CEN/CLC/TC 13 - Cybersecurity and Data Protection

This TS provides requirements and ISO/IEC 17065 interpretations for Conformity Assessment Bodies (CABs) assessing Cloud Services
This TS is intended to be used by the National Accreditation Bodies (NABs), as well as CABs.

This document contains guidelines to be used in the process of drafting requirements of cybersecurity certification schemes for sectoral ICT services and systems. It includes all steps necessary to define, implement and maintain such requirements.

The standard contains guidelines for developing and establishing policies and procedures for deletion
of PII in organizations by specifying:
—   a harmonized terminology for PII deletion;
—   an approach for defining deletion rules in an efficient way;
—   a description of required documentation; and
—   a broad definition of roles, responsibilities and processes.
This document is intended to be used by organizations where PII are stored or processed.
This document does not address:
—   specific legal provision, as given by national law or specified in contracts;
—   specific deletion rules for particular clusters of PII as are to be defined by PII controllers for
—   processing PII;
—   deletion mechanisms;
—   reliability, security and suitability of deletion mechanisms;
—   specific techniques for de-identification of data.

This document complements and supplements the procedures and general requirements found in ISO/IEC 17025:2017 for laboratories performing evaluations based on the ISO/IEC 15408 series and ISO/IEC 18045.

This document complements and supplements the procedures and general requirements found in ISO/IEC 17025:2017 for laboratories performing testing based on ISO/IEC 19790 and ISO/IEC 24759.

This document specifies common security requirements for internet-connected radio equipment. This document provides technical specifications for radio equipment, which concerns electrical or electronic products that are capable to communicate over the internet, regardless of whether these products communicate directly or via any other equipment.

Common security requirements for radio equipment processing personal data or traffic data or location data being either internet connected radio equipment, radio equipment designed or intended exclusively for childcare; toys and wearable radio equipment. The standard provides technical specifications for radio equipment processing personal data, traffic data or location data, which concerns electrical or electronic products that are capable to communicate over the internet, regardless of whether these products communicate directly or via any other equipment, childcare, toys or wearable radio equipment.
The scope does not apply to 5G network equipment used by providers of public electronic communications networks and publicly available electronic communications services within the meaning of in Directive (EU) 2018/1972 of the European Parliament and of the Council as defined in that Regulation.

Common security requirements for internet connected radio equipment that equipment enables the holder or user to transfer money, monetary value or virtual currency. This document provides technical specifications for radio equipment processing virtual money or monetary value, which apply to electrical or electronic products that are capable to communicate over the internet, regardless of whether these products communicate directly or via any other equipment.

This document provides guidance to assist organizations to:
—    fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
—    perform information security risk management activities, specifically information security risk assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.

This Technical Specification (TS) provides a set of cybersecurity requirements for cloud services.
This TS is applicable to organizations providing cloud services and their subservice organizations

This document specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021-1.
The requirements contained in this document are demonstrated in terms of competence and reliability by bodies providing ISMS certification. The guidance contained in this document provides additional interpretation of these requirements for bodies providing ISMS certification.
NOTE       This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

This document establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by various parts of the standard which in its entirety is meant to be used as the basis for evaluation of security properties of IT products.
This document provides an overview of all parts of the ISO/IEC 15408 series. It describes the various parts of the ISO/IEC 15408 series; defines the terms and abbreviations to be used in all parts of the standard; establishes the core concept of a Target of Evaluation (TOE); describes the evaluation context and describes the audience to which the evaluation criteria is addressed. An introduction to the basic security concepts necessary for evaluation of IT products is given.
This document introduces:
—    the key concepts of Protection Profiles (PP), PP-Modules, PP-Configurations, packages, Security Targets (ST), and conformance types;
—    a description of the organization of security components throughout the model;
—    the various operations by which the functional and assurance components given in ISO/IEC 15408‑2 and ISO/IEC 15408‑3 can be tailored through the use of permitted operations;
—    general information about the evaluation methods given in ISO/IEC 18045;
—    guidance for the application of ISO/IEC 15408‑4 in order to develop evaluation methods (EM) and evaluation activities (EA) derived from ISO/IEC 18045;
—    general information about the pre-defined Evaluation Assurance Levels (EALs) defined in ISO/IEC 15408‑5;
—    information in regard to the scope of evaluation schemes.

This document defines the assurance requirements of the ISO/IEC 15408 series. It includes the individual assurance components from which the evaluation assurance levels and other packages contained in ISO/IEC 15408-5 are composed, and the criteria for evaluation of Protection Profiles (PPs),  PP-Configurations, PP-Modules, and Security Targets (STs).

