PD CEN/CLC/TS 18072:2025

BSI Standards Publication

Requirements for Conformity Assessment Bodies certifying Cloud Services

National foreword

This Published Document is the UK implementation of CEN/CLC/TS 18072:2025.

The UK participation in its preparation was entrusted to Technical Committee IST/33/3, Security Evaluation, Testing and Specification.

A list of organizations represented on this committee can be obtained on request to its committee manager.

Contractual and legal considerations

This publication has been prepared in good faith, however no representation, warranty, assurance or undertaking (express or implied) is or will be made, and no responsibility or liability is or will be accepted by BSI in relation to the adequacy, accuracy, completeness or reasonableness of this publication. All and any such responsibility and liability is expressly disclaimed to the full extent permitted by the law.

This publication is provided as is, and is to be used at the recipient's own risk.

The recipient is advised to consider seeking professional guidance with respect to its use of this publication.

This publication is not intended to constitute a contract. Users are responsible for its correct application.

This publication is not to be regarded as a British Standard.

© The British Standards Institution 2025
Published by BSI Standards Limited 2025
ISBN 978 0 539 31452 6
ICS 03.120.20; 35.030

Compliance with a Published Document cannot confer immunity from legal obligations.

This Published Document was published under the authority of the Standards Policy and Strategy Committee on 30 April 2025.

Amendments/corrigenda issued since publication
Date   Text affected

TECHNICAL SPECIFICATION
SPÉCIFICATION TECHNIQUE
TECHNISCHE SPEZIFIKATION

CEN/CLC/TS 18072
April 2025
ICS 03.120.20; 35.030

English version

Requirements for Conformity Assessment Bodies certifying Cloud Services

Exigences applicables aux Organismes d'évaluation de la Conformité pour la certification des services en nuage

Anforderungen an Konformitätsbewertungsstellen, die Cloud-Dienste zertifizieren

This Technical Specification (CEN/TS) was approved by CEN on 13 October 2024 for provisional application.

The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN and CENELEC will be requested to submit their comments, particularly on the question whether the CEN/TS can be converted into a European Standard.

CEN and CENELEC members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS available promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in parallel to the CEN/TS) until the final decision about the possible conversion of the CEN/TS into an EN is reached.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels

Ref. No. CEN/CLC/TS 18072:2025 E

© 2025 CEN/CENELEC. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.

Contents

Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General requirements
4.1 Legal and contractual matters
4.1.1 Legal responsibility
4.1.2 Certification agreement
4.1.3 Use of license, certificates and marks of conformity
4.2 Management of impartiality
4.2.1 General
4.2.2 Nonconflicting activities
4.3 Liability and financing
4.4 Non-discriminatory conditions
4.5 Confidentiality
4.6 Publicly available information
5 Structural Requirements
5.1 Organizational structure and top management
5.2 Mechanisms for safeguarding impartiality
6 Resource Requirements
6.1 Certification body personnel: Determination of competence criteria
6.2 Resources for Evaluation
7 Process requirements
7.1 General requirements
7.2 Application
7.3 Application review
7.4 Evaluation
7.4.1 General
7.4.2 Types of evaluations
7.4.3 Preparation of the evaluation
7.4.4 Conducting evaluations
7.4.5 General requirements on conducting evaluations
7.5 Review
7.6 Certification decision
7.7 Certification Documentation
7.8 Directory of certified products
7.9 Surveillance
7.9.1 Introduction
7.9.2 General
7.9.3 Surveillance Evaluation
7.9.4 Recertification Evaluation
7.9.5 Special Evaluation
7.10 Changes affecting certification
7.11 Termination, reduction, suspension or withdrawal of certification
7.12 Records
7.13 Complaints and appeals
8 Management system requirements
8.1 Options
8.1.1 General
8.1.2 Option A
8.1.3 Option B
8.2 Management system documentation (Option A)
8.3 Control of documents (Option A)
8.4 Control of records (Option A)
8.5 Management review (Option A)
8.5.1 General
8.5.2 Review inputs
8.5.3 Review outputs
8.6 Internal Audits (Option A)
8.7 Corrective actions (Option A)
8.8 Preventive actions (Option A)
Annex A (normative) Required Knowledge and Skills
Annex B (normative) Dependency Analysis
Bibliography

European foreword

This document (CEN/CLC/TS 18072:2025) has been prepared by Technical Committee CEN/CLC/JTC 13 “Cybersecurity and Data protection”, the secretariat of which is held by DIN.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN shall not be held responsible for identifying any or all such patent rights.

