Requirements for Conformity Assessment Bodies certifying Cloud Services

This TS provides requirements and ISO/IEC 17065 interpretations for Conformity Assessment Bodies (CABs) assessing Cloud Services
This TS is intended to be used by the National Accreditation Bodies (NABs), as well as CABs.

Anforderungen an Konformitätsbewertungsstellen, die Cloud-Dienste zertifizieren

Exigences applicables aux organismes d’évaluation de la conformité pour la certification des services en nuage

Zahteve za organe za ugotavljanje skladnosti, ki certificirajo storitve v oblaku

This document complements and supplements the procedures and general requirements of ISO/IEC 17065:2012 for conformity assessment bodies certifying cloud services under a dedicated European cybersecurity certification scheme (for example, those defined in Regulation (EU) 2019/881 (Cybersecurity Act), based on concepts defined in that regulation, such as the three assurance levels: Basic, Substantial and High).

General Information

Status
Published
Publication Date
22-Apr-2025
Current Stage
6060 - Definitive text made available (DAV) - Publishing
Start Date
23-Apr-2025
Due Date
19-Jun-2023
Completion Date
23-Apr-2025
Technical specification
TS CEN/CLC/TS 18072:2025
English language
45 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01-July-2025
Zahteve za organe za ugotavljanje skladnosti, ki certificirajo storitve v oblaku
Requirements for Conformity Assessment Bodies certifying Cloud Services
Anforderungen an Konformitätsbewertungsstellen, die Cloud-Dienste zertifizieren
Exigences applicables aux organismes d’évaluation de la conformité pour la certification des services en nuage
This Slovenian standard is identical to: CEN/CLC/TS 18072:2025
ICS:
03.120.20 Certificiranje proizvodov in podjetij. Ugotavljanje skladnosti | Product and company certification. Conformity assessment
35.030 Informacijska varnost | IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

TECHNICAL SPECIFICATION CEN/CLC/TS 18072

SPÉCIFICATION TECHNIQUE
TECHNISCHE SPEZIFIKATION
April 2025
ICS 03.120.20; 35.030
English version
Requirements for Conformity Assessment Bodies
certifying Cloud Services
Exigences applicables aux organismes d'évaluation de la conformité pour la certification des services en nuage
Anforderungen an Konformitätsbewertungsstellen, die Cloud-Dienste zertifizieren
This Technical Specification (CEN/TS) was approved by CEN on 13 October 2024 for provisional application.

The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN and CENELEC will be
requested to submit their comments, particularly on the question whether the CEN/TS can be converted into a European
Standard.
CEN and CENELEC members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the
CEN/TS available promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in
force (in parallel to the CEN/TS) until the final decision about the possible conversion of the CEN/TS into an EN is reached.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2025 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. CEN/CLC/TS 18072:2025 E
Contents Page
Introduction .5
1 Scope .6
2 Normative references .6
3 Terms and definitions.6
4 General requirements .8
4.1 Legal and contractual matters .8
4.1.1 Legal responsibility .8
4.1.2 Certification agreement .8
4.1.3 Use of license, certificates and marks of conformity .8
4.2 Management of impartiality .8
4.2.1 General .8
4.2.2 Nonconflicting activities .8
4.3 Liability and financing .8
4.4 Non-discriminatory conditions .8
4.5 Confidentiality .9
4.6 Publicly available information .9
5 Structural Requirements .9
5.1 Organizational structure and top management .9
5.2 Mechanisms for safeguarding impartiality .9
6 Resource Requirements .9
6.1 Certification body personnel — Determination of competence criteria .9
6.2 Resources for Evaluation .9
7 Process requirements .9
7.1 General requirements .9
7.2 Application .9
7.3 Application review .9
7.4 Evaluation . 10
7.4.1 General . 10
7.4.2 Types of evaluations . 10
7.4.3 Preparation of the evaluation . 10
7.4.4 Conducting evaluations . 17
7.4.5 General requirements on conducting evaluations. 25
7.5 Review . 29
7.6 Certification decision . 29
7.7 Certification Documentation . 29
7.8 Directory of certified products . 30
7.9 Surveillance . 30
7.9.1 Introduction . 30
7.9.2 General . 30
7.9.3 Surveillance Evaluation . 30
7.9.4 Recertification Evaluation . 30
7.9.5 Special Evaluation . 31
7.10 Changes affecting certification . 31
7.11 Termination, reduction, suspension or withdrawal of certification . 32
7.12 Records . 32
7.13 Complaints and appeals . 32
8 Management system requirements . 32
8.1 Options . 32
8.1.1 General . 32
8.1.2 Option A . 32
8.1.3 Option B . 32
8.2 Management system documentation (Option A) . 32
8.3 Control of documents (Option A) . 32
8.4 Control of records (Option A) . 32
8.5 Management review (Option A) . 32
8.5.1 General . 32
8.5.2 Review inputs . 32
8.5.3 Review outputs . 32
8.6 Internal Audits (Option A) . 32
8.7 Corrective actions (Option A) . 33
8.8 Preventive actions (Option A) . 33
Annex A (normative) Required Knowledge and Skills. 34
Annex B (normative) Dependency Analysis . 43
Bibliography . 45

European foreword
This document (CEN/CLC/TS 18072:2025) has been prepared by Technical Committee CEN/CLC/JTC 13
“Cybersecurity and Data protection”, the secretariat of which is held by DIN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document is developed to support the Cybersecurity Act, EUCSA, Regulation (EU) 2019/881 on
information and communications technology cybersecurity certification.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN website.
According to the CEN/CENELEC Internal Regulations, the national standards organisations of the
following countries are bound to announce this Technical Specification: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Introduction
The overall aim of certifying products, processes or services is to give confidence to all interested parties
that a product, process or service fulfils specified requirements. The value of certification is the degree of
confidence and trust that is established by an impartial and competent demonstration of fulfilment of
specified requirements by a third party.
ISO/IEC 17065 specifies requirements, the observance of which is intended to ensure that certification
bodies operate certification schemes in a competent, consistent and impartial manner, thereby
facilitating the recognition of such bodies and the acceptance of certified products, processes and services
on a national and international basis and so furthering international trade.
ISO/IEC 17065 gives generalized requirements for operating certification schemes for a broad range of
products, processes or services. While the general requirements given by ISO/IEC 17065 are shared by
all Certification Bodies, they are a high-level set.
The conformity assessment bodies providing evaluation and certification of cloud services have some
specific requirements for evaluation procedures and competence.
To help implementers, this document is numbered identically to ISO/IEC 17065:2012. Supplementary
requirements are presented as clauses and subclauses additional to ISO/IEC 17065:2012. Any
supplementary requirements are presented in this document with the same clause / subclause number
as in ISO/IEC 17065:2012.
1 Scope
This document complements and supplements the procedures and general requirements found in
ISO/IEC 17065:2012 for conformity assessment bodies performing certification of cloud services under
a dedicated European cybersecurity certification scheme (for example, those defined in Regulation (EU)
2019/881 (Cybersecurity Act), based on concepts defined in this regulation, such as the three assurance
levels Basic, Substantial and High).
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced documents (including any amendments) applies.
ISO/IEC 17000, Conformity assessment — Vocabulary and general principles
ISO/IEC 17065:2012, Conformity assessment — Requirements for bodies certifying products, processes and
services
CEN/CLC/TS 18026, Three-level approach for a set of cybersecurity requirements for cloud services (under preparation; stage at the time of publication: FprCEN/CLC/TS 18026)
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17000, ISO/IEC 17065 and
CEN/CLC/TS 18026 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
appropriateness of evidence
measure of the relevance and reliability of evidence in providing support for the evaluator’s conclusion
[SOURCE: International Standard on Assurance Engagements (ISAE) 3000, definition 12.i.ii]
3.2
carve-out method
evaluation method where the description of the system includes the services provided by the subservice
provider but the controls and controls objectives from the subservice provider are excluded from the
description and the scope of the evaluation
Note 1 to entry: When carve-out method is used, the scope of the evaluation includes controls implemented by the
client to monitor the effectiveness of controls which can include the review of assurance documentation of the
subservice provider.
3.3
complementary user entity control
CUEC
control that the cloud service provider (CSP) assumes, in the design of its service, will be implemented
by its customer
3.4
complementary service organization controls
CSOC
controls that the cloud service provider assumes that their subservice providers will have in place in
order for them to securely operate their cloud service
3.5
evaluation
combination of the selection and determination functions of conformity assessment activities
Note 1 to entry: Evaluations include initial, surveillance, recertification evaluations, and can also include special
evaluations.
[SOURCE: EN ISO/IEC 17065:2012, definition 3.3]
3.6
evaluation criteria
reference to which conformity is determined
Note 1 to entry: Evaluation criteria include the requirements of a defined scheme for services applicable to a defined
evaluation level and corresponding assurance level.
Note 2 to entry: Evaluation criteria include the requirements on the defined processes and documentation of the
service operated by the client and of its associated controls.
3.7
fair presentation
accurate, truthful and transparent description of a client’s service
Note 1 to entry: Additional information about the content of a fair presentation is included in the certification
scheme.
3.8
inclusive method
evaluation method where the controls from the subservice that supports cloud service provider
operations are included in scope and will be reviewed by the evaluators
Note 1 to entry: When inclusive method is used, the description of the client’s service includes the services provided
by the subservice provider, the relevant control objectives and related controls if existing.
3.9
suitability of the design of a control
control design which ensures that actions or events that comprise a risk are prevented, or detected and
corrected
Note 1 to entry: Typical risks are information security risks.
4 General requirements
4.1 Legal and contractual matters
4.1.1 Legal responsibility
The requirements of ISO/IEC 17065:2012, 4.1.1 apply.
4.1.2 Certification agreement
The requirements of ISO/IEC 17065:2012, 4.1.2 apply. In addition, the following requirements and
guidance apply.
The certification agreement shall include the scope and the evaluation level.
4.1.3 Use of license, certificates and marks of conformity
The requirements of ISO/IEC 17065:2012, 4.1.3 apply.
4.2 Management of impartiality
4.2.1 General
The requirements of ISO/IEC 17065:2012, 4.2 apply. In addition, the following requirements and
guidance in 4.2.2 apply.
4.2.2 Nonconflicting activities
The certification body (CB) and its personnel may carry out additional activities provided they do not
constitute a risk to its impartiality. These activities may include:
a) organizing and participating in information meetings about the certification scheme in general;
b) arranging and participating as a lecturer in training courses, provided that, where these courses
relate to cloud services, related security requirements and controls, evaluations or auditing, lecturers
shall confine themselves to the provision of generic information and advice which is publicly
available;
c) activities prior to evaluation, solely aimed at determining readiness for evaluation; however, such
activities shall not result in the provision of recommendations or advice for specific solutions and
shall not result in a reduction in the eventual evaluation duration;
d) performing third party evaluations according to standards, publicly available specifications or
regulatory requirements other than those being part of the scope of accreditation; or
e) adding value during evaluations without recommending specific solutions.
NOTE Adding value during evaluations may include identifying opportunities for improvement, as they
become evident during the evaluation.
4.3 Liability and financing
The requirements of ISO/IEC 17065:2012, 4.3 apply.
4.4 Non-discriminatory conditions
The requirements of ISO/IEC 17065:2012, 4.4 apply.
4.5 Confidentiality
The requirements of ISO/IEC 17065:2012, 4.5 apply.
4.6 Publicly available information
The requirements of ISO/IEC 17065:2012, 4.6 apply.
5 Structural Requirements
5.1 Organizational structure and top management
The requirements of ISO/IEC 17065:2012, 5.1 apply.
5.2 Mechanisms for safeguarding impartiality
The requirements of ISO/IEC 17065:2012, 5.2 apply.
6 Resource Requirements
6.1 Certification body personnel — Determination of competence criteria
The requirements of ISO/IEC 17065:2012, 6.1 apply. In addition, the following requirements and
guidance apply.
The output of the process for determining the competence criteria for personnel involved in the
management of evaluations or other certification activities shall be the documented criteria of required
knowledge and skills necessary to effectively perform evaluation and certification tasks to be fulfilled to
achieve the intended results.
Annex A provides a summary of competence requirements for personnel involved in specific certification
functions.
6.2 Resources for Evaluation
The requirements of ISO/IEC 17065:2012, 6.2 apply.
7 Process requirements
7.1 General requirements
The requirements of ISO/IEC 17065:2012, 7.1 apply.
7.2 Application
The requirements of ISO/IEC 17065:2012, 7.2 apply.
7.3 Application review
7.3.1 The requirements of ISO/IEC 17065:2012, 7.3.1 apply. In addition, the following requirements
apply.
The CB shall conduct additional review of the information obtained to ensure that:
a) the application contains all the information required by the certification scheme including the
identification of subservices operated by subservice providers used by the client in the operation of
its cloud service;
b) the client has acknowledged and understands its responsibilities as defined in the certification
scheme;
c) the CB understands the area of activity of the client and the associated business risks;
d) the CB has the competence and capability to perform the certification activity;
e) the CB has the resources, capabilities and competences available to perform all evaluation activities.
7.3.2 The requirements of ISO/IEC 17065:2012, 7.3.2 apply.
7.3.3 The requirements of ISO/IEC 17065:2012, 7.3.3 apply.
7.3.4 The requirements of ISO/IEC 17065:2012, 7.3.4 apply. In addition, the following requirement applies.
When the CB declines an application for certification as a result of the review of the application, the
reasons for declining an application shall be documented and made clear to the client.
7.3.5 The requirements of ISO/IEC 17065:2012, 7.3.5 apply.
7.4 Evaluation
7.4.1 General
The requirements of ISO/IEC 17065:2012, 7.4 apply. In addition, requirements and guidance in 7.4.2 –
7.4.6 apply.
NOTE ISO/IEC 17065 refers to “evaluation” and is applicable to the various types of product, process and
services certification schemes which incorporate conformity assessment activities including inspection, testing and
audit.
7.4.2 Types of evaluations
There are different types of evaluations, depending on both the nature of the evaluation (initial,
surveillance, recertification and special) and on the assurance level (‘Basic’, ‘Substantial’ or ‘High’)
associated to the selected evaluation level.
7.4.3 Preparation of the evaluation
7.4.3.1 General
During the preparation phase, the CB shall
a) determine the evaluation objectives, scope and criteria, based on the evaluation programme;
NOTE This encompasses vulnerability identification (including penetration testing) activities if required for
the evaluation level.
b) select and appoint an evaluation team;
c) determine the evaluation time;
d) determine matters related to confidentiality and information security of records obtained during the
evaluation;
e) determine the logistics and communications arrangements, including specific arrangements for the
locations to be evaluated (e.g. datacentre visits); and
f) ensure that the objectives of stage 1 can be met and the client shall be informed of any “on site”
activities during stage 1.
7.4.3.2 Evaluation programme
An evaluation programme for the full certification cycle shall be developed to clearly identify the
evaluation activity/activities required to demonstrate that the client’s service fulfils the requirements for
certification to the relevant scheme. The evaluation programme for the certification cycle shall cover the
complete service requirements.
The evaluation programme for the initial certification shall include a two-stage initial evaluation,
surveillance evaluations and recertification evaluation at a frequency defined in the certification scheme.
The first certification cycle begins with the certification decision. Subsequent cycles begin with the
recertification decision. The determination of the evaluation plan and any subsequent adjustments shall
consider the scope and complexity of the client’s service and of its security controls as well as the results
of any previous evaluations.
Where the CB takes into account any certification already granted to the client or evaluations performed
by another CB, it shall obtain and retain sufficient evidence, such as reports and documentation on
corrective actions, to any nonconformity. The documentation can be used to support the fulfilment of the
requirements in this document and in the certification scheme.
EXAMPLE Non-conformities identified during an ISO/IEC 27001 audit can be relevant for the evaluation of the
cloud service.
The CB shall, based on the information obtained, justify and record any adjustments to the existing
evaluation programme and follow up the implementation of corrective actions concerning previous
nonconformities.
Where the client operates shifts, the activities that take place during shift working shall be considered
when developing the evaluation programme and evaluation plans.
7.4.3.3 Determining the evaluation objectives and scope
7.4.3.3.1 General
7.4.3.3.1.1 The evaluation scope shall be established by the CB after discussion with the client.
The evaluation scope shall describe the extent and boundaries of the evaluation, such as sites, activities
and processes to be evaluated. If the scope of an individual evaluation does not cover all sites and
activities the totality of all evaluations within the certification cycle shall be consistent with the
certification document.
7.4.3.3.1.2 The evaluation objectives shall describe what is to be accomplished by the evaluation and
shall include the following:
a) determination of the conformity of the client’s service with evaluation criteria;
b) if appropriate, identification of areas for potential improvement.
7.4.3.3.1.3 The evaluation plan shall ensure that the evaluation team is able to obtain sufficient and
appropriate evidence about:
a) the information presented in the description of the service as provided together or embedded in the
application;
b) the suitability of the design of the service and its controls to meet the evaluation criteria and the
client security objectives;
c) the existence of an implementation of these controls.
7.4.3.3.2 Objective for assurance level ‘Basic’
Evaluation objective for assurance level ‘Basic’ is to provide assurance through the execution of an
evaluation that the service is designed to meet the requirements defined in the certification scheme and
applicable standards.
In order to provide assurance level ‘Basic’, the CB shall gather evidence based on the internal audit performed
by the client using the questionnaire defined specifically for assurance level ‘Basic’ in the certification
scheme. Based on this, the CB shall confirm the sufficiency and appropriateness of the evidence to provide
assurance.
7.4.3.3.3 Objective for assurance level ‘Substantial’ and ‘High’
Evaluation objective for assurance levels ‘Substantial’ and ‘High’ is to provide assurance through an
evaluation that the service is designed, implemented and operated to meet the requirements defined in
the certification scheme and applicable standards and that are applicable to evaluation levels mapped to
assurance levels ‘Substantial’ or ‘High’ respectively.
For assurance levels ‘Substantial’ and ‘High’, the evaluation team shall obtain sufficient and appropriate
evidence about the operating effectiveness of these controls throughout a specified period before the
evaluation.
7.4.3.4 Determining evaluation time
The CB shall have documented procedures for determining evaluation time. For each client the CB shall
determine the needed time to accomplish a complete and effective evaluation of the client’s service.
In determining the evaluation time, the CB shall consider, among other things, the following aspects:
a) the requirements of the certification scheme;
b) evaluation level;
c) complexity of the client and its service;
d) technological and regulatory context;
e) any outsourcing of the activities in the scope of the service;
f) the results of any prior evaluation;
g) number of sites, their geographical locations;
h) the risks associated with the services, processes or activities of the organization;
Where specific criteria have been established for the certification scheme, these shall be applied.
The duration of the evaluation and its justification shall be recorded.
The time spent by any team member that is not assigned to an evaluator (i.e.: translators, interpreters,
observers and evaluators-in-training) shall not count in the above established duration of the evaluation.
NOTE Evaluation team travel time is not part of the evaluation time.
7.4.3.5 Multi-site sampling
7.4.3.5.1 Where multi-site sampling is used for the evaluation of a client’s service covering the same
activity in various geographical locations, the CB shall develop a sampling programme to ensure proper
evaluation of the service. The rationale for the sampling plan shall be documented for each client
considering random elements for selection.
NOTE Where there are multiple sites not covering the same activity sampling is not appropriate.
7.4.3.5.2 The certification body wishing to use a sample-based approach shall have procedures in place
to ensure the following:
a) The initial contract review identifies, to the greatest extent possible, the difference between sites
such that an adequate level of sampling is determined.
b) A representative number of sites have been sampled by the certification body, taking into account:
1) the results of internal audits of the head office and the sites;
2) variations in the size of the sites;
3) complexity of the information systems at the different sites;
4) variations in working practices;
5) variations in activities undertaken;
6) variations of design and operation of controls;
7) potential interaction with critical information systems or information systems processing
sensitive information;
8) any differing legal requirements;
9) geographical and cultural aspects;
10) risk situation of the sites;
11) information security incidents at the specific sites.
c) A representative sample (see clause 7.4.3.8) is selected from all sites within the scope of the client’s
service; this selection shall be based upon judgmental choice to reflect the factors presented in item
b) above as well as a random element.
d) Every site included in the scope which is subject to significant risks is evaluated by the certification
body prior to certification.
e) The evaluation programme has been designed in the light of the above requirements and covers
representative samples of the scope of the service during the certification period.
f) In the case of a nonconformity being observed, either at the head office or at a single site, the
corrective action procedure applies to the head office and all sites covered by the certificate.
The evaluation shall address the client’s head office activities to ensure that a single service applies to all
sites and delivers central management at the operational level. The evaluation shall address all the issues
outlined above.
7.4.3.6 Remote evaluation
If remote evaluation techniques such as interactive web-based collaboration, web meetings,
teleconferences and/or electronic verification of the organization’s processes are utilized to interface
with the organization, these activities shall be agreed upon by the CB and the client during the planning
of the evaluation considering the selected assurance level. In addition, these activities shall be identified
in the evaluation plan. The usage of remote evaluation techniques shall be documented along with the
rationale.
NOTE Electronic evaluations of remote sites are considered to be remote evaluations, even if the electronic
evaluations are physically carried out on the organization’s premises.
The CB shall determine the risks of remote evaluation techniques to the evaluation effectiveness. If this
risk assessment identifies unacceptable risks to the effectiveness of the evaluation process or certain
parts thereof, remote evaluation shall not be used for this part.
For assurance level ‘Basic’ evaluations, the use of remote evaluation techniques is recommended for all
the evaluation activities but a limited number of activities can be performed on-site.
7.4.3.7 Evaluation plan
7.4.3.7.1 The evaluation plan shall describe evaluation activities for the specific evaluation to be
performed.
The evaluation team shall design the evaluation activities in a manner to cover a representative number
of actions and events that triggered the occurrence or performance of the controls throughout the
specified period (see clause 7.4.3.8).
The evaluation team shall ensure in the definition of the evaluation activities that they are adapted to the
specific risks that possibly prevent the client from meeting the evaluation criteria and applicable
standards, considering at least:
a) the services provided by the client;
b) the components of the systems used to provide the services;
c) the environment in which the systems operate.
7.4.3.7.2 The evaluation activities shall be tailored to every evaluation, depending, among other things,
on the requested evaluation level, and the evaluator’s judgement, including the assessment of the risks of
nonconformity of the matter being investigated.
In their consideration of the risks associated to the client’s service and controls, the evaluation team shall
tailor the evaluation activities to the specific circumstances by considering the following aspects:
a) the competence of the personnel in charge of implementing the controls;
b) the relevance and reliability of the evidence to be obtained;
c) the nature of the controls, including their level of automation, and the frequency with which they
operate;
d) the degree to which the controls rely on the effectiveness of other controls.
For certain activities the certification scheme can provide guidelines for their customization.
7.4.3.7.3 The extent of the evaluation activity shall provide a quantitative or qualitative aspect to the
evaluation activity, such as:
— the number of observations to be performed;
— the rigour and depth of interviews;
— the amount of information to be reviewed;
— the number of re-performances of a specific evaluation activity.
The extent shall be determined from the specific characteristics of the control being evaluated, and it shall
consider the evaluation level (see clause 7.4.7.8).
7.4.3.7.4 In their consideration of the risks associated to the client’s service and controls, the
evaluation team shall tailor the evaluation activities to the specific circumstances by considering the
following aspects:
a) the relevance and reliability of the evidence to be obtained;
b) the nature of the controls, including their level of automation, and the frequency with which they
operate;
c) the degree to which the controls rely on the effectiveness of other controls;
d) the evaluation level targeted for certification.
7.4.3.7.5 Based on all the parameters above, evaluators shall determine for each evaluation activity:
a) the target (what is being evaluated);
b) the nature (what kind of evaluation activity);
c) the timing (at what point in time or over what period);
d) the extent (how many or how often to execute the activity).
The target of the evaluation activity shall be a control or a component used in the implementation of the
service, associated to one or several evaluation criteria.
The nature of the evaluation activity shall be one of a specific type, such as: interview, observation,
documentation review, re-performance of the control, re-performance of programmed processing and
independent testing.
NOTE 1 Re-performance can be performed by an evaluation team member or performed by a client employee
and witnessed by an evaluation team member.
NOTE 2 Re-performance of activities by an evaluator team member could be a high-risk operation. However,
under certain circumstances like using non-production environments or under client supervision this task can be
conducted by the evaluation team.
The evaluation plan shall specify for each evaluation activity if it covers a certain point in time or a certain
period, using the following criteria:
— a point in time shall be defined for evaluation activities related to the fairness of a description, and
to the design, implementation and existence of a control;
— a period shall be defined for evaluation activities related to operating effectiveness, typically covering
the period since the last evaluation, or for an initial certification evaluation, a period preceding the
evaluation, as defined in the certification scheme.
7.4.3.8 Sampling
7.4.3.8.1 General
Evaluators shall select a sample of test objects based on assumed population included in Table 1 (by type
and number within type) to achieve the required evaluation level and to provide a level of coverage
necessary for determining whether the control is implemented and free of obvious errors and whether
there are further increased grounds for confidence that the control is implemented correctly and
operating as intended on an ongoing and consistent basis.
The sampling approach should be guided, at least in part, by the risks attached to the area of operations
being evaluated.
7.4.3.8.2 Operating effectiveness over a period of time
For testing operating effectiveness over a period of time, the evaluation team shall use sampling.
For a period, the following sampling shall be used in order to provide assurance that the controls
operated effectively during the specified period and that the associated requirements were met during
that specified period.
Table 1: Sampling required

Assumed population of control occurrences | Sample size
Over 250                                  | 25 - 60
250                                       | 20 - 40
52                                        | 5 - 15
12                                        | 2 - 5
4                                         | 2
1                                         | 1
The sample size for a given population shall be chosen in the range indicated in Table 1, also considering
the nature of the evaluation activity and the targeted evaluation level.
The sample size (within the range determined from Table 1) shall be determined by considering the
specific risks that prevent the service from meeting the evaluation criteria.
EXAMPLE Some specific factors that can drive the specific risks that prevent the service from meeting the evaluation
criteria are shown below:
— Whether the control is routine and requires little judgement, or is complex and requires significant judgement.
— Knowledge from stage 1 evaluation activities and previous evaluations about changes to the design
of the control or to its operating effectiveness in the specified period.
— Whether or not the client has established an effective controls evaluation programme, and whether the client’s
testing has resulted in a conclusion about the control’s operating effectiveness.
Where the population of occurrences falls between the levels identified in the table above, the sample
size shall be interpolated, exercising appropriate judgement in determining the appropriate sample size.
Alternative or complementary information on sample sizes may be provided with the certification
scheme.
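The Table 1 sample-size rule and the interpolation requirement above, as an added Python example that is not part of the TS: it encodes the table rows, interpolates linearly and rounds up for populations between listed levels (rounding up is this example's conservative assumption; the TS leaves the interpolation to evaluator judgement), positions the size inside the range using the three risk drivers from the EXAMPLE list with an assumed equal weighting, and draws the occurrences with a seeded random element so the selection can be recorded.

```python
import math
import random
from dataclasses import dataclass

# Table 1 of CEN/CLC/TS 18072:2025, 7.4.3.8.2, as (population, min sample, max sample).
# Rows are ascending; populations over 250 use OVER_250 instead.
TABLE_1 = [
    (1, 1, 1),
    (4, 2, 2),
    (12, 2, 5),
    (52, 5, 15),
    (250, 20, 40),
]
OVER_250 = (25, 60)


@dataclass(frozen=True)
class SampleRange:
    low: int
    high: int


def sample_range(population: int) -> SampleRange:
    """Return the Table 1 sample-size range for an assumed population.

    Populations between two listed levels are interpolated linearly and
    rounded up. The TS only says "interpolated, exercising appropriate
    judgement", so rounding up is this example's conservative assumption.
    """
    if population < 1:
        raise ValueError("population must be at least 1")
    if population > 250:
        return SampleRange(*OVER_250)
    for pop, low, high in TABLE_1:
        if pop == population:
            return SampleRange(low, high)
    for (p0, lo0, hi0), (p1, lo1, hi1) in zip(TABLE_1, TABLE_1[1:]):
        if p0 < population < p1:
            t = (population - p0) / (p1 - p0)
            return SampleRange(
                math.ceil(lo0 + t * (lo1 - lo0)),
                math.ceil(hi0 + t * (hi1 - hi0)),
            )
    raise AssertionError("unreachable: population not bracketed by TABLE_1")


def choose_sample_size(
    population: int,
    *,
    requires_judgement: bool,
    design_changed: bool,
    client_testing_effective: bool,
) -> int:
    """Pick a size inside the Table 1 range from the three risk drivers the
    TS lists as examples (control complexity, known changes to design or
    operation, effective client testing). Each driver present moves the size
    one third of the way from the low to the high bound; that equal weighting
    is an assumption of this example, not a rule of the TS.
    """
    rng = sample_range(population)
    risk_points = (int(requires_judgement) + int(design_changed)
                   + int(not client_testing_effective))
    size = rng.low + round((rng.high - rng.low) * risk_points / 3)
    return min(size, population)  # never sample more occurrences than exist


def select_occurrences(population: int, size: int, seed: int) -> list[int]:
    """The random element of the selection: draw `size` distinct occurrence
    numbers (1..population) with a recorded seed so the draw is reproducible
    for the evaluation records."""
    if not 1 <= size <= population:
        raise ValueError("size must lie between 1 and population")
    return sorted(random.Random(seed).sample(range(1, population + 1), size))


if __name__ == "__main__":
    # Constructed case: a control with about 100 occurrences in the period,
    # requiring judgement, unchanged design, effective client testing.
    size = choose_sample_size(100, requires_judgement=True,
                              design_changed=False, client_testing_effective=True)
    print(sample_range(100), size, select_occurrences(100, size, seed=2025))
```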
7.4.3.9 Vulnerability Identification
For assurance level ‘High’, CB shall perform activities to identify potential vulnerabilities and to evaluate
resistance against
...
