PD CEN/CLC/TS 18072:2025

PD CEN/CLC/TS 18072:2025
BSI Standards Publication
Requirements for Conformity Assessment Bodies certifying Cloud Services
bsi.

National foreword

This Published Document is the UK implementation of CEN/CLC/TS 18072:2025.

The UK participation in its preparation was entrusted to Technical Committee IST/33/3, Security Evaluation, Testing and Specification.

A list of organizations represented on this committee can be obtained on request to its committee manager.

Contractual and legal considerations

This publication has been prepared in good faith, however no representation, warranty, assurance or undertaking (express or implied) is or will be made, and no responsibility or liability is or will be accepted by BSI in relation to the adequacy, accuracy, completeness or reasonableness of this publication. All and any such responsibility and liability is expressly disclaimed to the full extent permitted by the law.

This publication is provided as is, and is to be used at the recipient's own risk.

The recipient is advised to consider seeking professional guidance with respect to its use of this publication.

This publication is not intended to constitute a contract. Users are responsible for its correct application.

This publication is not to be regarded as a British Standard.

© The British Standards Institution 2025
Published by BSI Standards Limited 2025
ISBN 978 0 539 31452 6
ICS 03.120.20; 35.030

Compliance with a Published Document cannot confer immunity from legal obligations.

This Published Document was published under the authority of the Standards Policy and Strategy Committee on 30 April 2025.

Amendments/corrigenda issued since publication
Date    Text affected

TECHNICAL SPECIFICATION
CEN/CLC/TS 18072
April 2025
ICS 03.120.20; 35.030

English version

Requirements for Conformity Assessment Bodies certifying Cloud Services
Exigences applicables aux Organismes d'évaluation de la Conformité pour la certification des services en nuage
Anforderungen an Konformitätsbewertungsstellen, die Cloud-Dienste zertifizieren

This Technical Specification (CEN/TS) was approved by CEN on 13 October 2024 for provisional application.

The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN and CENELEC will be requested to submit their comments, particularly on the question whether the CEN/TS can be converted into a European Standard.

CEN and CENELEC members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS available promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in parallel to the CEN/TS) until the final decision about the possible conversion of the CEN/TS into an EN is reached.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels

Ref. No. CEN/CLC/TS 18072:2025 E

© 2025 CEN/CENELEC. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.

Contents

Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General requirements
4.1 Legal and contractual matters
4.1.1 Legal responsibility
4.1.2 Certification agreement
4.1.3 Use of license, certificates and marks of conformity
4.2 Management of impartiality
4.2.1 General
4.2.2 Nonconflicting activities
4.3 Liability and financing
4.4 Non-discriminatory conditions
4.5 Confidentiality
4.6 Publicly available information
5 Structural Requirements
5.1 Organizational structure and top management
5.2 Mechanisms for safeguarding impartiality
6 Resource Requirements
6.1 Certification body personnel: Determination of competence criteria
6.2 Resources for Evaluation
7 Process requirements
7.1 General requirements
7.2 Application
7.3 Application review
7.4 Evaluation
7.4.1 General
7.4.2 Types of evaluations
7.4.3 Preparation of the evaluation
7.4.4 Conducting evaluations
7.4.5 General requirements on conducting evaluations
7.5 Review
7.6 Certification decision
7.7 Certification Documentation
7.8 Directory of certified products
7.9 Surveillance
7.9.1 Introduction
7.9.2 General
7.9.3 Surveillance Evaluation
7.9.4 Recertification Evaluation
7.9.5 Special Evaluation
7.10 Changes affecting certification
7.11 Termination, reduction, suspension or withdrawal of certification
7.12 Records
7.13 Complaints and appeals
8 Management system requirements
8.1 Options
8.1.1 General
8.1.2 Option A
8.1.3 Option B
8.2 Management system documentation (Option A)
8.3 Control of documents (Option A)
8.4 Control of records (Option A)
8.5 Management review (Option A)
8.5.1 General
8.5.2 Review inputs
8.5.3 Review outputs
8.6 Internal Audits (Option A)
8.7 Corrective actions (Option A)
8.8 Preventive actions (Option A)
Annex A (normative) Required Knowledge and Skills
Annex B (normative) Dependency Analysis
Bibliography

European foreword

This document (CEN/CLC/TS 18072:2025) has been prepared by Technical Committee CEN/CLC/JTC 13 "Cybersecurity and Data protection", the secretariat of which is held by DIN.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN shall not be held responsible for identifying any or all such patent rights.

