Federal Office for Information Security (BSI)

What is the compliance controls catalogue?

From the BSI’s perspective, the compliance controls catalogue outlines requirements which cloud providers should meet irrespective of the application context in order to ensure a minimum security level of their cloud services towards their customers. The compliance controls catalogue is an audit standard. It thus only contains auditable requirements and does not recommends concrete safeguards. This means that the compliance controls catalogue fundamentally differs from other catalogues, such as the IT-Grundschutz Catalogues, which contain specific safeguards for implementation.

For whom is the compliance controls catalogue intended?

The catalogue is primarily intended for cloud providers and auditors, but also for cloud customers. The provider must implement the requirements and the auditor must prove corresponding compliance. As the term cloud is used in a variety of ways, the catalogue can also be used for IT services which do not explicitly have “cloud” in their title, but are related to cloud services.

For cloud customers, the catalogue facilitates the choice of a suitable cloud provider to a great extent. The essential security requirements are covered by the catalogue so that the customer focuses more on their individual requirements and their implementation and/or their own requirements which go beyond the basic level of the compliance controls catalogue.

The requirements are not limited to certain industry sectors.

How is the compliance controls catalogue structured?

The catalogue itself consists of 114 requirements which are divided into 17 topics (see Section 5). The requirements are provided in tabular form. These tables also include higher-level requirements in addition to the standard requirements. Where necessary, notes on the interpretation of the individual requirements are added. The so-called surrounding parameters for transparency (see Section 4) ensure a high transparency of the framework conditions of the cloud service.

Section 3 provides the framework conditions for a concrete requirements audit by public auditors, which skills and knowledge the audit team should have and what an audit report addressed to a customer must contain.

Where do the requirements come from?

(The compliance controls catalogue is based on established standards such as ISO/IEC 27001:2013, CSA CCM 3.01, ANSSI Référentiel secure cloud v. 2.0, AICPA - Trust Service Principles Criteria 2014, IDW ERS FAIT 5 (4.11.2014) and on the BSI’s requirements such as in the IT-Grundschutz (15th version) and the SaaS-Sicherheitsprofilen (German only). When compiling the catalogue, the main rule was to generally take over existing requirements from the standards mentioned above wherever possible. Where applicable, these requirements were refined and new requirements were drafted only in those cases in which there were no comparable requirements in the concrete formulation.

And how were the requirements implemented?

All requirements are formulated in such a way that they can be audited. They are technology-neutral and how requirements are met is left to the cloud provider. For some requirements, there are also higher-level requirements which take increased security with respect to confidentiality and/or availability into account.

What are the surrounding parameters for transparency?

The so-called surrounding parameters for transparency are specific to the compliance controls catalogue. They mainly serve to provide transparency of the offered cloud service and are thus not requirements. As part of an audit, the cloud provider must disclose the following information: a detailed system description, information on their jurisdiction and data processing location, duties of disclosure and investigation at these locations as well as the certificates already issued for the cloud service and/or proof.

This transparency helps the cloud user, irrespective of the proof of security, to decide whether their essential requirements are met by the cloud provider (for the localisation of the data).

Which conditions does the compliance controls catalogue specify for subcontractors?

Cloud providers who render all services themselves and do not use services from other providers are rather the exception. The compliance controls catalogue covers the use of external IT services to provide the provider’s own cloud service. In this case, the cloud provider must pass on all requirements of the catalogue (including the transparency requirements from the surrounding parameters for transparency) to their subcontractors and oblige them to comply with these requirements (in case of the surrounding parameters for transparency, to document them).

There are several options for checking whether the subcontractor meets the requirements. The cloud provider can have an audit carried out by a public auditor at the subcontractor provided that the subcontractor allows this. Usually, the cloud provider agrees with the subcontractor that the subcontractor is regularly audited by public auditors and submits the audit report to the cloud provider. Thus, it is regulated that the same requirements apply to the entire service chain regardless of whether the cloud service is provided entirely by a provider or also to some extent by subcontractors.

Are the requirements generally binding?

No, because the BSI can impose binding requirements only to a very limited extent. The compliance controls catalogue is of a recommendatory nature for cloud customers and cloud providers. It is an important reference of the BSI for secure cloud computing and can help to establish trust between cloud customers and cloud providers.