SIST-TS CEN/CLC/TS 18072:2025
Requirements for Conformity Assessment Bodies certifying Cloud Services
This TS provides requirements and ISO/IEC 17065 interpretations for Conformity Assessment Bodies (CABs) assessing Cloud Services.
This TS is intended to be used by the National Accreditation Bodies (NABs), as well as CABs.
Anforderungen an Konformitätsbewertungsstellen, die Cloud-Dienste zertifizieren
Exigences applicables aux organismes d’évaluation de la conformité pour la certification des services en nuage
Zahteve za organe za ugotavljanje skladnosti, ki certificirajo storitve v oblaku
Standards Content (Sample)
SLOVENIAN STANDARD
01-July-2025
Zahteve za organe za ugotavljanje skladnosti, ki certificirajo storitve v oblaku
Requirements for Conformity Assessment Bodies certifying Cloud Services
Anforderungen an Konformitätsbewertungsstellen, die Cloud-Dienste zertifizieren
Exigences applicables aux organismes d’évaluation de la conformité pour la certification
des services en nuage
This Slovenian standard is identical to: CEN/CLC/TS 18072:2025
ICS:
03.120.20 Product and company certification. Conformity assessment
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
TECHNICAL SPECIFICATION CEN/CLC/TS 18072
SPÉCIFICATION TECHNIQUE
TECHNISCHE SPEZIFIKATION
April 2025
ICS 03.120.20; 35.030
English version
Requirements for Conformity Assessment Bodies certifying Cloud Services
Exigences applicables aux organismes d'évaluation de la conformité pour la certification des services en nuage
Anforderungen an Konformitätsbewertungsstellen, die Cloud-Dienste zertifizieren
This Technical Specification (CEN/TS) was approved by CEN on 13 October 2024 for provisional application.
The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN and CENELEC will be
requested to submit their comments, particularly on the question whether the CEN/TS can be converted into a European
Standard.
CEN and CENELEC members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the
CEN/TS available promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in
force (in parallel to the CEN/TS) until the final decision about the possible conversion of the CEN/TS into an EN is reached.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2025 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. CEN/CLC/TS 18072:2025 E
Contents
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General requirements
4.1 Legal and contractual matters
4.1.1 Legal responsibility
4.1.2 Certification agreement
4.1.3 Use of license, certificates and marks of conformity
4.2 Management of impartiality
4.2.1 General
4.2.2 Nonconflicting activities
4.3 Liability and financing
4.4 Non-discriminatory conditions
4.5 Confidentiality
4.6 Publicly available information
5 Structural Requirements
5.1 Organizational structure and top management
5.2 Mechanisms for safeguarding impartiality
6 Resource Requirements
6.1 Certification body personnel — Determination of competence criteria
6.2 Resources for Evaluation
7 Process requirements
7.1 General requirements
7.2 Application
7.3 Application review
7.4 Evaluation
7.4.1 General
7.4.2 Types of evaluations
7.4.3 Preparation of the evaluation
7.4.4 Conducting evaluations
7.4.5 General requirements on conducting evaluations
7.5 Review
7.6 Certification decision
7.7 Certification Documentation
7.8 Directory of certified products
7.9 Surveillance
7.9.1 Introduction
7.9.2 General
7.9.3 Surveillance Evaluation
7.9.4 Recertification Evaluation
7.9.5 Special Evaluation
7.10 Changes affecting certification
7.11 Termination, reduction, suspension or withdrawal of certification
7.12 Records
7.13 Complaints and appeals
8 Management system requirements
8.1 Options
8.1.1 General
8.1.2 Option A
8.1.3 Option B
8.2 Management system documentation (Option A)
8.3 Control of documents (Option A)
8.4 Control of records (Option A)
8.5 Management review (Option A)
8.5.1 General
8.5.2 Review inputs
8.5.3 Review outputs
8.6 Internal Audits (Option A)
8.7 Corrective actions (Option A)
8.8 Preventive actions (Option A)
Annex A (normative) Required Knowledge and Skills
Annex B (normative) Dependency Analysis
Bibliography
European foreword
This document (CEN/CLC/TS 18072:2025) has been prepared by Technical Committee CEN/CLC/JTC 13
“Cybersecurity and Data protection”, the secretariat of which is held by DIN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document is developed to support the Cybersecurity Act, EUCSA, Regulation (EU) 2019/881 on
information and communications technology cybersecurity certification.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN website.
According to the CEN/CENELEC Internal Regulations, the national standards organisations of the
following countries are bound to announce this Technical Specification: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Lux
...