PD CENCLCTS 18072 2025.docx

《PD CENCLCTS 18072 2025.docx》由会员分享，可在线阅读，更多相关《PD CENCLCTS 18072 2025.docx（43页珍藏版）》请在三一文库上搜索。

1、PDCEN/CLC/TS18072:2025BSIStandardsPublicationRequirementsforConformityAssessmentBodiescertifyingCloudServicesbsi.NationalforewordThisPublishedDocumentistheUKimplementationofCENCLCTS18072:2025.TheUKparticipationinitspreparationwasentrustedtoTechnicalCommitteeIST/33/3,SecurityEvaluation,TestingandSpec

2、ification.Alistoforganizationsrepresentedonthiscommitteecanbeobtainedonrequesttoitscommitteemanager.ContractualandlegalconsiderationsThispublicationhasbeenpreparedingoodfaith,howevernorepresentation,warranty,assuranceorundertaking(expressorimplied)isorwillbemade,andnoresponsibilityorliabilityisorwil

3、lbeacceptedbyBSIinrelationtotheadequacy,accuracy,completenessorreasonablenessofthispublication.Allandanysuchresponsibilityandliabilityisexpresslydisclaimedtothefullextentpermittedbythelaw.Thispublicationisprovidedasis,andistobeusedattherecipientsownrisk.Therecipientisadvisedtoconsiderseekingprofessi

4、onalguidancewithrespecttoitsuseofthispublication.Thispublicationisnotintendedtoconstituteacontract.Usersareresponsibleforitscorrectapplication.ThispublicationisnottoberegardedasaBritishStandard.TheBritishStandardsInstitution2025PublishedbyBSIStandardsLimited2025ISBN9780539314526ICS03.120.20;35.030Co

5、mpliancewithaPublishedDocumentcannotconferimmunityfromlegalobligations.ThisPublishedDocumentwaspublishedundertheauthorityoftheStandardsPolicyandStrategyCommitteeon30April2025.Amendments/corrigendaissuedsincepublicationDateTextaffectedTECHNICALSPECIFICATIONCEN/CLC/TS18072SPECIFICATIONTECHNIQUETECHNlS

6、CHESPEZlFIKATlONApril2025ICS03.120.20;35.030EnglishversionRequirementsforConformityAssessmentBodiescertifyingCloudServicesExigencesapplicablesauxOrganismesdevaluationdeAnforderungenanKonformitatsbewertungsstellen,dielaConformitepourlacertificationdesservicesenCloud-DiensteZertifizierennuageThisTechn

7、icalSpecification(CENTS)wasapprovedbyCENon13October2024forprovisionalapplication.TheperiodofvalidityofthisCEN/TSislimitedinitiallytothreeyears.AftertwoyearsthemembersofCENandCENELECwillberequestedtosubmittheircomments,particularlyonthequestionwhethertheCEN/TScanbeconvertedintoaEuropeanStandard.CENan

8、dCENELECmembersarerequiredtoannouncetheexistenceofthisCEN/TSinthesamewayasforanENandtomaketheCEN/TSavailablepromptlyatnationallevelinanappropriateform.Itispermissibletokeepconflictingnationalstandardsinforce(inparalleltotheCEN/TS)untilthefinaldecisionaboutthepossibleconversionoftheCEN/TSintoanENisre

9、ached.CENandCENELECmembersarethenationalstandardsbodiesandnationalelectrotechnicalcommitteesofAustria,Belgium,Bulgaria,Croatia,Cyprus,CzechRepublic,Denmark,Estonia,Finland,France,Germany,Greece,Hungary,Iceland,Ireland,Italy,Latvia,Lithuania,Luxembourg,Malta,Netherlands,Norway,Poland,Portugal,Republi

10、cofNorthMacedonia,Romania,Serbia,Slovakia,Slovenia,Spain,Sweden,Switzerland,TiirkiyeandUnitedKingdom.CEN-CENELECManagementCentre:RuedelaScience23,B-1040BrusselsRef.No.CEN/CLC/TS18072:2025E2025CEN/CENELECAllrightsofexploitationinanyformandbyanymeansreservedworldwideforCENnationalMembersandforCENELECM

11、embers.ContentsPageIntroduction51 Scope62 Normativereferences63 Termsanddefinitions64 Generalrequirements84.1 Legalandcontractualmatters84.1.1 Legalresponsibility84.1.2 Certificationagreement84.1.3 Useoflicense,certificatesandmarksofconformity84.2 Managementofimpartiality84.2.1 General84.2.2 Nonconf

