Risk Management

I am currently again dealing with many mandates where the core issue is risk management.

The cases are essentially the same: the clients' lawyers want to use contractual provisions (liability and warranty) to shift risks onto the IT companies.

Examples of such cases:

1) A cloud system is supposed to be available almost 100% of the time, day and night, yet new functions are not to be tested on a staging system but on the "test system".

2) Under the terms of a GCU, the IT company is always to be liable for ensuring that current technical measures are in place that correspond to the state of the art: the IT company alone is to bear the cost of the risk that updates turn out to be more expensive than the monthly remuneration.

3) An IT company would like to conclude a cloud contract with a government agency on the basis of the EVB IT, but without applying the C5 criteria catalog. And there are many more examples.

The problem in each case is the substance of the risk management, the communication about it, and the question of which legal agreements are concluded.

I. Initial situation: The law

We can leave this starting point behind again quickly, because if we move to the level of European data protection or IT security law, we quickly realize that there is no EU government body that can itself determine a) which organizations in the individual EU member states are to decide on such matters, or b) what the content of such decisions should look like. There are no clear legal stipulations on how an IT risk management methodology is to be operated. It is not for nothing that so many providers in Germany repeatedly refer to ISO 27005:2018 (and thereby, in the opinion of many others, cause unnecessary effort and costs). However, according to Wikipedia, ISO is an association under Swiss law, not an EU commission or a body authorized by the German parliament.

II. The normal way

One methodological approach that is often suggested is:

The first step is the question of which protected interests exist. In data protection, these are personal data.

The second step is to record the processing operations that affect the personal data; IT specialists would probably use the term "services" instead of "processing".

Once one knows which services are used operationally for which protected interests, step three is the identification of risks (who or what poses a threat),

the fourth step is a risk analysis (how high is the probability of damage occurring, and what are the consequences if it does?),

and the final step is the risk assessment: the question of what measures can be taken to counter the risks and how a proportionate measure can be chosen. For both the question of risk and the question of measures, it is repeatedly suggested to use a matrix with the values "low/medium/high" in order to arrive at a result more quickly. However, this is not required by law.

The problem with the normal way is simply that a normal person does not have the time to work through all the possible risks (what risks could there be?) and the considerations that should precede the result.

However, one option is always to look at what the BSI is doing.

III. Orientation towards an existing standard: The BSI's C5 criteria catalog

The BSI publishes criteria catalogs that enable those responsible to work through the BSI's requirements. The BSI has defined certain typical risks as standard and asks in its criteria catalogs whether these risks exist and whether they have been appropriately mitigated. The EVB IT were expanded in 2022 in the form of the EVB IT Cloud. These contain the following wording in section 1.2:

"The Contractor shall provide the services in compliance with the Cloud Computing Compliance Criteria Catalogue - C5 (basic criteria)."

You can find this catalog here:

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/C5_AktuelleVersion/C5_AktuelleVersion_node.html

This has the advantage of well-explained templates. The disadvantage is that the documents are very broadly based; they are very dry reading.

But don't be deceived: precisely because the BSI documents (which refer in part to ISO 2700X) do not contain any legal regulations, the BSI templates can be used as a starting point, their content can be adapted for your own purposes (this process is then itself part of the result of the risk assessment), and the result can then be used as a document and criteria catalog for yourself and your company.

If you want to conclude a contract on the basis of the EVB IT Cloud, it is possible to exclude the application of the C5 catalog. But (!) you then still have to prove that you have carried out risk management. This is because in Germany, if you are not certified, you must be audited. So you do not postpone the problem; you have to solve it differently.
