iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
CEN

FprCEN/CLC/TS 18072

(Main)

Requirements for Conformity Assessment Bodies certifying Cloud Services

Requirements for Conformity Assessment Bodies certifying Cloud Services

This TS provides requirements and ISO/IEC 17065 interpretations for Conformity Assessment Bodies (CABs) assessing Cloud Services
This TS is intended to be used by the National Accreditation Bodies (NABs), as well as CABs.

Anforderungen an Konformitätsbewertungsstellen, die Cloud-Dienste zertifizieren

Zahteve za organe za ugotavljanje skladnosti, ki certificirajo storitve v oblaku

General Information

Status
Not Published
Publication Date
06-Nov-2024
ICS
03.120.20 - Product and company certification. Conformity assessment
35.030 - IT Security
Technical Committee
CEN/CLC/TC 13 - Cybersecurity and Data Protection
Drafting Committee
CEN/CLC/JTC 13/WG 3 - Security evaluation and assessment
Current Stage
5060 - Closure of Vote - Formal Approval
Start Date
12-Sep-2024
Due Date
19-Mar-2023
Completion Date
12-Sep-2024
Directive
2019/881 - Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (Text with EEA relevance)
Ref Project
kSIST-TS FprCEN/CLC/TS 18072:2024 - Requirements for Conformity Assessment Bodies certifying Cloud Services

Buy Standard

kTS FprCEN/CLC/TS 18072:2024kTS FprCEN/CLC/TS 18072:2024
PreviousNext
Draft
kTS FprCEN/CLC/TS 18072:2024
English language
45 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


SLOVENSKI STANDARD
01-september-2024
Zahteve za organe za ugotavljanje skladnosti, ki certificirajo storitve v oblaku
Requirements for Conformity Assessment Bodies certifying Cloud Services
Anforderungen an Konformitätsbewertungsstellen, die Cloud-Dienste zertifizieren
Ta slovenski standard je istoveten z: FprCEN/CLC/TS 18072
ICS:
03.120.20 Certificiranje proizvodov in Product and company
podjetij. Ugotavljanje certification. Conformity
skladnosti assessment
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

TECHNICAL SPECIFICATION FINAL DRAFT
SPÉCIFICATION TECHNIQUE
TECHNISCHE SPEZIFIKATION
June 2024
ICS 03.120.20; 35.030
English version
Requirements for Conformity Assessment Bodies
certifying Cloud Services
Anforderungen an Konformitätsbewertungsstellen, die
Cloud-Dienste zertifizieren
This draft Technical Specification is submitted to CEN members for Vote. It has been drawn up by the Technical Committee
CEN/CLC/JTC 13.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.

Warning : This document is not a Technical Specification. It is distributed for review and comments. It is subject to change
without notice and shall not be referred to as a Technical Specification.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2024 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. FprCEN/CLC/TS 18072:2024 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
Introduction . 5
1 Scope . 6
2 Normative references . 6
3 Terms and definitions . 6
4 General requirements . 8
4.1 Legal and contractual matters . 8
4.1.1 Legal responsibility . 8
4.1.2 Certification agreement . 8
4.1.3 Use of license, certificates and marks of conformity . 8
4.2 Management of impartiality . 8
4.2.1 General. 8
4.2.2 Nonconflicting activities . 8
4.3 Liability and financing . 8
4.4 Non-discriminatory conditions. 8
4.5 Confidentiality . 9
4.6 Publicly available information . 9
5 Structural Requirements . 9
5.1 Organizational structure and top management . 9
5.2 Mechanisms for safeguarding impartiality . 9
6 Resource Requirements . 9
6.1 Conformity assessment body personnel — Determination of competence criteria . 9
6.2 Resources for Evaluation . 9
7 Process requirements . 9
7.1 General requirements . 9
7.2 Application . 9
7.3 Application review . 9
7.4 Evaluation . 10
7.4.1 General. 10
7.4.2 Types of evaluations . 10
7.4.3 Preparation of the evaluation . 10
7.4.4 Conducting evaluations . 17
7.4.5 General requirements on conducting evaluations . 25
7.5 Review . 29
7.6 Certification decision . 29
7.7 Certification Documentation . 29
7.8 Directory of certified products . 30
7.9 Surveillance . 30
7.9.1 Introduction . 30
7.9.2 General. 30
7.9.3 Surveillance Evaluation . 30
7.9.4 Recertification Evaluation . 31
7.9.5 Special Evaluation . 31
7.10 Changes affecting certification . 31
7.11 Termination, reduction, suspension or withdrawal of certification . 32
7.12 Records . 32
7.13 Complaints and appeals. 32
8 Management system requirements . 32
8.1 Options . 32
8.1.1 General . 32
8.1.2 Option A . 32
8.1.3 Option B . 32
8.2 Management system documentation (Option A) . 32
8.3 Control of documents (Option A) . 32
8.4 Control of records (Option A) . 32
8.5 Management review (Option A) . 32
8.5.1 General . 32
8.5.2 Review inputs . 33
8.5.3 Review outputs . 33
8.6 Internal Audits (Option A) . 33
8.7 Corrective actions (Option A) . 33
8.8 Preventive actions (Option A) . 33
Annex A (normative) Required Knowledge and Skills . 34
Annex B (normative) Dependency Analysis . 43
Bibliography . 45