12、lictingactivities84.3 Liabilityandfinancing84.4 Non-discriminatoryconditions84.5 Confidentiality94.6 Publiclyavailableinformation95 StructuralRequirements95.1 Organizationalstructureandtopmanagement95.2 Mechanismsforsafeguardingimpartiality96 ResourceRequirements96.1 CertificationbodypersonnelDeterm

13、inationofcompetencecriteria96.2 ResourcesforEvaluation97 Processrequirements97.1 Generalrequirements97.2 Application97.3 Applicationreview97.4 Evaluation107.4.1 General107.4.2 Typesofevaluations107.4.3 Preparationoftheevaluation107.4.4 Conductingevaluations177.4.5 Generalrequirementsonconductingeval

14、uations257.5 Review297.6 Certificationdecision297.7 CertificationDocumentation297.8 Directoryofcertifiedproducts307.9 Surveillance307.9.1 Introduction307.9.2 General307.9.3 SurveillanceEvaluation307.9.4 RecertificationEvaluation307.9.5 SpecialEvaluation317.10 Changesaffectingcertification317.11 Term

15、ination,reduction,suspensionorwithdrawalofcertification327.12 Records327.13 Complaintsandappeals328 Managementsystemrequirements328.1 Options328.1.1 General328.1.2 OptionA328.1.3 OptionB328.2 Managementsystemdocumentation(OptionA)328.3 Controlofdocuments(OptionA)328.4 Controlofrecords(OptionA)328.5

16、Managementreview(OptionA)328.5.1 General328.5.2 Reviewinputs328.5.3 Reviewoutputs328.6 InternalAudits(OptionA)328.7 Correctiveactions(OptionA)338.8 Preventiveactions(OptionA)33Annex A (normative)RequiredKnowledgeandSkills34Annex B (normative)DependencyAnalysis43Bibliography45EuropeanforewordThisdocu

17、ment(CEN/CLC/TS18072:2025)hasbeenpreparedbyTechnicalCommitteeCEN/CLC/JTC13“CybersecurityandDataprotection1,thesecretariatofwhichisheldbyDIN.Attentionisdrawntothepossibilitythatsomeoftheelementsofthisdocumentmaybethesubjectofpatentrights.CENshallnotbeheldresponsibleforidentifyinganyorallsuchpatentrig

18、hts.ThisdocumentisdevelopedtosupporttheCybersecurityAct,EUCSA,Regulation(EU)2019/881oninformationandcommunicationstechnologycybersecuritycertification.Anyfeedbackandquestionsonthisdocumentshouldbedirectedtotheusersnationalstandardsbody.AcompletelistingofthesebodiescanbefoundontheCENwebsite.According

19、totheCEN/CENELECInternalRegulations,thenationalstandardsorganisationsofthefollowingcountriesareboundtoannouncethisTechnicalSpecification:Austria,Belgium,Bulgaria,Croatia,Cyprus,CzechRepublic,Denmark,Estonia,Finland,France,Germany,Greece,Hungary,Iceland,Ireland,Italy,Latvia,Lithuania,Luxembourg,Malta

20、Netherlands,Norway,Poland,Portugal,RepublicofNorthMacedonia,Romania,Serbia,Slovakia,Slovenia,Spain,Sweden,Switzerland,TurkiyeandtheUnitedKingdom.IntroductionTheoverallaimofcertifyingproducts,processesorservicesistogiveconfidencetoallinterestedpartiesthataproduct,processorservicefulfilsspecifiedrequ

21、irements.Thevalueofcertificationisthedegreeofconfidenceandtrustthatisestablishedbyanimpartialandcompetentdemonstrationoffulfilmentofspecifiedrequirementsbyathirdparty.ISO/IEC17065specifiesrequirements,theobservanceofwhichisintendedtoensurethatcertificationbodiesoperatecertificationschemesinacompeten

22、t,consistentandimpartialmanner,therebyfacilitatingtherecognitionofsuchbodiesandtheacceptanceofcertifiedproducts,processesandservicesonanationalandinternationalbasisandsofurtheringinternationaltrade.ISO/IEC17065givesgeneralizedrequirementsforoperatingcertificationschemesforabroadrangeofproducts,proce

23、ssesorservices.WhilethegeneralrequirementsgivenbyISO/IEC17065aresharedbyallCertificationBodies,theyareahigh-levelset.Theconformityassessmentbodiesprovidingevaluationandcertificationofcloudserviceshavesomespecificrequirementsforevaluationproceduresandcompetence.TohelpImplementerslthisdocumentisnumber

