Overview
For more info: Cloud computing C5 criteria catalogue
Current phase of the internal audit: Initial audit
Fully implemented C5 guidelines: 92%
Partially implemented C5 guidelines: 66%
List of guidelines
| ID | Guideline | Comment | Audit state |
|---|---|---|---|
| C5-01-OIS-01 | Information Security Management System (OIS-01) | ISMS is in effect, but not all requirements of C5 are implemented. | Partially implemented |
| C5-01-OIS-02 | Information Security Policy (OIS-02) | Security policy is available, but needs improvement. | Partially implemented |
| C5-01-OIS-03 | Interfaces and Dependencies (OIS-03) | | Fully implemented |
| C5-01-OIS-04 | Segregation of Duties (OIS-04) | | Fully implemented |
| C5-01-OIS-05 | Contact with Relevant Government Agencies and Interest Groups (OIS-05) | | Fully implemented |
| C5-01-OIS-06 | Risk Management Policy (OIS-06) | | Fully implemented |
| C5-01-OIS-07 | Application of the Risk Management Policy (OIS-07) | The process is described and will be introduced. | Partially implemented |
| C5-03-SA-01 | Documentation, communication and provision of policies and instructions (SA-01) | | Fully implemented |
| C5-03-SA-02 | Review and approval of policies and instructions (SA-02) | | Fully implemented |
| C5-03-SA-03 | Deviations from existing policies and instructions (SA-03) | | Fully implemented |
| C5-04-HR-01 | Security check of the background information (HR-01) | Trust is built on a personal basis, as the company is small. | Inactive |
| C5-04-HR-02 | Employment agreements (HR-02) | Employees are contractually bound to data protection and privacy. Security is implicitly addressed. | Partially implemented |
| C5-04-HR-03 | Security training and awareness-raising programme (HR-03) | | Fully implemented |
| C5-04-HR-04 | Disciplinary measures (HR-04) | There is no specific mention of security issues. However, standard disciplinary measures apply. | Partially implemented |
| C5-04-HR-05 | Termination of the employment relationship or changes to the responsibilities (HR-05) | | Fully implemented |
| C5-05-AM-01 | Asset inventory (AM-01) | | Fully implemented |
| C5-05-AM-02 | Assignment of persons responsible for assets (AM-02) | | Fully implemented |
| C5-05-AM-03 | Instruction manuals for assets (AM-03) | The handling of certain assets is documented in the internal knowledge base. The next step is to systematise this. | Partially implemented |
| C5-05-AM-04 | Handing in and returning assets (AM-04) | | Fully implemented |
| C5-05-AM-05 | Classification of information (AM-05) | Services are classified, but there is no classification scheme for data. All customer data is treated confidentially. | Partially implemented |
| C5-05-AM-06 | Labelling of information and handling of assets (AM-06) | Information is currently not labelled. By default, all customer data is treated confidentially. | Inactive |
| C5-05-AM-07 | Management of data media (AM-07) | | Fully implemented |
| C5-05-AM-08 | Transfer and removal of assets (AM-08) | | Fully implemented |
| C5-06-PS-01 | Perimeter protection (PS-01) | All data centre locations hosting the company's cloud data meet the ISO 27001 standard and have corresponding perimeter protection. | Partially implemented |
| C5-06-PS-02 | Physical site access control (PS-02) | | Fully implemented |
| C5-06-PS-03 | Protection against threats from outside and from the environment (PS-03) | | Fully implemented |
| C5-06-PS-04 | Protection against interruptions caused by power failures and other such risks (PS-04) | | Fully implemented |
| C5-06-PS-05 | Maintenance of infrastructure and devices (PS-05) | | Fully implemented |
| C5-07-OPS-01 | Planning (OPS-01) | | Fully implemented |
| C5-07-OPS-02 | Monitoring (OPS-02) | | Fully implemented |
| C5-07-OPS-03 | Controlling of Resources (OPS-03) | This control requires making resource data available to customers for their planning. This is currently out of scope. | Inactive |
| C5-07-OPS-04 | Concept (OPS-04) | | Fully implemented |
| C5-07-OPS-05 | Implementation (OPS-05) | | Fully implemented |
| C5-07-OPS-06 | Concept (OPS-06) | | Fully implemented |
| C5-07-OPS-07 | Monitoring (OPS-07) | | Fully implemented |
| C5-07-OPS-08 | Regular Testing (OPS-08) | | Fully implemented |
| C5-07-OPS-09 | Storage (OPS-09) | | Fully implemented |
| C5-07-OPS-10 | Concept (OPS-10) | | Fully implemented |
| C5-07-OPS-11 | Metadata Management Concept (OPS-11) | Currently covered by OPS-10. | Inactive |
| C5-07-OPS-12 | Access, Storage and Deletion (OPS-12) | Currently covered by OPS-10. | Inactive |
| C5-07-OPS-13 | Identification of Events (OPS-13) | Currently covered by OPS-10. | Inactive |
| C5-07-OPS-14 | Storage of the Logging Data (OPS-14) | Log data is stored centrally on a logging server. | Partially implemented |
