SIST-TS CEN/CLC/TS 18026:2024
Three-level approach for a set of cybersecurity requirements for cloud services
This Technical Specification (TS) provides a set of cybersecurity requirements for cloud services.
This TS is applicable to organizations providing cloud services and their subservice organizations.
Multi-layered approach for a catalogue of requirements for information/cybersecurity measures for cloud services
SLOVENIAN STANDARD
1 July 2024
Three-level approach for a set of cybersecurity requirements for cloud services
Multi-layered approach for a catalogue of requirements for information/cybersecurity measures for cloud services
This Slovenian standard is identical to: CEN/TS 18026:2024
ICS:
35.030 IT Security
35.210 Cloud computing
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
TECHNICAL SPECIFICATION CEN/TS 18026
April 2024
ICS 35.030; 35.210
English version
Three-level approach for a set of cybersecurity requirements for cloud services
Multi-layered approach for a catalogue of requirements for information/cybersecurity measures for cloud services
This Technical Specification (CEN/TS) was approved by CEN on 27 February 2024 for provisional application.
The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN and CENELEC will be requested to submit their comments, particularly on the question whether the CEN/TS can be converted into a European Standard.
CEN and CENELEC members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS available promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in parallel to the CEN/TS) until the final decision about the possible conversion of the CEN/TS into an EN is reached.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2024 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. CEN/TS 18026:2024 E
CEN/CLC/TS 18026:2024 (E)
Contents Page
European foreword . 3
Introduction . 4
1. Scope . 8
2. Normative references . 8
3. Terms and definitions . 8
4. Organisation of Information Security . 35
5. Information Security Policies . 39
6. Risk management . 45
7. Human Resources . 49
8. Asset Management . 57
9. Physical Security . 63
10. Operational Security . 93
11. Identity, Authentication and Access Control Management . 94
12. Cryptography and Key Management . 113
13. Communication Security . 117
14. Portability and Interoperability . 125
15. Change and Configuration Management . 128
16. Development of Information Systems . 134
17. Procurement Management . 144
18. Incident Management . 152
19. Business Continuity . 160
20. Compliance . 164
21. User Documentation . 168
22. Dealing with Investigation Requests from Government Agencies . 172
23. Product Security . 174
Bibliography . 178
European foreword
This document (CEN/CLC/TS 18026:2024) has been prepared by Technical Committee CEN/CLC/JTC 13 “Cybersecurity and Data protection”, the secretariat of which is held by DIN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document is developed to support the Cybersecurity Act, EUCSA, Regulation (EU) 2019/881 on information and communications technology cybersecurity certification.
Any feedback and questions on this document should be directed to the users’ national standards body. A complete listing of these bodies can be found on the CEN website.
Introduction
General
This document presents requirements for cybersecurity of cloud services. These requirements are also strongly related to information security. ISO 27100 states that cybersecurity is primarily concerned with protecting entities including people, society, organisations and nations from cyber risks, while information security addresses maintaining confidentiality, integrity and availability of information with consequences. Information security and cybersecurity therefore have different perspectives and concerns while they are closely related and overlapping as both address cyber threats. The requirements primarily address the cloud service, but unavoidably also raise expectations and impose requirements on organisations developing and operating such services.
Organisations wishing to demonstrate conformance to these requirements might prefer to do so using a single free-standing certification or build on existing certifications held by that organisation or the cloud service. To facilitate this, the requirements are written so as to allow coverage by composition of multiple certifications, or a single-step complete coverage via a single certification.
In addition, the organisational requirements align closely with the requirements and controls of ISO/IEC 27001, ISO/IEC 27002 and other international schemes for cybersecurity and information security requirements and controls. This means that organisations already holding certifications, for the organisation or the service, can build from those prior audits and certifications. Similarly, if the requirements of this document are the first ones ever certified for this organisation or service, the evaluation materials will have the potential to be used to support additional certifications thereafter. Further guidance on this issue is available in .