24、edidenticallytoISO/IEC17065:2012.SupplementaryrequirementsarepresentedasclausesandsubclausesadditionaltoISO/IEC17065:2012.Anysupplementaryrequirementsarepresentedinthisdocumentwiththesameclause/subclausenumberasinISO/IEC17065:2012.1 ScopeThisdocumentcomplementsandsupplementstheproceduresandgeneralre

25、quirementsfoundinISO/IEC17065:2012forconformityassessmentbodiesperformingcertificationofcloudservicesunderadedicatedEuropeancybersecuritycertificationscheme(forexample,thosedefinedinRegulation(EU)2019/881(CybersecurityAct),basedonconceptsdefinedinthisregulation,suchasthethreeassurancelevelsBasic,Sub

26、stantialandHigh).2 NormativereferencesThefollowingdocumentsarereferredtointhetextinsuchawaythatsomeoralloftheircontentconstitutesrequirementsofthisdocument.Fordatedreferences,onlytheeditioncitedapplies.Forundatedreferences,thelatesteditionofthereferenceddocuments(includinganyamendments)applies.ISO/I

27、EC17000,ConformityassessmentVocabularyandgeneralprinciplesISO/IEC17065:2012,ConformityassessmentRequirementsforbodiescertifyingproducts,processesandservicesCEN/CLC/TS18026,Three-IevelapproachforasetofcybersecurityrequirementsforcloudserviceslUnderpreparation.Stageatthetimeofpublication:FprCEN/CLC/TS

28、180263 TermsanddefinitionsForthepurposesofthisdocument,thetermsanddefinitionsgiveninISO/IEC17000,ISO/IEC17065andCEN/CLC/TS180261andthefollowingapply.ISOandIECmaintainterminologicaldatabasesforuseinstandardizationatthefollowingaddresses: ISOOnlinebrowsingplatform:availableathttps:WWW.iso.org/obp IECE

29、lectropedia:availableathttp/www.rlectropedia.org/1.1appropriatenessofevidencemeasureoftherelevanceandreliabilityofevidenceinprovidingsupportfortheevaluatorsconclusionSOURCE:InternationalStandardonAssuranceEngagements(ISAE)3000,definition12.i.ii1.2carve-outmethodevaluationmethodwherethedescriptionoft

30、hesystemincludestheservicesprovidedbythesubserviceproviderbutthecontrolsandcontrolsobjectivesfromthesubserviceproviderareexcludedfromthedescriptionandthescopeoftheevaluationNote1toentry:Whencarve-outmethodisused,thescopeoftheevaluationincludescontrolsimplementedbytheclienttomonitortheeffectivenessof

31、controlswhichcanincludethereviewofassurancedocumentationofthesubserviceprovider.1.3complementaryuserentitycontrolCUECcontrolthatthecloudserviceprovider(CSP)assumes,inthedesignofitsservice,willbeimplementedbyitscustomer1.4complementaryserviceorganizationcontrolsCSOCcontrolsthatthecloudserviceprovider

32、assumesthattheirsubserviceproviderswillhaveinplaceinorderforthemtosecurelyoperatetheircloudservice1.5evaluationcombinationoftheselectionanddeterminationfunctionsofconformityassessmentactivitiesNote1toentry:Evaluationsincludeinitial,surveillance,recertificationevaluations,andcanalsoincludespecialeval

33、uations.SOURCE:ENISO/IEC17065:2012,definition3.31.6evaluationcriteriareferencetowhichconformityisdeterminedNote1toentry:Evaluationcriteriaincludetherequirementsofadefinedschemeforservicesapplicabletoadefinedevaluationlevelandcorrespondingassurancelevel.Note2toentry:Evaluationcriteriaincludetherequir

34、ementsonthedefinedprocessesanddocumentationoftheserviceoperatedbytheclientandofitsassociatedcontrols.1.7fairpresentationaccurate,truthfulandtransparentdescriptionofaclientsserviceNote1toentry:Additionalinformationaboutthecontentofafairpresentationisincludedinthecertificationscheme.1.8inclusivemethod

35、evaluationmethodwherethecontrolsfromthesubservicethatsupportscloudserviceprovideroperationsareincludedinscopeandwillbereviewedbytheevaluatorsNote1toentry:Wheninclusivemethodisused,thedescriptionoftheclientsserviceincludestheservicesprovidedbythesubserviceprovider,therelevantcontrolobjectivesandrelat

36、edcontrolsifexisting.1.9suitabilityofthedesignofacontrolcontroldesignwhichensuresthatactionsoreventsthatcompriseariskareprevented,ordetectedandcorrectedNote1toentry:Typicalriskareinformationsecurityrisks.4 Generalrequirements4.1 Legalandcontractualmatters4.1.1 LegalresponsibilityTherequirementsofISO