This document is developed to support the Cybersecurity Act, EU CSA, Regulation (EU) 2019/881 on information and communications technology cybersecurity certification.

Any feedback and questions on this document should be directed to the users' national standards body. A complete listing of these bodies can be found on the CEN website.

According to the CEN/CENELEC Internal Regulations, the national standards organisations of the following countries are bound to announce this Technical Specification: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the United Kingdom.

Introduction

The overall aim of certifying products, processes or services is to give confidence to all interested parties that a product, process or service fulfils specified requirements. The value of certification is the degree of confidence and trust that is established by an impartial and competent demonstration of fulfilment of specified requirements by a third party.

ISO/IEC 17065 specifies requirements, the observance of which is intended to ensure that certification bodies operate certification schemes in a competent, consistent and impartial manner, thereby facilitating the recognition of such bodies and the acceptance of certified products, processes and services on a national and international basis and so furthering international trade.

ISO/IEC 17065 gives generalized requirements for operating certification schemes for a broad range of products, processes or services. While the general requirements given by ISO/IEC 17065 are shared by all Certification Bodies, they are a high-level set. The conformity assessment bodies providing evaluation and certification of cloud services have some specific requirements for evaluation procedures and competence.

To help implementers, this document is numbered identically to ISO/IEC 17065:2012. Supplementary requirements are presented as clauses and subclauses additional to ISO/IEC 17065:2012. Any supplementary requirements are presented in this document with the same clause/subclause number as in ISO/IEC 17065:2012.

1 Scope

This document complements and supplements the procedures and general requirements found in ISO/IEC 17065:2012 for conformity assessment bodies performing certification of cloud services under a dedicated European cybersecurity certification scheme (for example, those defined in Regulation (EU) 2019/881 (Cybersecurity Act), based on concepts defined in this regulation, such as the three assurance levels Basic, Substantial and High).

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced documents (including any amendments) applies.

ISO/IEC 17000, Conformity assessment - Vocabulary and general principles

ISO/IEC 17065:2012, Conformity assessment - Requirements for bodies certifying products, processes and services

CEN/CLC/TS 18026, Three-level approach for a set of cybersecurity requirements for cloud services [1]

[1] Under preparation. Stage at the time of publication: FprCEN/CLC/TS 18026

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 17000, ISO/IEC 17065 and CEN/CLC/TS 18026 [1] and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:
- ISO Online browsing platform: available at https://www.iso.org/obp
- IEC Electropedia: available at http://www.electropedia.org/

1.1 appropriateness of evidence
measure of the relevance and reliability of evidence in providing support for the evaluator's conclusion
[SOURCE: International Standard on Assurance Engagements (ISAE) 3000, definition 12.i.ii]

1.2 carve-out method
evaluation method where the description of the system includes the services provided by the subservice provider but the controls and control objectives from the subservice provider are excluded from the description and the scope of the evaluation
Note 1 to entry: When the carve-out method is used, the scope of the evaluation includes controls implemented by the client to monitor the effectiveness of controls, which can include the review of assurance documentation of the subservice provider.

1.3 complementary user entity control
CUEC
control that the cloud service provider (CSP) assumes, in the design of its service, will be implemented by its customer

1.4 complementary service organization controls
CSOC
controls that the cloud service provider assumes that their subservice providers will have in place in order for them to securely operate their cloud service

1.5 evaluation
combination of the selection and determination functions of conformity assessment activities
Note 1 to entry: Evaluations include initial, surveillance and recertification evaluations, and can also include special evaluations.
[SOURCE: EN ISO/IEC 17065:2012, definition 3.3]

1.6 evaluation criteria
reference to which conformity is determined
Note 1 to entry: Evaluation criteria include the requirements of a defined scheme for services applicable to a defined evaluation level and corresponding assurance level.
Note 2 to entry: Evaluation criteria include the requirements on the defined processes and documentation of the service operated by the client and of its associated controls.

1.7 fair presentation
accurate, truthful and transparent description of a client's service
Note 1 to entry: Additional information about the content of a fair presentation is included in the certification scheme.

