Please be advised that a New Work Item Proposal has been loaded to the BSI Standards Development Portal for comment. We hope this will assist in increasing awareness of the Standards Development Portfolio.
Any comments received will be submitted to IST/33 – Information security, cybersecurity, for consideration when deciding the UK response to CEN.
Proposal: CEN/CLC/JTC 13 N 507 Multi-layered approach for a set of requirements for information/cyber security controls for Cloud Services.
Comment period end date: 18/05/2021
This Technical Specification (TS) provides a set of information security requirements for information/cyber security controls for Cloud Services.
This TS is applicable for organizations providing cloud services and their subservice organizations.
ENISA is developing several certification schemes based on the provisions stated in the Cybersecurity Act (CSA). One of these schemes will address information security aspects for companies providing cloud services within the European Union. The current draft for this certification scheme includes an Annex stating mandatory requirements for these Cloud Service Providers.
It is the shared understanding of ENISA and CEN-CLC JTC13 that this Annex should not be part of the certification scheme itself but should instead be a European standard which the certification scheme refers to.
These controls and their requirements shall be determined by a risk management approach, and be updated regularly or whenever needed.
Therefore it is necessary for CEN-CLC JTC13 to take the existing Annex (provided by ENISA), transfer it into a draft for a Technical Specification, and use its established procedures to develop such a Technical Specification.
Proposal: CEN/CLC/JTC 13 N 502, Revision of EN ISO/IEC 27002 Information security, cybersecurity and privacy protection — Information security controls.
Comment period end date: 15/05/2021
This document provides a reference set of generic information security controls including implementation guidance. This document is designed to be used by organizations:
a) within the context of an ISMS based on ISO/IEC 27001;
b) for implementing information security controls based on internationally recognized best practices;
c) for developing their own information security management guidelines.
ISO/IEC 27002 is a widely recognised standard within the 2700x ISMS family of standards. The international standard ISO/IEC 27002 is currently under revision; therefore EN ISO/IEC 27002:2017 is proposed for revision to harmonize with the new version of the international standard.
Proposal: CEN/CLC/JTC 13 N 508 Requirements for Conformity Assessment Bodies certifying Cloud Services.
Comment period end date: 18/05/2021
This TS provides requirements and ISO/IEC 17065 interpretations for Conformity Assessment Bodies (CABs) assessing Cloud Services.
This TS is intended to be used by the National Accreditation Bodies (NABs), as well as CABs.
This NWI intends to respond to the ENISA request to JTC13 given in document JTC13 N484, in particular by providing a new Technical Specification that addresses interpretations and specifics of the accreditation assessment process as an extension to ISO/IEC 17065 that suits the requirements for Conformity Assessment Bodies (CABs) assessing Cloud Services for the candidate Cloud Services Scheme defined by ENISA (EUCS).
This TS aims to achieve harmonisation in the effective implementation of the EUCS by providing common accreditation baseline requirements and assessment criteria when accrediting those CABs that are to issue EUCS certificates. Users of this TS are expected to be both the National Accreditation Bodies (NABs) and CABs.
This TS is intended to be widely applicable.
If you have any comment or need more information, please contact Sami Ortiz at email@example.com