This document presents a set of requirements for cybersecurity of cloud services with two key concepts:
• It provides for three different assurance levels, i.e. Basic, Substantial and High: some requirements are present at all levels, sometimes being extended at higher levels, while others only come into effect at the higher levels; and
• A risk assessment is undertaken to determine the cloud service specific risks, taking also into account the opportunities with the level and the cloud service specific cyber risks; risk treatment then involves the selection of appropriate controls by the organisation to satisfy the requirements for that level. The requirements themselves that are included in the document are mandatory for the chosen level.
Nothing written in this document is to be taken as indicating requirements for how evaluations will be conducted by bodies offering conformance testing for certification schemes. Requirements for bodies offering conformance testing for certification schemes based on this document are given in .
The three assurance levels (Basic, Substantial and High) offer increasing levels of assurance as to the security of the cloud service. As this document addresses cybersecurity for cloud services, it is important to appreciate that an information security management system (ISMS) certification alone is not sufficient to demonstrate conformance with the requirements in this document. Nonetheless, having an ISMS will assist the organisation in developing and operating their cloud services and in satisfying some requirements in this document.
Assurance level Basic should be suitable for cloud services that are designed to meet typical security requirements on services for non-critical data and systems, while Substantial targets cloud services that are designed to meet typical security requirements on services for business-critical data and systems. Assurance level High should be suitable for cloud services that are designed to meet specific (exceeding level ‘Substantial’) security requirements for mission-critical data and systems. Similarly, the assurance levels are intended to be achievable for cloud services being offered to cloud service customers (CSCs) who themselves target the indicated data and systems, and related criticality levels. The EUCS is not intended to address the needs of national security purposes and the activities of the State in areas of criminal law.
Assurance levels
The requirements defined in the document are labelled Basic, Substantial or High:
• Requirements labelled Basic apply to assurance level Basic. They carry over to assurance levels Substantial and High, unless replaced by stronger requirements;
• Requirements labelled Substantial apply to assurance level Substantial and will in some cases be considered as guidance for level Basic (i.e., the reference method to achieve the Basic requirements, which are often less detailed); and
• Requirements labelled High only apply to assurance level High.
Typically, the requirements corresponding to a cybersecurity objective are organized as follows:
• Basic requirements define a baseline in bold text, often with limited details or constraints;
• Substantial requirements add to that baseline further details and constraints in bold text. In addition, specific Substantial requirements are introduced; and
• High requirements add further details or constraints in bold text. Some are also related to automated monitoring, or to additional testing and review requirements, contributing to an increase in confidence in the security of the service.
Certification schemes define evaluation levels as a combination of assurance components that corresponds to an assurance level (and the requirements defined for this assurance level), and to appropriate levels of depth and rigour in the assessment, corresponding to a category of security problems.
Applicability of requirements
The risk assessment and risk treatment that the Cloud Service Provider (CSP) performs in accordance with RM-01 includes the determination of controls that are needed to satisfy the requirements in this document and to address identified risks. The implementation of controls may vary depending on the characteristics of the certified cloud service. The CSP can design further controls or determine them from other resources to address the results of the risk assessment, in addition to the requirements in the document. The similarities between this document’s requirements and the controls and/or requirements in existing EN standards such as the ISO 27000 series can support the fulfilment of requirements by using these documents in addition. The CSP provides justifications for which requirements of this document are applicable to the cloud service and at which level of assurance. The CSP explains in the description of the cloud service if individual Basic, Substantial and High requirements are not applicable due to the design and implementation of the cloud service, and how these requirements are addressed in other ways. Based on the information provided by the CSP, conformity assessment will be conducted to cover the scope for certification of the cloud service for the actual assurance level, as defined in the assessment methodology .
Automated monitoring
The requirements related to “automated monitoring” or “monitor with automation” are about gathering and pre-processing data by non-human means. Automated monitoring should be distinguished from continuous monitoring: the latter refers to monitoring over an enduring period of time and can be applied with or without automation. The introduction of automated monitoring requirements is intended to utilize the available technology and to manage the complexity of security monitoring of cloud services. Since standards focus on outcomes (i.e. "what" shall be achieved), there will be limited references to methods (i.e. "how" it shall be achieved) except in instances where automated monitoring requirements are specifically needed. For instance, automated monitoring will be required for processing, logging and storing large amounts of data to increase the efficiency of business processes and the cybersecurity of cloud services.