37、/IEC17065:2012,4.1.1apply.4.1.2 CertificationagreementTherequirementsofISO/IEC17065:2012,4.1.2apply.Inaddition,thefollowingrequirementsandguidanceapply.Thecertificationagreementshallincludethescopeandtheevaluationlevel.4.1.3 Useoflicense,certificatesandmarksofconformityTherequirementsofISO/IEC17065:

38、2012,4.1.3apply.4.2 Managementofimpartiality4.2.1 GeneralTherequirementsofISO/IEC17065:2012,4.2apply.Inaddition,thefollowingrequirementsandguidancein4.2.2apply.4.2.2 NonconflictingactivitiesThecertificationbody(CB)anditspersonnelmaycarryoutadditionalactivitiesprovidedtheydonotconstitutearisktoitsimp

39、artiality.Theseactivitiesmayinclude:a) organizingandparticipatingininformationmeetingsaboutthecertificationschemeingeneral;b) arrangingandparticipatingasalecturerintrainingcourses,providedthat,wherethesecoursesrelatetocloudservices,relatedsecurityrequirementsandcontrols,evaluationsorauditing,lecture

40、rsshallconfinethemselvestotheprovisionofgenericinformationandadvicewhichispubliclyavailable;c) activitiespriortoevaluation,solelyaimedatdeterminingreadinessforevaluation;however,suchactivitiesshallnotresultintheprovisionofrecommendationsoradviceforspecificsolutionsandshallnotresultinareductioninthee

41、ventualevaluationduration;d) performingthirdpartyevaluationsaccordingtostandards,publiclyavailablespecificationsorregulatoryrequirementsotherthanthosebeingpartofthescopeofaccreditation;ore) addingvalueduringevaluationswithoutrecommendingspecificsolutions.NOTEAddingvalueduringevaluationsmayincludeide

42、ntifyingopportunitiesforimprovement,astheybecomeevidentduringtheevaluation.4.3 LiabilityandfinancingTherequirementsofISO/IEC17065:2012,4.3apply.4.4 Non-discriminatoryconditionsTherequirementsofISO/IEC17065:2012,4.4apply.4.5 ConfidentialityTherequirementsofISO/IEC17065:2012,4.5apply.4.6 Publiclyavail

43、ableinformationTherequirementsofISO/IEC17065:2012,4.6apply.5 StructuralRequirements5.1 OrganizationalstructureandtopmanagementTherequirementsofISO/IEC17065:2012,5.1apply.5.2 MechanismsforsafeguardingimpartialityTherequirementsofISO/IEC17065:2012,5.2apply.6 ResourceRequirements6.1 Certificationbodype

44、rsonnelDeterminationofcompetencecriteriaTherequirementsofISO/IEC17065:2012,6.1apply.Inaddition,thefollowingrequirementsandguidanceapply.Theoutputoftheprocessfordeterminingthecompetencecriteriaforpersonnelinvolvedinthemanagementofevaluationsorothercertificationactivitiesshallbethedocumentedcriteriaof

45、requiredknowledgeandskillsnecessarytoeffectivelyperformevaluationandcertificationtaskstobefulfilledtoachievetheintendedresults.AnnexAprovidesasummaryofcompetencerequirementsforpersonnelinvolvedinspecificcertificationfunctions.6.2 ResourcesforEvaluationTherequirementsofISO/IEC17065:2012,6.2apply.7 Pr

46、ocessrequirements7.1 GeneralrequirementsTherequirementsofISO/IEC17065:2012,7.1apply.7.2 ApplicationTherequirementsofISO/IEC17065:2012,7.2apply.7.3 Applicationreview7.3.1 TherequirementsofISO/IEC17065:2012,7.3.1apply.Inaddition,thefollowingrequirementsapply.TheCBshallconductadditionalreviewoftheinfor

47、mationobtainedtoensurethat:a) theapplicationcontainsalltheinformationrequiredbythecertificationschemeincludingtheidentificationofsubservicesoperatedbysubserviceprovidersusedbytheclientintheoperationofitscloudservice;b) theclienthasacknowledgedandunderstandsitsresponsibilitiesasdefinedinthecertificat

48、ionscheme;c) theCBunderstandstheareaofactivityoftheclientandtheassociatedbusinessrisks;d) theCBhasthecompetenceandcapabilitytoperformthecertificationactivity;e) CBhastheresources,capabilitiesandcompetencesareavailabletoperformallevaluationactivities.7.3.2 TherequirementsofISO/IEC17065:2012,7.3.2apply.7.3.3 TherequirementsofISO/IEC17065:2012,7.