Guidelines on a sectoral cybersecurity assessment

This document contains guidelines to be used when drafting the requirements of cybersecurity certification schemes for sectoral ICT services and systems. It specifies an approach that supports the risk-based identification of cybersecurity, certification and assurance requirements for the ICT products, processes and services of complex, multi-stakeholder sectoral systems. The sectoral cybersecurity assessment process includes all steps necessary to specify, implement and maintain these requirements. Measurement of process performance or quality is outside the scope of this document.

(Title in the other official languages: Leitlinien für ein sektorales Cybersecurity Assessment; Lignes directrices pour l'appréciation sectorielle de la cybersécurité; Slovenian: Smernice za sektorsko oceno kibernetske varnosti.)

General Information

Status
Published
Publication Date
25-Mar-2025
Current Stage
6060 - Definitive text made available (DAV) - Publishing
Start Date
26-Mar-2025
Due Date
26-Mar-2025
Completion Date
26-Mar-2025

Buy Standard

Draft
prEN 18037:2024
English language
64 pages

Standards Content (Sample)


SLOVENIAN STANDARD
oSIST prEN 18037:2024
1 February 2024
Guidelines on a sectoral cybersecurity assessment
(French title: Cybersécurité et protection des données - Lignes directrices pour l'appréciation sectorielle de la cybersécurité)
This Slovenian standard is identical to: prEN 18037
ICS:
35.030 IT Security
oSIST prEN 18037:2024 en,fr,de
© 2003-01. Slovenski inštitut za standardizacijo (Slovenian Institute for Standardization). Reproduction of the whole or parts of this standard is not permitted.

EUROPEAN STANDARD DRAFT
prEN 18037
November 2023
English version
Guidelines on a sectoral cybersecurity assessment
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/CLC/JTC 13.
If this draft becomes a European Standard, CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal
Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any
alteration.
This draft European Standard was established by CEN and CENELEC in three official versions (English, French, German). A
version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language
and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2023 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for
CENELEC Members.
Ref. No. prEN 18037:2023 E
prEN 18037:2023 (E)
Contents
European foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
3.1 General terms
3.2 Terms related to organization
3.3 Terms related to sectoral approach to cybersecurity
3.4 Terms related to risk
4 Abbreviations
5 Sectoral Cybersecurity Assessment
5.1 Application of the sectoral cybersecurity assessment methodology
5.2 Principles and new capacities
6 Sectoral representation of risk
6.1 Sectoral ICT systems
6.1.1 Sectoral ICT system components and their relationships
6.1.2 Multi-layered architecture of sectoral ICT system
6.1.3 Risk-based definitions of cybersecurity and assurance requirements in sectoral systems
6.1.4 Sectoral ICT system architecture relevance for risk assessment
6.1.5 Cybersecurity certification of sectoral ICT systems
6.2 Consistent sectoral risk assessment
6.3 Performing sectoral risk assessment
6.3.1 General
6.3.2 Choosing an approach
6.3.3 Identifying business processes, objectives and requirements
6.3.4 Identifying primary and supporting assets
6.3.5 Defining risk scenarios
6.3.6 Assessment of consequences in risk scenarios
6.3.7 Assessment of likelihood in risk scenarios
6.3.8 Adding the attacker perspective: assessment of attack potential
6.3.9 Risk re-assessment for supporting assets
7 Normalized representation of risk, cybersecurity and assurance
7.1 Risk assessment results: meta-risk classes
7.2 Risk-based definition of common security levels and selection of controls
7.2.1 General
7.2.2 Introducing Common Security Levels (CSL)
7.2.3 Applying Meta-risk Classes and Common Security Levels for sectoral risk treatment
7.2.4 Attack Potential as criterion for selecting the CSL of controls
7.3 Consistent implementation of assurance
7.3.1 Introduction
7.3.2 Definition of a common assurance reference concept based on ISO/IEC 15408
7.3.3 Applying CTI concept of attack potential to CAR
8 Mapping cybersecurity and assurance requirements to scheme's representation
Annex A (informative) Examples of normalized scales in sectoral risk assessment
A.1 Qualitative approach for assessment of consequences
A.2 Qualitative approach to likelihood assessment
A.3 Qualitative approach to risk estimation
A.4 Qualitative approach to risk mitigation
A.5 Addressing meta-risk classes by Common Assurance Reference classification
Annex B (informative) CTI fundamentals
B.1 General
B.2 Attacker types
B.3 Characteristics of attackers
B.4 Criteria for attack potential qualitative estimation
B.4.1 Characteristics: Opportunity
B.4.1.1 Area: System Access/Knowledge
B.4.1.2 Area: Vulnerabilities
B.4.2 Characteristics: Means
B.4.2.1 Area: Capabilities and Resources
B.4.2.2 Area: Skills
B.4.3 Characteristic: Motives
B.4.3.1 Area: Valuation
B.4.3.2 Area: Goals
B.5 Estimating Attack potential using CTI approach
B.5.1 General
B.5.2 Characteristics: Opportunity
B.5.3 Characteristics: Means
B.5.4 Characteristics: Motives
B.5.5 Calculation of attack potential level (APL)
B.5.6 Finding equivalence between CTI and ISO/IEC 18045 for the attack potential estimation
Annex C (informative) Application of Common Security Level approach - examples
C.1 General
C.2 Example use case: Mobile device-based authentication system
C.3 Example use case: Protection against cloned devices and cheating vendors
Annex D (informative) Example of assurance level mapping
Bibliography
European foreword
This document (prEN 18037:2023) has been prepared by Technical Committee CEN/CLC/JTC13
“Cybersecurity and Data Protection”, the secretariat of which is held by DIN.
This document is currently submitted to the CEN Enquiry.
Introduction
This document describes cybersecurity assessments at the level of a market sector or an application area.
It is designed to be used as a preparatory step in drafting cybersecurity certification schemes for the
ICT products, ICT processes and ICT systems that a market sector uses to provide sectoral services to end users
or business customers, which together form sectoral ICT systems.
Sectoral ICT systems can be found in application areas such as mobile networks, digital identity, e-health,
public transportation, or payment.
Sectoral ICT systems can involve very large numbers of stakeholder organiza
...