Structure of the document
This document presents twenty categories of requirements; each category is divided into themes. Each theme is structured as follows:
• A cybersecurity objective that the requirements aim to achieve.
• Requirements to be satisfied in the context of the cybersecurity objective, each requirement being associated with an assurance level.
• The requirements within a single theme have to be read as a flow.
There are many cross-references between requirements and themes. For instance, the ISP-02 theme, which defines how policies and procedures are to be defined, is referenced many times.
The categories, and their intended purposes, are (with their clause numbers):
4. Organisation of Information Security
Plan, implement, maintain and continuously improve the information security framework applicable to the cloud service.
5. Information Security Policies
Provide an information security policy, derived into topic-specific policies and procedures regarding security of the cloud service to support business requirements.
6. Risk Management
Provide a risk management framework, to manage the risks associated to the cloud service, from identification to treatment.
7. Human Resources
Ensure that personnel understand their responsibilities based on job role descriptions, are aware of their responsibilities with regard to information security, and that the assets that are used to provide the cloud service are protected in the event of changes in responsibilities or termination.
8. Asset Management
Identify the assets that are used to provide the cloud service and ensure an appropriate level of protection throughout their lifecycle.
9. Physical Security
Prevent unauthorised physical access and protect against theft, damage, loss and outage of operations.
10. Operational Security
Ensure proper and regular operation, including appropriate measures for planning and monitoring capacity, protection against malware, logging and monitoring events, and dealing with vulnerabilities, malfunctions and failures.
11. Identity, Authentication and Access Control Management
Limit access to information and information processing facilities.
12. Cryptography and Key Management
Ensure appropriate and effective use of cryptography to protect the confidentiality, authenticity or integrity of information.
13. Communication Security
Ensure the protection of information in networks and the corresponding information processing systems.
14. Portability and Interoperability
Enable the ability to access the cloud service via other cloud services or IT systems of the CSCs, to obtain the stored data at the end of the contractual relationship and to securely delete it from the cloud service.
15. Change and Configuration Management
Ensure that changes and configuration actions to information systems guarantee the security of the delivered cloud service.
16. Development of Information Systems
Ensure information security in the development cycle of information systems.
17. Procurement Management
Ensure the protection of information that suppliers related to the cloud service can access and monitor the agreed services and security requirements.
18. Incident Management
Ensure a consistent and comprehensive approach to the capture, assessment, communication and escalation of information security incidents related to the cloud service.
19. Business Continuity
Plan, implement, maintain and test procedures and measures for business continuity and emergency management for the cloud service.
20. Compliance
Avoid non-compliance with legal, regulatory and contractual information security and compliance requirements related to the cloud service.
21. User Documentation
Provide up-to-date information on the secure configuration and known vulnerabilities of the cloud service for CSCs.
22. Dealing with Investigation Requests from Government Agencies
Ensure appropriate handling of government investigation requests for legal review, information to CSCs, and limitation of access to or disclosure of data.
23. Product Security
Provide appropriate cybersecurity mechanisms and controls in cloud services and the underlying infrastructure, products and components relied upon by the CSCs.
1. Scope
This document provides a set of cybersecurity requirements for cloud services.
This document is applicable to organisations providing cloud services and their subservice organisations.
2. Normative references
There are no normative references in this document.
3. Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
• IEC Electropedia: available at https://www.electropedia.org/
• ISO Online browsing platform: available at https://www.iso.org/obp
3.1
access control
means to ensure that physical and logical access to assets is authorised and restricted based on business
and information security requirements
[SOURCE: ISO/IEC 27002:2022, 3.1.1]
3.2
access right
permission for a subject to access a particular object for a specific type of operation
[SOURCE: ISO/IEC 2382:2015, 2126298]
3.3
account data
class of data specific to each cloud service customer that is required to administer the cloud service
Note 1 to entry: Account data is typically generated when a cloud service is purchased and is under the control of the cloud service provider.
