorisation Mechanisms (PSS-09) | ||
| | | | ||
|Fully implemented | | style="" class="col-green-bg" |Fully implemented | ||
|- | |- | ||
|C5-18-PSS-10 | |C5-18-PSS-10 | ||
|ISM:Software Defined Networking (PSS-10) | |ISM:Software Defined Networking (PSS-10) | ||
|We do not provide SDN to the customer | |We do not provide SDN to the customer | ||
|Inactive | | style="" class="col-grey-light-bg" |Inactive | ||
|- | |- | ||
|C5-18-PSS-11 | |C5-18-PSS-11 | ||
|ISM:Images for Virtual Machines and Containers (PSS-11) | |ISM:Images for Virtual Machines and Containers (PSS-11) | ||
|We do not proved VMs and containers to the customer in the cloud | |We do not proved VMs and containers to the customer in the cloud | ||
|Inactive | | style="" class="col-grey-light-bg" |Inactive | ||
|- | |- | ||
|C5-18-PSS-12 | |C5-18-PSS-12 | ||
|ISM:Locations of Data Processing and Storage (PSS-12) | |ISM:Locations of Data Processing and Storage (PSS-12) | ||
|We do not provide a choice of data locations to the cloud customers | |We do not provide a choice of data locations to the cloud customers | ||
|Inactive | | style="" class="col-grey-light-bg" |Inactive | ||
|} | |} |
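Review bot: every audit-state cell in this hunk (BCM-01 through PSS-12) gains an empty `style=""` attribute next to the `class` attribute; the class alone selects the background colour, so the empty attribute is dead markup and should be dropped, e.g. `| class="col-green-bg" |Fully implemented`. The PSS-11 comment is carried over unchanged with the typo "We do not proved VMs and containers" and should read "provide". Also, BCM-02 and COM-02 are marked Inactive while their comments describe work that is done without a formal policy, which is the same situation COM-03 records as Partially implemented; please confirm which audit state is intended for those two rows so the states stay comparable across the table.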
Revision as of 15:30, 29 April 2024
Overview
For more info: Cloud computing C5 criteria catalogue
Current phase of the internal audit: Initial audit
Fully implemented C5 guidelines: 92%
Partially implemented C5 guidelines: 66%
List of guidelines
ID | Guideline | Comment | Audit state |
---|---|---|---|
C5-01-OIS-01 | ISM:Information Security Management System (OIS-01) | ISMS is in effect, but not all requirements of C5 are implemented | Partially implemented |
C5-01-OIS-02 | ISM:Information Security Policy (OIS-02) | Security policy is available, but needs improvement | Partially implemented |
C5-01-OIS-03 | ISM:Interfaces and Dependencies (OIS-03) | | Fully implemented |
C5-01-OIS-04 | ISM:Segregation of Duties (OIS-04) | | Fully implemented |
C5-01-OIS-05 | ISM:Contact with Relevant Government Agencies and Interest Groups (OIS-05) | | Fully implemented |
C5-01-OIS-06 | ISM:Risk Management Policy (OIS-06) | | Fully implemented |
C5-01-OIS-07 | ISM:Application of the Risk Management Policy (OIS-07) | The process is described, but not well established | Partially implemented |
C5-03-SA-01 | ISM:Documentation, communication and provision of policies and instructions (SA-01) | | Fully implemented |
C5-03-SA-02 | ISM:Review and approval of policies and instructions (SA-02) | | Fully implemented |
C5-03-SA-03 | ISM:Deviations from existing policies and instructions (SA-03) | | Fully implemented |
C5-04-HR-01 | ISM:Security check of the background information (HR-01) | Given the small size of the company, trust is established on a personal basis | Inactive |
C5-04-HR-02 | ISM:Employment agreements (HR-02) | We do bind our employees contractually to data protection and privacy. Security is only mentioned implicitly here. | Partially implemented |
C5-04-HR-03 | ISM:Security training and awareness-raising programme (HR-03) | | Fully implemented |
C5-04-HR-04 | ISM:Disciplinary measures (HR-04) | There is no specific mention of security issues. However, standard disciplinary measures apply. | Partially implemented |
C5-04-HR-05 | ISM:Termination of the employment relationship or changes to the responsibilities (HR-05) | | Fully implemented |
C5-05-AM-01 | ISM:Asset inventory (AM-01) | | Fully implemented |
C5-05-AM-02 | ISM:Assignment of persons responsible for assets (AM-02) | | Fully implemented |
C5-05-AM-03 | ISM:Instruction manuals for assets (AM-03) | In our internal wiki, we document the handling of specific assets. However, there is no systematic approach | Partially implemented |
C5-05-AM-04 | ISM:Handing in and returning assets (AM-04) | | Fully implemented |
C5-05-AM-05 | ISM:Classification of information (AM-05) | We classify services, but there is no classification scheme for data. All customer data is treated as sensitive. | Partially implemented |
C5-05-AM-06 | ISM:Labelling of information and handling of assets (AM-06) | We currently do not label information. As a standard, all customer data is treated as sensitive. | Inactive |
C5-05-AM-07 | ISM:Management of data media (AM-07) | | Fully implemented |
C5-05-AM-08 | ISM:Transfer and removal of assets (AM-08) | | Fully implemented |
C5-06-PS-01 | ISM:Perimeter protection (PS-01) | Data center locations, where our cloud data is located, do all comply with ISO 27001 and do have according perimeter protection. | Partially implemented |
C5-06-PS-02 | ISM:Physical site access control (PS-02) | | Fully implemented |
C5-06-PS-03 | ISM:Protection against threats from outside and from the environment (PS-03) | | Fully implemented |
C5-06-PS-04 | ISM:Protection against interruptions caused by power failures and other such risks (PS-04) | | Fully implemented |
C5-06-PS-05 | ISM:Maintenance of infrastructure and devices (PS-05) | | Fully implemented |
C5-07-OPS-01 | Planning (OPS-01) | | Fully implemented |
C5-07-OPS-02 | Monitoring (OPS-02) | | Fully implemented |
C5-07-OPS-03 | Controlling of Resources (OPS-03) | Here, it is required to make resource data available to the customer for their planning. This is currently out of scope. | Inactive |
C5-07-OPS-04 | Concept (OPS-04) | | Fully implemented |
C5-07-OPS-05 | Implementation (OPS-05) | | Fully implemented |
C5-07-OPS-06 | Concept (OPS-06) | | Fully implemented |
C5-07-OPS-07 | Monitoring (OPS-07) | | Fully implemented |
C5-07-OPS-08 | Regular Testing (OPS-08) | | Fully implemented |
C5-07-OPS-09 | Storage (OPS-09) | | Fully implemented |
C5-07-OPS-10 | Concept (OPS-10) | | Fully implemented |
C5-07-OPS-11 | Metadata Management Concept (OPS-11) | Is currently covered in OPS-10 | Inactive |
C5-07-OPS-12 | Access, Storage and Deletion (OPS-12) | Is currently covered by OPS-10 | Inactive |
C5-07-OPS-13 | Identification of Events (OPS-13) | Is currently covered by OPS-10 | Inactive |
C5-07-OPS-14 | Storage of the Logging Data (OPS-14) | Log data is stored centrally on a logging server. | Partially implemented |
C5-07-OPS-15 | Accountability (OPS-15) | Application logs are available. Access logs are stored without IP address | Partially implemented |
C5-07-OPS-16 | Configuration (OPS-16) | | Fully implemented |
C5-07-OPS-17 | Availability of the Monitoring Software (OPS-17) | | Fully implemented |
C5-07-OPS-18 | Concept (OPS-18) | | Fully implemented |
C5-07-OPS-19 | Penetration Tests (OPS-19) | We currently do not perform any external or internal penetration tests. However, some of our customers did. No major issues were found. | Inactive |
C5-07-OPS-20 | Measurements, Analyses and Assessment of Procedures (OPS-20) | There is no regular process for this yet. | Partially implemented |
C5-07-OPS-21 | ISM:Involvement of Cloud Customers in the Event of Incidents (OPS-21) | | Fully implemented |
C5-07-OPS-22 | ISM:Testing and Documentation of Known Vulnerabilities (OPS-22) | | Fully implemented |
C5-07-OPS-23 | System Hardening (OPS-23) | We adhere to industry standards. There is currently no documentation per system. | Partially implemented |
C5-07-OPS-24 | ISM:Separation of Datasets in the Cloud Infrastructure (OPS-24) | | Fully implemented |
C5-08-IDM-01 | ISM:Policy for user accounts and access rights (IDM-01) | | Fully implemented |
C5-08-IDM-02 | ISM:Granting and change of user accounts and access rights (IDM-02) | | Fully implemented |
C5-08-IDM-03 | ISM:Locking and withdrawal of user accounts in the event of inactivity or multiple failed logins (IDM-03) | Some of our systems implement this. The rest is managed automatically. | Partially implemented |
C5-08-IDM-04 | ISM:Withdraw or adjust access rights as the task area changes (IDM-04) | | Fully implemented |
C5-08-IDM-05 | ISM:Regular review of access rights (IDM-05) | This is currently only done for the most critical systems | Partially implemented |
C5-08-IDM-06 | ISM:Privileged access rights (IDM-06) | Mostly implemented, but we do not revoke privileges on a limited time basis | Partially implemented |
C5-08-IDM-07 | ISM:Access to cloud customer data (IDM-07) | | Fully implemented |
C5-08-IDM-08 | ISM:Confidentiality of authentication information (IDM-08) | | Fully implemented |
C5-08-IDM-09 | ISM:Authentication Mechanisms (IDM-09) | | Fully implemented |
C5-09-CRY-01 | ISM:Policy for the use of encryption procedures and key management (CRY-01) | There are some guidelines, but no approved policy yet. | Partially implemented |
C5-09-CRY-02 | ISM:Encryption of data for transmission (transport encryption) (CRY-02) | | Fully implemented |
C5-09-CRY-03 | ISM:Encryption of sensitive data for storage (CRY-03) | Customer data is encrypted at rest. Backups are encrypted | Partially implemented |
C5-09-CRY-04 | ISM:Secure key management (CRY-04) | There is no centralized key management. Guidelines exist. | Partially implemented |
C5-10-COS-01 | ISM:Technical safeguards (COS-01) | We do not run any intrusion detection system. However, we monitor network patterns and will be informed on major irregularities, like DDOS attacks. | Inactive |
C5-10-COS-02 | ISM:Security requirements for connections in the Cloud Service Provider’s network (COS-02) | | Fully implemented |
C5-10-COS-03 | ISM:Monitoring of connections in the Cloud Service Provider’s network (COS-03) | All access to the cloud network is logged. | Partially implemented |
C5-10-COS-04 | ISM:Cross-network access (COS-04) | | Fully implemented |
C5-10-COS-05 | ISM:Networks for administration (COS-05) | | Fully implemented |
C5-10-COS-06 | ISM:Segregation of data traffic in jointly used network environments (COS-06) | Internal traffic segregated, but not encrypted. | Partially implemented |
C5-10-COS-07 | ISM:Documentation of the network topology (COS-07) | | Fully implemented |
C5-10-COS-08 | ISM:Policies for data transmission (COS-08) | | Fully implemented |
C5-11-PI-01 | ISM:Documentation and safety of input and output interfaces (PI-01) | | Fully implemented |
C5-11-PI-02 | ISM:Contractual agreements for the provision of data (PI-02) | | Fully implemented |
C5-11-PI-03 | ISM:Secure deletion of data (PI-03) | | Fully implemented |
C5-12-DEV-01 | ISM:Policies for the development and procurement of information systems (DEV-01) | We apply the coding guidelines which are followed in the Wikimedia ecosystem | Partially implemented |
C5-12-DEV-02 | ISM:Outsourcing of the development (DEV-02) | Contractual agreements are in place but need updating. However, third parties do not have access to our production cloud or to production code. | Partially implemented |
C5-12-DEV-03 | ISM:Policies for changes to information systems (DEV-03) | | Fully implemented |
C5-12-DEV-04 | ISM:Safety training and awareness programme regarding continuous software delivery and associated systems, components or tools (DEV-04) | Training is done on the job and on an annual basis in combination with GDPR compliance training | Partially implemented |
C5-12-DEV-05 | ISM:Risk assessment, categorisation and prioritisation of changes (DEV-05) | Any changes are assessed within the team. A formal risk assessment is not applied yet. | Partially implemented |
C5-12-DEV-06 | ISM:Testing changes (DEV-06) | | Fully implemented |
C5-12-DEV-07 | ISM:Logging of changes (DEV-07) | | Fully implemented |
C5-12-DEV-08 | ISM:Version Control (DEV-08) | | Fully implemented |
C5-12-DEV-09 | ISM:Approvals for provision in the production environment (DEV-09) | | Fully implemented |
C5-12-DEV-10 | ISM:Separation of environments (DEV-10) | | Fully implemented |
C5-13-SSO-01 | ISM:Policies and instructions for controlling and monitoring third parties (SSO-01) | | Fully implemented |
C5-13-SSO-02 | ISM:Risk assessment of service providers and suppliers (SSO-02) | | Fully implemented |
C5-13-SSO-03 | ISM:Directory of service providers and suppliers (SSO-03) | | Fully implemented |
C5-13-SSO-04 | ISM:Monitoring of compliance with requirements (SSO-04) | | Fully implemented |
C5-13-SSO-05 | ISM:Exit strategy for the receipt of benefit (SSO-05) | There is no documented exit strategy. | Inactive |
C5-14-SIM-01 | ISM:Policy for security incident management (SIM-01) | | Fully implemented |
C5-14-SIM-02 | ISM:Processing of security incidents (SIM-02) | | Fully implemented |
C5-14-SIM-03 | ISM:Documentation and reporting of security incidents (SIM-03) | | Fully implemented |
C5-14-SIM-04 | ISM:Duty of the users to report security incidents to a central body (SIM-04) | | Fully implemented |
C5-14-SIM-05 | ISM:Evaluation and learning process (SIM-05) | | Fully implemented |
C5-15-BCM-01 | ISM:Top management responsibility (BCM-01) | | Fully implemented |
C5-15-BCM-02 | ISM:Business impact analysis policies and instructions (BCM-02) | Risk analysis was done and is documented. There is no formal policy. | Inactive |
C5-15-BCM-03 | ISM:Planning business continuity (BCM-03) | | Fully implemented |
C5-15-BCM-04 | ISM:Verification, updating and testing of the business continuity (BCM-04) | Disaster recovery tests are conducted at implementation time. There is no regular schedule yet. | Partially implemented |
C5-16-COM-01 | ISM:Identification of applicable legal, regulatory, self-imposed or contractual requirements (COM-01) | | Fully implemented |
C5-16-COM-02 | ISM:Policy for planning and conducting audits (COM-02) | We conduct annual audits of the ISMS. There is no formal policy. | Inactive |
C5-16-COM-03 | ISM:Internal audits of the ISMS (COM-03) | There is no formal process of the internal audit yet | Partially implemented |
C5-16-COM-04 | ISM:Information on information security performance and management assessment of the ISMS (COM-04) | | Fully implemented |
C5-17-INQ-01 | ISM:Legal Assessment of Investigative Inquiries (INQ-01) | | Fully implemented |
C5-17-INQ-02 | ISM:Informing Cloud Customers about Investigation Requests (INQ-02) | | Fully implemented |
C5-17-INQ-03 | ISM:Conditions for Access to or Disclosure of Data in Investigation Requests (INQ-03) | | Fully implemented |
C5-17-INQ-04 | ISM:Limiting Access to or Disclosure of Data in Investigation Requests (INQ-04) | | Fully implemented |
C5-18-PSS-01 | ISM:Guidelines and Recommendations for Cloud Customers (PSS-01) | We maintain this information in our product documentation. However, it cannot be found in one central place. | Partially implemented |
C5-18-PSS-02 | ISM:Identification of Vulnerabilities of the Cloud Service (PSS-02) | | Fully implemented |
C5-18-PSS-03 | ISM:Online Register of Known Vulnerabilities (PSS-03) | | Fully implemented |
C5-18-PSS-04 | ISM:Error handling and Logging Mechanisms (PSS-04) | | Fully implemented |
C5-18-PSS-05 | ISM:Authentication Mechanisms (PSS-05) | | Fully implemented |
C5-18-PSS-06 | ISM:Session Management (PSS-06) | | Fully implemented |
C5-18-PSS-07 | ISM:Confidentiality of Authentication Information (PSS-07) | | Fully implemented |
C5-18-PSS-08 | ISM:Roles and Rights Concept (PSS-08) | | Fully implemented |
C5-18-PSS-09 | ISM:Authorisation Mechanisms (PSS-09) | | Fully implemented |
C5-18-PSS-10 | ISM:Software Defined Networking (PSS-10) | We do not provide SDN to the customer | Inactive |
C5-18-PSS-11 | ISM:Images for Virtual Machines and Containers (PSS-11) | We do not provide VMs and containers to the customer in the cloud | Inactive |
C5-18-PSS-12 | ISM:Locations of Data Processing and Storage (PSS-12) | We do not provide a choice of data locations to the cloud customers | Inactive |