European foreword
This document (FprCEN/CLC/TS 18072:2024) has been prepared by Technical Committee
CEN/CLC/JTC 13 “Cybersecurity and Data protection”, the secretariat of which is held by DIN.
This document is currently submitted to the Vote on TS.
This document is developed to support the Cybersecurity Act, EUCSA, Regulation (EU) 2019/881 on
information and communications technology cybersecurity certification.
Introduction
The overall aim of certifying products, processes or services is to give confidence to all interested parties
that a product, process or service fulfils specified requirements. The value of certification is the degree of
confidence and trust that is established by an impartial and competent demonstration of fulfilment of
specified requirements by a third party.
ISO/IEC 17065 specifies requirements, the observance of which is intended to ensure that certification
bodies operate certification schemes in a competent, consistent and impartial manner, thereby
facilitating the recognition of such bodies and the acceptance of certified products, processes and services
on a national and international basis and so furthering international trade.
ISO/IEC 17065 gives generalized requirements for operating certification schemes for a broad range of
products, processes or services. While the general requirements given by ISO/IEC 17065 are shared by
all Certification Bodies, they are a high-level set.
The conformity assessment bodies providing evaluation and certification of cloud services have some
specific requirements for evaluation procedures and competence.
To help implementers, this document is numbered identically to ISO/IEC 17065:2012. Supplementary
requirements are presented as clauses and subclauses additional to ISO/IEC 17065:2012. Any
supplementary requirements are presented in this document with the same clause / subclause number
as in ISO/IEC 17065:2012.
1 Scope
This document complements and supplements the procedures and general requirements found in
ISO/IEC 17065:2012 for conformity assessment bodies performing certification of cloud services under
a dedicated European cybersecurity certification scheme (for example, those defined in Regulation (EU)
2019/881 (Cybersecurity Act), based on concepts defined in this regulation, such as the three assurance
levels Basic
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

CEN
EN ISO/IEC 27006-1:2024(Main)
Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of information security management systems - Part 1: General (ISO/IEC 27006-1:2024)
SIST EN ISO/IEC 27006-1:2024

This document specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021-1.
The requirements contained in this document are demonstrated in terms of competence and reliability by bodies providing ISMS certification. The guidance contained in this document provides additional interpretation of these requirements for bodies providing ISMS certification.
NOTE       This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

  • Standard
    56 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN ISO/IEC/TS 27006-2:2022(Main)
Requirements for bodies providing audit and certification of information security management systems - Part 2: Privacy information management systems (ISO/IEC TS 27006-2:2021)
SIST-TS CEN ISO/IEC/TS 27006-2:2023

This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.
The requirements contained in this document need to be demonstrated in terms of competence and reliability by anybody providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.
NOTE     This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

  • Technical specification
    18 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 27007:2022(Main)
Information security, cybersecurity and privacy protection - Guidelines for information security management systems auditing (ISO/IEC 27007:2020)
SIST EN ISO/IEC 27007:2022

ISO/IEC 27007 provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011:2011.
ISO/IEC 27007 is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.

  • Standard
    48 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
prEN ISO/IEC 27706(Main)
Requirements for bodies providing audit and certification of privacy information management systems (ISO/IEC DIS 27706:2024)
oSIST prEN ISO/IEC 27006-2:2023

This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.
The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.
NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

  • Draft
    24 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 27006-1:2024(Main)
Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of information security management systems - Part 1: General (ISO/IEC 27006-1:2024)
SIST EN ISO/IEC 27006-1:2024

This document specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021-1.
The requirements contained in this document are demonstrated in terms of competence and reliability by bodies providing ISMS certification. The guidance contained in this document provides additional interpretation of these requirements for bodies providing ISMS certification.
NOTE       This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

  • Standard
    56 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN ISO/IEC/TS 27006-2:2022(Main)
Requirements for bodies providing audit and certification of information security management systems - Part 2: Privacy information management systems (ISO/IEC TS 27006-2:2021)
SIST-TS CEN ISO/IEC/TS 27006-2:2023

This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.
The requirements contained in this document need to be demonstrated in terms of competence and reliability by anybody providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.
NOTE     This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

  • Technical specification
    18 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 27007:2022(Main)
Information security, cybersecurity and privacy protection - Guidelines for information security management systems auditing (ISO/IEC 27007:2020)
SIST EN ISO/IEC 27007:2022

ISO/IEC 27007 provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011:2011.
ISO/IEC 27007 is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.

