FprCEN/CLC/TS 18072
Requirements for Conformity Assessment Bodies certifying Cloud Services
This TS provides requirements and ISO/IEC 17065 interpretations for Conformity Assessment Bodies (CABs) assessing Cloud Services.
This TS is intended to be used by the National Accreditation Bodies (NABs), as well as CABs.
German title: Anforderungen an Konformitätsbewertungsstellen, die Cloud-Dienste zertifizieren (Requirements for Conformity Assessment Bodies certifying Cloud Services)
Slovenian title: Zahteve za organe za ugotavljanje skladnosti, ki certificirajo storitve v oblaku (Requirements for Conformity Assessment Bodies certifying Cloud Services)
Standards Content (Sample)
SLOVENIAN STANDARD
01-September-2024
This Slovenian standard is identical to: FprCEN/CLC/TS 18072
ICS:
03.120.20 Product and company certification. Conformity assessment
35.030 IT Security
2003-01. Slovenian Institute for Standardization (Slovenski inštitut za standardizacijo). Reproduction of the whole or of parts of this standard is not permitted.
FINAL DRAFT
TECHNICAL SPECIFICATION (French: SPÉCIFICATION TECHNIQUE; German: TECHNISCHE SPEZIFIKATION)
June 2024
ICS 03.120.20; 35.030
English version
Requirements for Conformity Assessment Bodies certifying Cloud Services
German title: Anforderungen an Konformitätsbewertungsstellen, die Cloud-Dienste zertifizieren
This draft Technical Specification is submitted to CEN members for Vote. It has been drawn up by the Technical Committee CEN/CLC/JTC 13.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.
Warning: This document is not a Technical Specification. It is distributed for review and comments. It is subject to change without notice and shall not be referred to as a Technical Specification.
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2024 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. FprCEN/CLC/TS 18072:2024 E
Contents Page
Introduction . 5
1 Scope . 6
2 Normative references . 6
3 Terms and definitions . 6
4 General requirements . 8
4.1 Legal and contractual matters . 8
4.1.1 Legal responsibility . 8
4.1.2 Certification agreement . 8
4.1.3 Use of license, certificates and marks of conformity . 8
4.2 Management of impartiality . 8
4.2.1 General . 8
4.2.2 Nonconflicting activities . 8
4.3 Liability and financing . 8
4.4 Non-discriminatory conditions . 8
4.5 Confidentiality . 9
4.6 Publicly available information . 9
5 Structural Requirements . 9
5.1 Organizational structure and top management . 9
5.2 Mechanisms for safeguarding impartiality . 9
6 Resource Requirements . 9
6.1 Conformity assessment body personnel — Determination of competence criteria . 9
6.2 Resources for Evaluation . 9
7 Process requirements . 9
7.1 General requirements . 9
7.2 Application . 9
7.3 Application review . 9
7.4 Evaluation . 10
7.4.1 General . 10
7.4.2 Types of evaluations . 10
7.4.3 Preparation of the evaluation . 10
7.4.4 Conducting evaluations . 17
7.4.5 General requirements on conducting evaluations . 25
7.5 Review . 29
7.6 Certification decision . 29
7.7 Certification Documentation . 29
7.8 Directory of certified products . 30
7.9 Surveillance . 30
7.9.1 Introduction . 30
7.9.2 General . 30
7.9.3 Surveillance Evaluation . 30
7.9.4 Recertification Evaluation . 31
7.9.5 Special Evaluation . 31
7.10 Changes affecting certification . 31
7.11 Termination, reduction, suspension or withdrawal of certification . 32
7.12 Records . 32
7.13 Complaints and appeals . 32
8 Management system requirements . 32
8.1 Options . 32
8.1.1 General . 32
8.1.2 Option A . 32
8.1.3 Option B . 32
8.2 Management system documentation (Option A) . 32
8.3 Control of documents (Option A) . 32
8.4 Control of records (Option A) . 32
8.5 Management review (Option A) . 32
8.5.1 General . 32
8.5.2 Review inputs . 33
8.5.3 Review outputs . 33
8.6 Internal Audits (Option A) . 33
8.7 Corrective actions (Option A) . 33
8.8 Preventive actions (Option A) . 33
Annex A (normative) Required Knowledge and Skills . 34
Annex B (normative) Dependency Analysis . 43
Bibliography . 45
European foreword
This document (FprCEN/CLC/TS 18072:2024) has been prepared by Technical Committee CEN/CLC/JTC 13 “Cybersecurity and Data protection”, the secretariat of which is held by DIN.
This document is currently submitted to the Vote on TS.
This document is developed to support the Cybersecurity Act (EUCSA), Regulation (EU) 2019/881 on information and communications technology cybersecurity certification.
Introduction
The overall aim of certifying products, processes or services is to give confidence to all interested parties that a product, process or service fulfils specified requirements. The value of certification is the degree of confidence and trust that is established by an impartial and competent demonstration of fulfilment of specified requirements by a third party.

ISO/IEC 17065 specifies requirements, the observance of which is intended to ensure that certification bodies operate certification schemes in a competent, consistent and impartial manner, thereby facilitating the recognition of such bodies and the acceptance of certified products, processes and services on a national and international basis and so furthering international trade.

ISO/IEC 17065 gives generalized requirements for operating certification schemes for a broad range of products, processes or services. While the general requirements given by ISO/IEC 17065 are shared by all Certification Bodies, they are a high-level set.

The conformity assessment bodies providing evaluation and certification of cloud services have some specific requirements for evaluation procedures and competence.

To help implementers, this document is numbered identically to ISO/IEC 17065:2012. Supplementary requirements are presented as clauses and subclauses additional to ISO/IEC 17065:2012. Any supplementary requirements are presented in this document with the same clause/subclause number as in ISO/IEC 17065:2012.
1 Scope
This document complements and supplements the procedures and general requirements found in ISO/IEC 17065:2012 for conformity assessment bodies performing certification of cloud services under a dedicated European cybersecurity certification scheme (for example, those defined in Regulation (EU) 2019/881 (Cybersecurity Act), based on concepts defined in this regulation, such as the three assurance levels Basic
...