This document is developed to support the Cybersecurity Act, EUCSA, Regulation (EU) 2019/881 on information and communications technology cybersecurity certification.

Any feedback and questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found on the CEN website.

According to the CEN/CENELEC Internal Regulations, the national standards organisations of the following countries are bound to announce this Technical Specification: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the United Kingdom.

Introduction

The overall aim of certifying products, processes or services is to give confidence to all interested parties that a product, process or service fulfils specified requirements. The value of certification is the degree of confidence and trust that is established by an impartial and competent demonstration of fulfilment of specified requirements by a third party.

ISO/IEC 17065 specifies requirements, the observance of which is intended to ensure that certification bodies operate certification schemes in a competent, consistent and impartial manner, thereby facilitating the recognition of such bodies and the acceptance of certified products, processes and services on a national and international basis and so furthering international trade.

ISO/IEC 17065 gives generalized requirements for operating certification schemes for a broad range of products, processes or services. While the general requirements given by ISO/IEC 17065 are shared by all Certification Bodies, they are a high-level set. The conformity assessment bodies providing evaluation and certification of cloud services have some specific requirements for evaluation procedures and competence.

To help implementers, this document is numbered identically to ISO/IEC 17065:2012. Supplementary requirements are presented as clauses and subclauses additional to ISO/IEC 17065:2012. Any supplementary requirements are presented in this document with the same clause/subclause number as in ISO/IEC 17065:2012.

1 Scope

This document complements and supplements the procedures and general requirements found in ISO/IEC 17065:2012 for conformity assessment bodies performing certification of cloud services under a dedicated European cybersecurity certification scheme (for example, those defined in Regulation (EU) 2019/881 (Cybersecurity Act), based on concepts defined in this regulation, such as the three assurance levels Basic, Substantial and High).

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced documents (including any amendments) applies.

ISO/IEC 17000, Conformity assessment – Vocabulary and general principles

ISO/IEC 17065:2012, Conformity assessment – Requirements for bodies certifying products, processes and services

CEN/CLC/TS 18026, Three-level approach for a set of cybersecurity requirements for cloud services¹

¹ Under preparation. Stage at the time of publication: FprCEN/CLC/TS 18026

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 17000, ISO/IEC 17065 and CEN/CLC/TS 18026¹ and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
- ISO Online browsing platform: available at https://www.iso.org/obp
- IEC Electropedia: available at http://www.electropedia.org/

1.1 appropriateness of evidence
measure of the relevance and reliability of evidence in providing support for the evaluator's conclusion
[SOURCE: International Standard on Assurance Engagements (ISAE) 3000, definition 12.i.ii]

1.2 carve-out method
evaluation method where the description of the system includes the services provided by the subservice provider but the controls and control objectives from the subservice provider are excluded from the description and the scope of the evaluation
Note 1 to entry: When the carve-out method is used, the scope of the evaluation includes controls implemented by the client to monitor the effectiveness of controls, which can include the review of assurance documentation of the subservice provider.

1.3 complementary user entity control
CUEC
control that the cloud service provider (CSP) assumes, in the design of its service, will be implemented by its customer

1.4 complementary service organization controls
CSOC
controls that the cloud service provider assumes that their subservice providers will have in place in order for them to securely operate their cloud service

1.5 evaluation
combination of the selection and determination functions of conformity assessment activities
Note 1 to entry: Evaluations include initial, surveillance and recertification evaluations, and can also include special evaluations.
[SOURCE: EN ISO/IEC 17065:2012, definition 3.3]

1.6 evaluation criteria
reference to which conformity is determined
Note 1 to entry: Evaluation criteria include the requirements of a defined scheme for services applicable to a defined evaluation level and corresponding assurance level.
Note 2 to entry: Evaluation criteria include the requirements on the defined processes and documentation of the service operated by the client and of its associated controls.

1.7 fair presentation
accurate, truthful and transparent description of a client's service
Note 1 to entry: Additional information about the content of a fair presentation is included in the certification scheme.