| C5-07-OPS-15 | Accountability (OPS-15) | Application logs are available. Access logs are stored without IP addresses. | Partially implemented |
| C5-07-OPS-16 | Configuration (OPS-16) | | Fully implemented |
| C5-07-OPS-17 | Availability of the Monitoring Software (OPS-17) | | Fully implemented |
| C5-07-OPS-18 | Concept (OPS-18) | | Fully implemented |
| C5-07-OPS-19 | Penetration Tests (OPS-19) | Penetration tests are occasionally carried out as part of customer projects. No major problems were identified here. Hallo Welt! does not (yet) carry out internal penetration tests itself. | Inactive |
| C5-07-OPS-20 | Measurements, Analyses and Assessment of Procedures (OPS-20) | There is no regular process for this yet. | Partially implemented |
| C5-07-OPS-21 | Involvement of Cloud Customers in the Event of Incidents (OPS-21) | | Fully implemented |
| C5-07-OPS-22 | Testing and Documentation of Known Vulnerabilities (OPS-22) | | Fully implemented |
| C5-07-OPS-23 | System Hardening (OPS-23) | Hallo Welt! is based on industry standards. There is currently no documentation for each system. | Partially implemented |
| C5-07-OPS-24 | Separation of Datasets in the Cloud Infrastructure (OPS-24) | | Fully implemented |
| C5-08-IDM-01 | Policy for user accounts and access rights (IDM-01) | | Fully implemented |
| C5-08-IDM-02 | Granting and change of user accounts and access rights (IDM-02) | | Fully implemented |
| C5-08-IDM-03 | Locking and withdrawal of user accounts in the event of inactivity or multiple failed logins (IDM-03) | Some of our systems implement this. The rest is managed automatically. | Partially implemented |
| C5-08-IDM-04 | Withdraw or adjust access rights as the task area changes (IDM-04) | | Fully implemented |
| C5-08-IDM-05 | Regular review of access rights (IDM-05) | This is currently only done for the most critical systems. | Partially implemented |
| C5-08-IDM-06 | Privileged access rights (IDM-06) | Largely implemented. However, privileges are not withdrawn for a limited period of time. | Partially implemented |
| C5-08-IDM-07 | Access to cloud customer data (IDM-07) | | Fully implemented |
| C5-08-IDM-08 | Confidentiality of authentication information (IDM-08) | | Fully implemented |
| C5-08-IDM-09 | Authentication Mechanisms (IDM-09) | | Fully implemented |
| C5-09-CRY-01 | Policy for the use of encryption procedures and key management (CRY-01) | There are some guidelines, but no approved policy yet. | Partially implemented |
| C5-09-CRY-02 | Encryption of data for transmission (transport encryption) (CRY-02) | | Fully implemented |
| C5-09-CRY-03 | Encryption of sensitive data for storage (CRY-03) | Customer data is encrypted at rest. Backups are encrypted. | Partially implemented |
| C5-09-CRY-04 | Secure key management (CRY-04) | There is no centralised key management. Guidelines exist. | Partially implemented |
| C5-10-COS-01 | Technical safeguards (COS-01) | Hallo Welt! does not operate an intrusion detection system. However, network patterns are monitored and notifications are sent in the event of major irregularities, such as DDoS attacks. | Inactive |
| C5-10-COS-02 | Security requirements for connections in the Cloud Service Provider's network (COS-02) | | Fully implemented |
| C5-10-COS-03 | Monitoring of connections in the Cloud Service Provider's network (COS-03) | All access to the cloud network is logged. | Partially implemented |
| C5-10-COS-04 | Cross-network access (COS-04) | | Fully implemented |
| C5-10-COS-05 | Networks for administration (COS-05) | | Fully implemented |
| C5-10-COS-06 | Segregation of data traffic in jointly used network environments (COS-06) | Internal traffic is segregated, but not encrypted. | Partially implemented |
| C5-10-COS-07 | Documentation of the network topology (COS-07) | | Fully implemented |
| C5-10-COS-08 | Policies for data transmission (COS-08) | | Fully implemented |
| C5-11-PI-01 | Documentation and safety of input and output interfaces (PI-01) | | Fully implemented |
| C5-11-PI-02 | Contractual agreements for the provision of data (PI-02) | | Fully implemented |
| C5-11-PI-03 | Secure deletion of data (PI-03) | | Fully implemented |
| C5-12-DEV-01 | Policies for the development and procurement of information systems (DEV-01) | Hallo Welt! applies the coding guidelines that apply in the Wikimedia ecosystem. | Partially implemented |
| C5-12-DEV-02 | Outsourcing of the development (DEV-02) | Contractual agreements are in place but need updating. However, third parties do not have access to our production cloud or to production code. | Partially implemented |
| C5-12-DEV-03 | Policies for changes to information systems (DEV-03) | | Fully implemented |