This document provides packages of security assurance and security functional requirements that have been identified as useful in support of common usage by stakeholders.
EXAMPLE Examples of provided packages include the evaluation assurance levels (EAL) and the composed assurance packages (CAPs).

This document defines the required structure and content of security functional components for the purpose of security evaluation. It includes a catalogue of functional components that will meet the common security functionality requirements of many IT products.

The ISO/IEC 15408 series permits comparability between the results of independent security evaluations. The ISO/IEC 15408 series does so by providing a common set of requirements for the security functionality of IT products and for assurance measures applied to these IT products during a security evaluation. ISO/IEC 18045 provides a companion methodology for some of the assurance requirements specified in the ISO/IEC 15408 series, ISO/IEC 15408-1 and ISO/IEC 18045 also allow that more specific Evaluation Activities (EAs) may be derived for use in particular evaluation contexts. Specification of such Evaluation Activities is already occurring amongst practitioners and this creates a need for a specification for defining such Evaluation Activities.
This document, ISO/IEC 15408-4, provides a standardised framework for specifying objective, repeatable and reproducible Evaluation Methods (EMs), and Evaluation Activities.

This document specifies refinements for an application of ISO/IEC 27701 in a European context.
An organization can use this document for the implementation of the generic requirements and controls of ISO/IEC 27701 according to its context and its applicable obligations.
Certification bodies can use the specifications in this document as a basis for certification criteria verifying conformity to ISO/IEC 27701.
Certification criteria based on these specifications can provide a certification model under ISO/IEC 17065 for processing operations performed within the scope of a Privacy Information Management System according to ISO/IEC 27701, which can be combined with certification requirements for ISO/IEC 27701 under ISO/IEC 17021.
Accreditation bodies or regulatory authorities can use provisions in this document as criteria to establish certification mechanisms.

This document describes a cybersecurity evaluation methodology, named SESIP, for components of connected ICT products. Security claims in SESIP are made based on the security services offered by those components. Components can be in hardware and software. SESIP aims to support comparability between and reuse of independent security evaluations. SESIP provides a common set of requirements for the security functionality of components which apply to the foundational components of devices that are not application specific. The methodology describes the re-use of evaluation results.

This document defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 series evaluation, using the criteria and evaluation evidence defined in the ISO/IEC 15408 series.

The standard defines the requirements related to the professional activity of subjects active in the processing and protection of
personal data, namely the intellectual profession that is pursued at different levels of complexity and in different organizational
contexts, both public and private.
These requirements are specified, starting from the specific tasks and activities identified, in terms of knowledge, skills and
competence, in accordance with the European Qualifications Framework - EQF and are expressed in such a way as to facilitate and
contribute to harmonize, as far as possible, evaluation and validation processes of learning outcomes.

This document specifies baseline requirements for demonstrating processing activities compliance with the European personal data protection normative framework in accordance with EN ISO/IEC 17065. It does not however apply to products or management systems destined for processing personal data.
This document is applicable to all organizations which, as personal data controllers and/or processors, process personal data, and its objective is to provide a set of requirements enabling such organizations to conform effectively with the European personal data protection normative framework.
An organization can decide that the standard is applicable only to a specific subset of its processing activities if such a decision does not involve failure to conform with the European personal data protection normative framework.
This document also provides indications for conformity assessment with the aforementioned requirements.

This document specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this document are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this document.

ISO/IEC 29146:2016 defines and establishes a framework for access management (AM) and the secure management of the process to access information and Information and Communications Technologies (ICT) resources, associated with the accountability of a subject within some context.
This International Standard provides concepts, terms and definitions applicable to distributed access management techniques in network environments.
This International Standard also provides explanations about related architecture, components and management functions.
The subjects involved in access management might be uniquely recognized to access information systems, as defined in ISO/IEC 24760.
The nature and qualities of physical access control involved in access management systems are outside the scope of this International Standard.

This document specifies controls which shape the content and the structure of online privacy notices as well as the process of asking for consent to collect and process personally identifiable information (PII) from PII principals.
This document is applicable in any online context where a PII controller or any other entity processing PII informs PII principals of processing.

This document contains recommendations on how to integrate the principle of ‘data protection and privacy by design’ during the entire lifecycle of video-surveillance products and services, in order to achieve ‘data protection and privacy by default’.

ISO/IEC 24760-1:2019 defines terms for identity management, and •specifies core concepts of identity and identity management and their relationships.
It is applicable to any information system that processes identity information.
A bibliography of documents describing various aspects of identity information management is provided.