1.8 inclusive method
evaluation method where the controls from the subservice that supports cloud service provider operations are included in scope and will be reviewed by the evaluators
Note 1 to entry: When the inclusive method is used, the description of the client's service includes the services provided by the subservice provider, the relevant control objectives and related controls, if existing.

1.9 suitability of the design of a control
control design which ensures that actions or events that comprise a risk are prevented, or detected and corrected
Note 1 to entry: Typical risks are information security risks.

4 General requirements

4.1 Legal and contractual matters

4.1.1 Legal responsibility

The requirements of ISO/IEC 17065:2012, 4.1.1 apply.

4.1.2 Certification agreement

The requirements of ISO/IEC 17065:2012, 4.1.2 apply. In addition, the following requirements and guidance apply.

The certification agreement shall include the scope and the evaluation level.

4.1.3 Use of license, certificates and marks of conformity

The requirements of ISO/IEC 17065:2012, 4.1.3 apply.

4.2 Management of impartiality

4.2.1 General

The requirements of ISO/IEC 17065:2012, 4.2 apply. In addition, the following requirements and guidance in 4.2.2 apply.

4.2.2 Nonconflicting activities

The certification body (CB) and its personnel may carry out additional activities provided they do not constitute a risk to its impartiality. These activities may include:

a) organizing and participating in information meetings about the certification scheme in general;

b) arranging and participating as a lecturer in training courses, provided that, where these courses relate to cloud services, related security requirements and controls, evaluations or auditing, lecturers shall confine themselves to the provision of generic information and advice which is publicly available;

c) activities prior to evaluation, solely aimed at determining readiness for evaluation; however, such activities shall not result in the provision of recommendations or advice for specific solutions and shall not result in a reduction in the eventual evaluation duration;

d) performing third party evaluations according to standards, publicly available specifications or regulatory requirements other than those being part of the scope of accreditation; or

e) adding value during evaluations without recommending specific solutions.

NOTE Adding value during evaluations may include identifying opportunities for improvement, as they become evident during the evaluation.

4.3 Liability and financing

The requirements of ISO/IEC 17065:2012, 4.3 apply.

4.4 Non-discriminatory conditions

The requirements of ISO/IEC 17065:2012, 4.4 apply.

4.5 Confidentiality

The requirements of ISO/IEC 17065:2012, 4.5 apply.

4.6 Publicly available information

The requirements of ISO/IEC 17065:2012, 4.6 apply.

5 Structural Requirements

5.1 Organizational structure and top management

The requirements of ISO/IEC 17065:2012, 5.1 apply.

5.2 Mechanisms for safeguarding impartiality

The requirements of ISO/IEC 17065:2012, 5.2 apply.

6 Resource Requirements

6.1 Certification body personnel

Determination of competence criteria

The requirements of ISO/IEC 17065:2012, 6.1 apply. In addition, the following requirements and guidance apply.

The output of the process for determining the competence criteria for personnel involved in the management of evaluations or other certification activities shall be the documented criteria of required knowledge and skills necessary to effectively perform the evaluation and certification tasks to be fulfilled to achieve the intended results.

Annex A provides a summary of competence requirements for personnel involved in specific certification functions.

6.2 Resources for Evaluation

The requirements of ISO/IEC 17065:2012, 6.2 apply.

7 Process requirements

7.1 General requirements

The requirements of ISO/IEC 17065:2012, 7.1 apply.

7.2 Application

The requirements of ISO/IEC 17065:2012, 7.2 apply.

7.3 Application review

7.3.1 The requirements of ISO/IEC 17065:2012, 7.3.1 apply. In addition, the following requirements apply.

The CB shall conduct additional review of the information obtained to ensure that:

a) the application contains all the information required by the certification scheme, including the identification of subservices operated by subservice providers used by the client in the operation of its cloud service;

b) the client has acknowledged and understands its responsibilities as defined in the certification scheme;

c) the CB understands the area of activity of the client and the associated business risks;

d) the CB has the competence and capability to perform the certification activity;

e) the CB's resources, capabilities and competences are available to perform all evaluation activities.

7.3.2 The requirements of ISO/IEC 17065:2012, 7.3.2 apply.

7.3.3 The requirements of ISO/IEC 17065:2012, 7.