| C5-12-DEV-04 | Safety training and awareness programme regarding continuous software delivery and associated systems, components or tools (DEV-04) | Training is done on the job and on an annual basis in combination with GDPR compliance training. | Partially implemented |
| C5-12-DEV-05 | Risk assessment, categorisation and prioritisation of changes (DEV-05) | Any changes are assessed within the team. A formal risk assessment is not applied yet. | Partially implemented |
| C5-12-DEV-06 | Testing changes (DEV-06) | | Fully implemented |
| C5-12-DEV-07 | Logging of changes (DEV-07) | | Fully implemented |
| C5-12-DEV-08 | Version Control (DEV-08) | | Fully implemented |
| C5-12-DEV-09 | Approvals for provision in the production environment (DEV-09) | | Fully implemented |
| C5-12-DEV-10 | Separation of environments (DEV-10) | | Fully implemented |
| C5-13-SSO-01 | Policies and instructions for controlling and monitoring third parties (SSO-01) | | Fully implemented |
| C5-13-SSO-02 | Risk assessment of service providers and suppliers (SSO-02) | | Fully implemented |
| C5-13-SSO-03 | Directory of service providers and suppliers (SSO-03) | | Fully implemented |
| C5-13-SSO-04 | Monitoring of compliance with requirements (SSO-04) | | Fully implemented |
| C5-13-SSO-05 | Exit strategy for the receipt of benefit (SSO-05) | There is no documented exit strategy. | Inactive |
| C5-14-SIM-01 | Policy for security incident management (SIM-01) | | Fully implemented |
| C5-14-SIM-02 | Processing of security incidents (SIM-02) | | Fully implemented |
| C5-14-SIM-03 | Documentation and reporting of security incidents (SIM-03) | | Fully implemented |
| C5-14-SIM-04 | Duty of the users to report security incidents to a central body (SIM-04) | | Fully implemented |
| C5-14-SIM-05 | Evaluation and learning process (SIM-05) | | Fully implemented |
| C5-15-BCM-01 | Top management responsibility (BCM-01) | | Fully implemented |
| C5-15-BCM-02 | Business impact analysis policies and instructions (BCM-02) | Risk analysis was done and is documented. There is no formal policy. | Inactive |
| C5-15-BCM-03 | Planning business continuity (BCM-03) | | Fully implemented |
| C5-15-BCM-04 | Verification, updating and testing of the business continuity (BCM-04) | Disaster recovery tests are conducted at implementation time. There is no regular schedule yet. | Partially implemented |
| C5-16-COM-01 | Identification of applicable legal, regulatory, self-imposed or contractual requirements (COM-01) | | Fully implemented |
| C5-16-COM-02 | Policy for planning and conducting audits (COM-02) | The ISMS is audited annually. There is no formal guideline. | Inactive |
| C5-16-COM-03 | Internal audits of the ISMS (COM-03) | There is no formal process for internal audits yet. | Partially implemented |
| C5-16-COM-04 | Information on information security performance and management assessment of the ISMS (COM-04) | | Fully implemented |
| C5-17-INQ-01 | Legal Assessment of Investigative Inquiries (INQ-01) | | Fully implemented |
| C5-17-INQ-02 | Informing Cloud Customers about Investigation Requests (INQ-02) | | Fully implemented |
| C5-17-INQ-03 | Conditions for Access to or Disclosure of Data in Investigation Requests (INQ-03) | | Fully implemented |
| C5-17-INQ-04 | Limiting Access to or Disclosure of Data in Investigation Requests (INQ-04) | | Fully implemented |
| C5-18-PSS-01 | Guidelines and Recommendations for Cloud Customers (PSS-01) | This information is maintained as part of our product documentation. However, it cannot be found in a centralised location. | Partially implemented |
| C5-18-PSS-02 | Identification of Vulnerabilities of the Cloud Service (PSS-02) | | Fully implemented |
| C5-18-PSS-03 | Online Register of Known Vulnerabilities (PSS-03) | | Fully implemented |
| C5-18-PSS-04 | Error handling and Logging Mechanisms (PSS-04) | | Fully implemented |
| C5-18-PSS-05 | Authentication Mechanisms (PSS-05) | | Fully implemented |
| C5-18-PSS-06 | Session Management (PSS-06) | | Fully implemented |
| C5-18-PSS-07 | Confidentiality of Authentication Information (PSS-07) | | Fully implemented |
| C5-18-PSS-08 | Roles and Rights Concept (PSS-08) | | Fully implemented |
| C5-18-PSS-09 | Authorisation Mechanisms (PSS-09) | | Fully implemented |
| C5-18-PSS-10 | Software Defined Networking (PSS-10) | Hallo Welt! does not provide the customer with SDN. | Inactive |
| C5-18-PSS-11 | Images for Virtual Machines and Containers (PSS-11) | Hallo Welt! does not provide the customer with VMs and containers in the cloud. | Inactive |
| C5-18-PSS-12 | Locations of Data Processing and Storage (PSS-12) | Hallo Welt! does not provide a choice of data locations to the cloud customers. | Inactive |