1.8 inclusive method
evaluation method where the controls from the subservice that supports cloud service provider operations are included in scope and will be reviewed by the evaluators
Note 1 to entry: When the inclusive method is used, the description of the client's service includes the services provided by the subservice provider, the relevant control objectives and related controls, if existing.

1.9 suitability of the design of a control
control design which ensures that actions or events that comprise a risk are prevented, or detected and corrected
Note 1 to entry: Typical risks are information security risks.

4 General requirements

4.1 Legal and contractual matters

4.1.1 Legal responsibility

The requirements of ISO/IEC 17065:2012, 4.1.1 apply.

4.1.2 Certification agreement

The requirements of ISO/IEC 17065:2012, 4.1.2 apply. In addition, the following requirements and guidance apply.

The certification agreement shall include the scope and the evaluation level.

4.1.3 Use of license, certificates and marks of conformity

The requirements of ISO/IEC 17065:2012, 4.1.3 apply.

4.2 Management of impartiality

4.2.1 General

The requirements of ISO/IEC 17065:2012, 4.2 apply. In addition, the following requirements and guidance in 4.2.2 apply.

4.2.2 Nonconflicting activities

The certification body (CB) and its personnel may carry out additional activities provided they do not constitute a risk to its impartiality. These activities may include:

a) organizing and participating in information meetings about the certification scheme in general;
b) arranging and participating as a lecturer in training courses, provided that, where these courses relate to cloud services, related security requirements and controls, evaluations or auditing, lecturers shall confine themselves to the provision of generic information and advice which is publicly available;
c) activities prior to evaluation, solely aimed at determining readiness for evaluation; however, such activities shall not result in the provision of recommendations or advice for specific solutions and shall not result in a reduction in the eventual evaluation duration;
d) performing third party evaluations according to standards, publicly available specifications or regulatory requirements other than those being part of the scope of accreditation; or
e) adding value during evaluations without recommending specific solutions.

NOTE Adding value during evaluations may include identifying opportunities for improvement, as they become evident during the evaluation.

4.3 Liability and financing

The requirements of ISO/IEC 17065:2012, 4.3 apply.

4.4 Non-discriminatory conditions

The requirements of ISO/IEC 17065:2012, 4.4 apply.

4.5 Confidentiality

The requirements of ISO/IEC 17065:2012, 4.5 apply.

4.6 Publicly available information

The requirements of ISO/IEC 17065:2012, 4.6 apply.

5 Structural Requirements

5.1 Organizational structure and top management

The requirements of ISO/IEC 17065:2012, 5.1 apply.

5.2 Mechanisms for safeguarding impartiality

The requirements of ISO/IEC 17065:2012, 5.2 apply.

6 Resource Requirements

6.1 Certification body personnel: Determination of competence criteria

The requirements of ISO/IEC 17065:2012, 6.1 apply. In addition, the following requirements and guidance apply.

The output of the process for determining the competence criteria for personnel involved in the management of evaluations or other certification activities shall be the documented criteria of required knowledge and skills necessary to effectively perform the evaluation and certification tasks to be fulfilled to achieve the intended results. Annex A provides a summary of competence requirements for personnel involved in specific certification functions.

6.2 Resources for Evaluation

The requirements of ISO/IEC 17065:2012, 6.2 apply.

7 Process requirements

7.1 General requirements

The requirements of ISO/IEC 17065:2012, 7.1 apply.

7.2 Application

The requirements of ISO/IEC 17065:2012, 7.2 apply.

7.3 Application review

7.3.1 The requirements of ISO/IEC 17065:2012, 7.3.1 apply. In addition, the following requirements apply.

The CB shall conduct additional review of the information obtained to ensure that:

a) the application contains all the information required by the certification scheme, including the identification of subservices operated by subservice providers used by the client in the operation of its cloud service;
b) the client has acknowledged and understands its responsibilities as defined in the certification scheme;
c) the CB understands the area of activity of the client and the associated business risks;
d) the CB has the competence and capability to perform the certification activity;
e) the CB has the resources, capabilities and competences available to perform all evaluation activities.

7.3.2 The requirements of ISO/IEC 17065:2012, 7.3.2 apply.

7.3.3 The requirements of ISO/IEC 17065:2012, 7.