Note 2 to entry: Account data consists of data elements provided by the cloud service customer, such as name, address, telephone, etc.
[SOURCE: ISO/IEC 22123-1:2023(en), 3.9.4]
3.4
activity
specified pursuit or set of tasks
[SOURCE: ISO/IEC 22123-1:2023(en), 3.3.8]
3.5
administration actions
set of actions for installing, deleting, modifying and consulting the configuration of a system participating
in the service’s information system and likely to modify its operation or security
[SOURCE: SecNumCloud Version 3.2, paragraph 1.3.2. Definitions (March 8, 2022)]
3.6
anonymization
process by which personally identifiable information (PII) is irreversibly altered in such a way that a PII
principal can no longer be identified directly or indirectly, either by the PII controller alone or in
collaboration with any other party
[SOURCE: ISO/IEC 29100:2011(en), 2.2]
3.7
application capabilities type
cloud capabilities type in which the cloud service customer can use the cloud service provider's
applications
[SOURCE: ISO/IEC 22123-1:2023(en), 3.5.2]
3.8
appropriate level of management
person or group of persons to whom top management has delegated a task or responsibility with the
required mandate and authority
Note 1 to entry: In security controls, the appropriate level of management would typically be responsible for topic-specific policies and procedures.
3.9
asset
anything that has value to the organization
Note 1 to entry: In the context of information security, two kinds of assets can be distinguished:
— the primary assets:
— information;
— business processes and activities;
— the supporting assets (on which the primary assets rely) of all types, for example:
— hardware;
— software;
— network;
— personnel;
— site;
— organization’s structure.
[SOURCE: ISO/IEC 27002:2022(en), 3.1.2]
3.10
asset life
period from asset creation to asset end-of-life
[SOURCE: ISO 55000:2014(en), 3.2.2]
3.11
assurance
grounds for justified confidence that a product, service or process meets specified requirements
[SOURCE: Adapted from ISO/IEC 15408-1:2022(en), 3.6 and ISO/IEC/IEEE 15026-1:2019(en), 3.1]
3.12
assurance information
information including a claim about a system, evidence supporting the claim, an argument showing how
the evidence supports the achievement of the claim, and the context for these items
[SOURCE: ISO/IEC/IEEE 15026-1:2019(en), 3.4]
3.13
assurance level
basis for confidence that an ICT product, ICT service or ICT process meets the security requirements of a
specific European cybersecurity certification scheme, indicates the level at which an ICT product, ICT
service or ICT process has been evaluated but as such does not measure the security of the ICT product,
ICT service or ICT process concerned
Note 1 to entry: The definition is identical to article 2.21 of the European Cybersecurity Act (Regulation (EU) 2019/881) (EUCSA). The EUCSA defines three assurance levels, ‘basic’, ‘substantial’ and ‘high’, and each scheme defines discrete evaluation levels, each one defining a degree of confidence in the fulfilment of the scheme’s objectives by the ICT product, ICT service, or ICT process; each evaluation level is mapped to one of the three assurance levels defined in the EUCSA.
3.14
attestation
issue of a statement, based on a decision, that fulfilment of specified requirements has been demonstrated
Note 1 to entry: The resulting statement is intended to convey the assurance that the specified requirements have
been fulfilled. Such an assurance does not, of itself, afford contractual or other legal guarantees.
Note 2 to entry: First-party attestation and third-party attestation are distinguished by the terms declaration,
certification, and accreditation, but there is no corresponding term applicable to second-party attestation.
[SOURCE: ISO/IEC 17000:2020(en), 7.3]
3.15
audit
process for obtaining relevant information about an object of conformity assessment and evaluating it
objectively to determine the extent to which specified requirements are fulfilled
Note 1 to entry: The specified requirements are defined prior to performing an audit so that the relevant information
can be obtained.
Note 2 to entry: Examples of objects for an audit are management systems, processes, products and services.