  • Standard
    48 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TS 419261:2015(Main)
Security requirements for trustworthy systems managing certificates and time-stamps
SIST-TS CEN/TS 419261:2015

1.1   General
This Technical Specification establishes security requirements for TWSs that can be used by a TSP in order to issue QCs and Non-Qualified Certificates (NQCs) as well as electronic time-stamps in accordance with Dir.1999/93/EC and with [Reg.910/2014/EU].
Security requirements for the Subject Device Provision Service, which includes SCDev/QSCD provision to subjects, are defined in this TS. However, requirements specific to SCDev/QSCD devices, as used by subjects of the TSP, are outside the scope of this TS. These requirements are defined as Common Criteria [CC] Protection Profiles (PP) in the EN 419211 series.
Recommendations for the cryptographic algorithms to be supported by TWSs are provided in ETSI/TS 119 312.
Although this TS is based on the use of public key cryptography, it does not require or define any particular communication protocol or format for electronic signatures, certificates, certificate revocation lists, certificate status information and time-stamp tokens. It only assumes certain types of information to be present in the certificates in accordance with Annex I of Dir.1999/93/EC and of [Reg.910/2014/EU]. Interoperability between TSP systems and subject systems is outside the scope of this document.
The use of TWSs that are already compliant to relevant security requirements of this TS should support TSPs in reducing their burden to establish conformance of their policy to ETSI TS 119 411-1, 119 411-2, and 119 421 (or equivalent ENs to be subsequently published) and in meeting the Annex I and Annex II requirements of Dir.1999/93/EC as well as the requirements from Annex I and Article 24.2 (e) of [Reg.910/2014/EU].
1.2   European Regulation-specific
The main focus of this document is on the requirements in Article 24.2 (e) of [Reg.910/2014/EU] whilst still facilitating the meeting of requirements in Dir.1999/93/EC, Annex II (f). In considering [Reg.910/2014/EU] it is important to take into account the following requirements of particular relevance to TSP trustworthy systems:
a)   Article 24.2 (f) – “use trustworthy systems to store data provided to it, in a verifiable form so that:
(i)   they are publicly available for retrieval only where the consent of the person to whom the data relates has been obtained,
(ii)   only authorised persons can make entries and changes to the stored data,
(iii)   the data can be checked for authenticity”;
b)   Article 24.2 (g) – “take appropriate measures against forgery and theft of data”;
c)   Article 24.2 (h) – “record and keep accessible for an appropriate period of time, including after the activities of the qualified trust service provider have ceased, all relevant information concerning data issued and received by the qualified trust service provider, in particular, for the purpose of providing evidence in legal proceedings and for the purpose of ensuring continuity of the service. Such recording may be done electronically”;
d)   Article 24.2 (j) – “ensure lawful processing of personal data in accordance with Directive 95/46/EC”;
e)   Article 24.2 (k) – “in case of qualified trust service providers issuing qualified certificates, establish and keep updated a certificate database”;
f)   Article 24.3 – “If a qualified trust service provider issuing qualified certificates decides to revoke a certificate, it shall register such revocation in its certificate database and publish the revocation status of the certificate in a timely manner, and in any event within 24 hours after the receipt of the request. The revocation shall become effective immediately upon its publication”;
g)   Article 24.4 – "With regard to paragraph 3, qualified trust service providers issuing qualified certificates shall provide to any relying party information on the validity or revocation status of qualified certificates issued by them.

  • Technical specification
    56 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
prEN ISO/IEC 27706(Main)
Requirements for bodies providing audit and certification of privacy information management systems (ISO/IEC DIS 27706:2024)
oSIST prEN ISO/IEC 27006-2:2023

This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.
The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.
NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

  • Draft
    24 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 1998-5:2024(Main)
Eurocode 8 - Design of structures for earthquake resistance - Part 5: Geotechnical aspects, foundations, retaining and underground structures
kSIST FprEN 1998-5:2024

1.1   Scope of EN 1998-5
(1)   This document establishes general principles for the design and assessment of geotechnical systems in seismic regions. It gives general rules relevant to all families of geotechnical structures, to the design of foundations, retaining structures and underground structures and complements EN 1997-3 for the seismic design situation.
(2)   This document contains the basic performance requirements and compliance criteria applicable to geotechnical structures and geotechnical systems in seismic regions.
(3)   This document refers to the rules for the representation of seismic actions and the description of the seismic design situations defined in EN 1998-1-1 and provides specific definition of the seismic action applicable to geotechnical structures.
1.2   Assumptions
(1)   The assumptions of EN 1990 apply to this document.

  • Draft
    113 pages
    English language
    sale 10% off
    e-Library read for
    1 day