SIST-TS CEN/CLC/TS 18026:2024

SLOVENSKI STANDARD
01-julij-2024
Tristopenjski pristop za nabor zahtev kibernetske varnosti za storitve v oblaku
Three-level approach for a set of cybersecurity requirements for cloud services
Mehrschichtiger Ansatz für einen Anforderungskatalog für
Informations-/Cybersicherheitsmaßnahmen für Cloud Dienste
Ta slovenski standard je istoveten z: CEN/TS 18026:2024
ICS:
35.030 Informacijska varnost IT Security
35.210 Računalništvo v oblaku Cloud computing
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

TECHNICAL SPECIFICATION CEN/TS 18026

SPÉCIFICATION TECHNIQUE
TECHNISCHE SPEZIFIKATION
April 2024
ICS 35.030; 35.210
English version
Three-level approach for a set of cybersecurity
requirements for cloud services
Mehrschichtiger Ansatz für einen Anforderungskatalog
für Informations-/Cybersicherheitsmaßnahmen für
Cloud Dienste
This Technical Specification (CEN/TS) was approved by CEN on 27 February 2024 for provisional application.

The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN and CENELEC will be
requested to submit their comments, particularly on the question whether the CEN/TS can be converted into a European
Standard.
CEN and CENELEC members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the
CEN/TS available promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in
force (in parallel to the CEN/TS) until the final decision about the possible conversion of the CEN/TS into an EN is reached.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2024 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. CEN/TS 18026:2024 E
reserved worldwide for CEN national Members and for
CENELEC Members.
CEN/CLC/TS 18026:2024 (E)
Contents Page
European foreword . 3
Introduction . 4
1 Scope . 8
2 Normative references . 8
3 Terms and definitions . 8
4 Organisation of Information Security . 35
5. Information Security Policies . 39
6. Risk management . 45
7. Human Resources . 49
8. Asset Management . 57
9. Physical Security . 63
10.     Operational Security ……………………………………………………………………… ………………………….93
11. Identity, Authentication and Access Control Management . 94
12. Cryptography and Key Management .113
13. Communication Security .117
14. Portability and Interoperability .125
15. Change and Configuration Management .128
16. Development of Information Systems .134
17. Procurement Management .144
18. Incident Management .152
19. Business Continuity .160
20. Compliance .164
21. User Documentation .168
22. Dealing with Investigation Requests from Government Agencies .172
23. Product Security .174
Bibliography .178