This document provides the specialized requirements to demonstrate competence of individuals in performing IT product security evaluations in accordance with ISO/IEC 15408 (all parts) and  ISO/IEC 18045.

This document provides the minimum requirements for the knowledge, skills and effectiveness requirements of individuals performing testing activities for a conformance scheme using ISO/IEC 19790 and ISO/IEC 24759.

ISO/IEC 19896-1:2018 defines terms and establishes an organized set of concepts and relationships to understand the competency requirements for information security assurance conformance-testing and evaluation specialists, thereby establishing a basis for shared understanding of the concepts and principles central to the ISO/IEC 19896 series across its user communities. It provides fundamental information to users of the ISO/IEC 19896 series.

This Protection Profile describes a set of security requirements for smart meters, based on the ‘minimum security requirements’ for components of AMI infrastructures in [5]. The requirements in [5] were based on the concept that there are a common/generic set of underlying ‘minimum’ security requirements associated with smart metering requirement specifications in a number of EU Member States

This document provides requirements for manufacturers and/or service providers to implement Data protection and Privacy by Design and by Default (DPbDD) early in their development of their products and services, i.e. before (or independently of) any specific application integration, to make sure that they are as privacy ready as possible. The document will be applicable to all business sectors, including the security industry.

This document provides a reference set of generic information security controls including implementation guidance. This document is designed to be used by organizations:
a) within the context of an information security management system (ISMS) based on ISO/IEC27001;
b) for implementing information security controls based on internationally recognized best practices;
c) for developing organization-specific information security management guidelines.

This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.
The requirements contained in this document need to be demonstrated in terms of competence and reliability by anybody providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.
NOTE     This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

ISO/IEC 29151:2017 establishes control objectives, controls and guidelines for implementing controls, to meet the
requirements identified by a risk and impact assessment related to the protection of personally identifiable information
(PII).
In particular, this Recommendation | International Standard specifies guidelines based on ISO/IEC 27002, taking into
consideration the requirements for processing PII that may be applicable within the context of an organization's
information security risk environment(s).
ISO/IEC 29151:2017 is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100),
including public and private companies, government entities and not-for-profit organizations that process PII.

This document describes a cybersecurity evaluation methodology that can be implemented using pre-defined time and workload resources, for ICT products. It is intended to be applicable for all three assurance levels defined in the CSA (i.e. basic, substantial and high).
The methodology comprises different evaluation blocks including assessment activities that comply with the evaluation requirements of the CSA for the mentioned three assurance levels. Where appropriate, it can be applied both to third-party evaluation and self-assessment.

ISO/IEC 24760-2:2015 provides guidelines for the implementation of systems for the management of identity information, and specifies requirements for the implementation and operation of a framework for identity management.
ISO/IEC 24760-2:2015 is applicable to any information system where information relating to identity is processed or stored.

ISO/IEC 24760-3:2016 provides guidance for the management of identity information and for ensuring that an identity management system conforms to ISO/IEC 24760-1 and ISO/IEC 24760-2.
ISO/IEC 24760-3:2016 is applicable to an identity management system where identifiers or PII relating to entities are acquired, processed, stored, transferred or used for the purposes of identifying or authenticating entities and/or for the purpose of decision making using attributes of entities. Practices for identity management can also be addressed in other standards.

This document provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011.
This document is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.

This document defines a privacy architecture framework that:
—          specifies concerns for ICT systems that process PII;
—          lists components for the implementation of such systems; and
—          provides architectural views contextualizing these components.
This document is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII.
It focuses primarily on ICT systems that are designed to interact with PII principals.

This document specifies requirements and provides guidance for establishing, implementing,
maintaining and continually improving a Privacy Information Management System (PIMS) in the form
of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the
organization.
This document specifies PIMS-related requirements and provides guidance for PII controllers and PII
processors holding responsibility and accountability for PII processing.
This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which are PII controllers and/or PII
processors processing PII within an ISMS.

ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
- additional implementation guidance for relevant controls specified in ISO/IEC 27002;
- additional controls with implementation guidance that specifically relate to cloud services.
This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers.

ISO/IEC 29100:2011 provides a privacy framework which
specifies a common privacy terminology;
defines the actors and their roles in processing personally identifiable information (PII);
describes privacy safeguarding considerations; and
provides references to known privacy principles for information technology.
ISO/IEC 29100:2011 is applicable to natural persons and organizations involved in specifying, procuring, architecting, designing, developing, testing, maintaining, administering, and operating information and communication technology systems or services where privacy controls are required for the processing of PII.