CEN/CLC/TS 18026:2024 (E)
European foreword
This document (CEN/CLC/TS 18026:2024) has been prepared by Technical Committee CEN/CLC /JTC 13
“Cybersecurity and Data protection”, the secretariat of which is held by DIN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document is developed to support the Cybersecurity Act, EUCSA, Regulation (EU) 2019/881 on
information and communications technology cybersecurity certification.
Any feedback and questions on this document should be directed to the users’ national standards body. A
complete listing of these bodies can be found on the CEN website.
CEN/CLC/TS 18026:2024 (E)
Introduction
General
This document presents requirements for cybersecurity of cloud services. These requirements are also
strongly related to information security. ISO 27100 states that cybersecurity is primarily concerned with
protecting entities including people, society, organisations and nations from cyber risks, while
information security addresses maintaining confidentiality, integrity and availability of information with
consequences. Information security and cybersecurity therefore have different perspectives and
concerns while they are closely related and overlapping as both address cyber threats. The requirements
primarily address the cloud service, but unavoidably also raise expectations and impose requirements on
organisations developing and operating such services.
Organisations wishing to demonstrate conformance to these requirements might prefer to do so using a
single free-standing certification or build on existing certifications held by that organisation or the cloud
service. To facilitate this, the requirements are written so as to allow coverage by composition of multiple
certifications, or a single-step complete coverage via a single certification.
In addition, the organisational requirements align closely with the requirements and controls of ISO/IEC
27001, ISO/IEC 27002 and other international schemes for cybersecurity and information security
requirements and controls. This means that organisations already holding certifications, for the
organisation or the service, can build from those prior audits and certifications. Similarly, if the
requirements of this document are the first ones ever certified for this organisation or service, the
evaluation materials will have the potential to be used to support additional certifications thereafter.
Further guidance on this issue is available in .
This document presents a set of requirements for cybersecurity of cloud services with two key concepts:
• It provides for three different assurance levels, i.e. Basic, Substantial and High: some
requirements are present at all levels, sometimes being extended at higher levels, while others
only come into effect at the higher levels; and
• A risk assessment is undertaken to determine the cloud service specific risks, taking also into
account the opportunities with the level and the cloud service specific cyber risks; risk treatment
then involves the selection of appropriate controls by the organisation to satisfy the requirements
for that level. The requirements themselves that are included in the document are mandatory for
the chosen level.
Nothing written in this document is to be taken as indicating requirements for how evaluations will be
conducted by bodies offering conformance testing for certification schemes. Requirements for bodies
offering conformance testing for certification schemes based on this document are given in .
The three assurance levels: Basic, Substantial and High offer increasing levels of assurance as to the
security of the cloud service. As this document addresses cybersecurity for cloud services, it is important
to appreciate that an information security management system (ISMS) certification alone is not sufficient
to demonstrate conformance with the requirements in this document. Nonetheless, having an ISMS will
assist the organisation in developing and operating their cloud services and in satisfying some
requirements in this document.
Assurance level Basic should be suitable for cloud services that are designed to meet typical security
requirements on services for non-critical data and systems, while Substantial targets cloud services that
are designed to meet typical security requirements on services for business-critical data and systems.
Assurance level High should be suitable for cloud services that are designed to meet specific (exceeding
level ‘substantial’) security requirements for mission-critical data and systems. Similarly, the assurance
levels are intended to be achievable for cloud services being offered to cloud service customers (CSCs)
who themselves target the indicated data and systems, and related criticality levels. The EUCS is not
intended to address the needs of national security purposes and the activities of the State in areas of
criminal law.
CEN/CLC/TS 18026:2024 (E)
Assurance levels
The requirements defined in the document are labelled Basic, Substantial or High:
• Requirements labelled Basic apply to assurance level Basic. They carry over to assurance levels
Substantial and High, unless replaced by stronger requirements;
• Requirements labelled Substantial apply to assurance level Substantial and will in some cases be
considered as guidance for level Basic (i.e., the reference method to achieve the Basic requirements,
which are often less detailed); and
• Requirements labelled High only apply to assurance level High.
Typically, the requirements corresponding to a cybersecurity objective are organized as follows:
• Basic requirements define a baseline in bold text, often with limited details or constraints;
• Substantial requirements add to that baseline further details and constraints in bold text. In addition,
specific Substantial requirements are introduced; and
• High requirements add further details or constraints in bold text. Some are also related to automated
monitoring, or to additional testing and review requirements, contributing to an increase in
confidence in the security of the service.
Certification schemes define evaluation levels as a combination of assurance components that
corresponds to an assurance level (and the requirements defined for this assurance level), and to
appropriate levels of depth and rigour in the assessment, corresponding to a category of security
problems.
Applicability of requirements
The risk assessment and risk treatment that the Cloud Service Provider (CSP) performs in accordance with
RM-01 includes the determination of controls that are needed to satisfy the requirements in this document
and to address identified risks. The implementation of controls may vary depending on the characteristics
of the certified cloud service. The CSP can design further controls or determine them from other resources
to address the results of the risk assessment, in addition to the requirements in the document. The
similarities with this document’s requirements to controls and or requirements in existing EN standards
such as the ISO 27000 series can support the fulfilment of requirements by using these documents in
addition. The CSP provides justifications for all the requirements present in this document applicable to
the cloud service and to which level of assurance. The CSP explains in the description of the cloud service
if individual Basic, Substantial, and High requirements are not applicable due to the design and
implementation of the cloud service and how these requirements are addressed in other ways. Based on
the information provided by the CSP, conformity assessment will be conducted to cover the scope for
certification of the cloud service for the actu
...