This document establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in line with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
In particular, this document specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations.
The guidelines in this document can also be relevant to organizations acting as PII controllers. However, PII controllers can be subject to additional PII protection legislation, regulations and obligations, not applying to PII processors. This document is not intended to cover such additional obligations.

This document provides requirements and recommendations for how to process and remediate reported potential vulnerabilities in a product or service.
This document is applicable to vendors involved in handling vulnerabilities.

The scope of this Recommendation | ISO/IEC 27011:2016 is to define guidelines supporting the implementation of information security controls in telecommunications organizations.
The adoption of this Recommendation | ISO/IEC 27011:2016 will allow telecommunications organizations to meet baseline information security management requirements of confidentiality, integrity, availability and any other relevant security property.

This document provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services. Vulnerability disclosure enables users to perform technical vulnerability management as specified in ISO/IEC 27002:2013, 12.6.1[1]. Vulnerability disclosure helps users protect their systems and data, prioritize defensive investments, and better assess risk. The goal of vulnerability disclosure is to reduce the risk associated with exploiting vulnerabilities. Coordinated vulnerability disclosure is especially important when multiple vendors are affected. This document provides:
—          guidelines on receiving reports about potential vulnerabilities;
—          guidelines on disclosing vulnerability remediation information;
—          terms and definitions that are specific to vulnerability disclosure;
—          an overview of vulnerability disclosure concepts;
—          techniques and policy considerations for vulnerability disclosure;
—          examples of techniques, policies (Annex A), and communications (Annex B).
Other related activities that take place between receiving and disclosing vulnerability reports are described in ISO/IEC 30111.
This document is applicable to vendors who choose to practice vulnerability disclosure to reduce risk to users of vendors' products and services.

ISO/IEC 19790:2012 the security requirements for a cryptographic module utilised within a security system protecting sensitive information in computer and telecommunication systems.  This International Standard defines four security levels for cryptographic modules to provide for a wide spectrum of data sensitivity (e.g. low value administrative data, million dollar funds transfers, life protecting data, personal identity information, and sensitive information used by government) and a diversity of application environments (e.g. a guarded facility, an office, removable media, and a completely unprotected location).  This International Standard specifies four security levels for each of 11 requirement areas with each security level increasing security over the preceding level.
ISO/IEC 19790:2012 specifies security requirements specifically intended to maintain the security provided by a cryptographic module and compliance with this International Standard is not sufficient to ensure that a particular module is secure or that the security provided by the module is sufficient and acceptable to the owner of the information that is being protected.

ISO/IEC 27019:2017 provides guidance based on ISO/IEC 27002:2013 applied to process control systems used by the energy utility industry for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes. This includes in particular the following:
-      central and distributed process control, monitoring and automation technology as well as information systems used for their operation, such as programming and parameterization devices;
-      digital controllers and automation components such as control and field devices or Programmable Logic Controllers (PLCs), including digital sensor and actuator elements;
-      all further supporting information systems used in the process control domain, e.g. for supplementary data visualization tasks and for controlling, monitoring, data archiving, historian logging, reporting and documentation purposes;
-      communication technology used in the process control domain, e.g. networks, telemetry, telecontrol applications and remote control technology;
-      Advanced Metering Infrastructure (AMI) components, e.g. smart meters;
-      measurement devices, e.g. for emission values;
-      digital protection and safety systems, e.g. protection relays, safety PLCs, emergency governor mechanisms;
-      energy management systems, e.g. of Distributed Energy Resources (DER), electric charging infrastructures, in private households, residential buildings or industrial customer installations;
-      distributed components of smart grid environments, e.g. in energy grids, in private households, residential buildings or industrial customer installations;
-      all software, firmware and applications installed on above-mentioned systems, e.g. DMS (Distribution Management System) applications or OMS (Outage Management System);
-      any premises housing the above-mentioned equipment and systems;
-      remote maintenance systems for above-mentioned systems.
ISO/IEC 27019:2017 does not apply to the process control domain of nuclear facilities. This domain is covered by IEC 62645.
ISO/IEC 27019:2017 also includes a requirement to adapt the risk assessment and treatment processes described in ISO/IEC 27001:2013 to the energy utility industry-sector?specific guidance provided in this document.

2019-08-21: WI initiated by CEN/CLC/JTC 8 transferred into CEN/CLC/JTC 13 (CEN/BT C122/2019)