Note 3 to entry: For accreditation purposes, the audit process is called “assessment”.
[SOURCE: ISO/IEC 17000:2020(en), 6.4]
3.16
audit plan
description of the activities and arrangements for an audit
[SOURCE: ISO 19011:2018(en), 3.6]
3.17
audit programme
arrangements for a set of one or more audits planned for a specific time frame and directed towards a
specific purpose
[SOURCE: ISO 19011:2018(en), 3.4]
3.18
auditor
person who conducts an audit
Note 1 to entry: In the schemes and related documents, 'the auditor' is typically used as the subject of requirements related to audit, of the form "the auditor shall ...".
[SOURCE: ISO/IEC 17021-1:2015(en), 3.6]
3.19
authenticity
property that an entity is what it claims to be
[SOURCE: ISO/IEC 27000:2018(en), 3.6]
3.20
automated monitoring, monitor with automation
gathering and pre-processing of data to analyse some aspects of the activity being monitored at discrete
intervals at a sufficient frequency by non-human means
Note 1 to entry: Automated monitoring and monitor with automation have the same meaning in this document.
3.21
business continuity
capability of an organization to continue the delivery of products and services within acceptable time
frames at predefined capacity during a disruption
[SOURCE: ISO 22301:2019(en), 3.3]
3.22
business continuity plan
documented information that guides an organization to respond to a disruption and resume, recover and
restore the delivery of products and services consistent with its business continuity objectives
[SOURCE: ISO 22301:2019(en), 3.4]
3.23
business impact analysis
process of analysing the impact over time of a disruption on the organization
Note 1 to entry: The outcome is a statement and justification of business continuity requirements.
[SOURCE: ISO 22301:2019(en), 3.5]
3.24
capacity management
process for monitoring, analysis, reporting and improvement of capacity
[SOURCE: ISO/IEC TS 22237-7:2018(en), 3.1.2]
3.25
certification
third-party attestation related to an object of conformity assessment, with the exception of accreditation
[SOURCE: ISO/IEC 17000:2020(en), 7.6]
3.26
certification scheme
conformity assessment scheme that includes a certification activity
Note 1 to entry: In a certification scheme, a successful assessment leads to the issuance of a certificate.
3.27
certified cloud service
cloud service that has been awarded a currently valid certificate covering requirements defined in the
present document, and that still fulfils these requirements
Note 1 to entry: This is a restrictive definition in use solely in the EUCS scheme.
3.28
change management
process for recording, coordination, approval and monitoring of all changes
[SOURCE: ISO/IEC TS 22237-7:2018(en), 3.1.3]
3.29
characteristic
distinguishing feature
Note 1 to entry: A characteristic can be inherent or assigned.
Note 2 to entry: A characteristic can be qualitative or quantitative.
[SOURCE: ISO 9000:2015(en), 3.10.1]
3.30
claim
statement of something to be true including associated conditions and limitations
Note 1 to entry: The statement of a claim does not mean that the only possible intent or desire is to show it is true.
Sometimes claims are made for the purpose of evaluating whether they are true or false or undertaking an effort to
establish what is true.
Note 2 to entry: In its entirety, a claim conforming to ISO/IEC 15026-2 is an unambiguous declaration of an assertion
with any associated conditionality giving explicit details including limitations on values and uncertainty. It could be
about the future, present, or past.
[SOURCE: ISO/IEC 15026-1:2010(en), 2.4]
3.31
cloud capabilities type
classification of the functionality provided by a cloud service to the cloud service customer, based on
resources used
Note 1 to entry: The cloud capabilities types are application capabilities type, infrastructure capabilities type and
platform capabilities type.
[SOURCE: ISO/IEC 22123-1:2023(en), 3.5.1]
3.32
cloud computing
paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual
resources with self-service provisioning and administration on-demand
Note 1 to entry: Examples of resources include servers, operating systems, networks, software, applications, and
storage equipment.
Note 2 to entry: Self-service provisioning refers to the provisioning of resources provided to cloud services performed
by cloud service customers through automated means.
[SOURCE: ISO/IEC 22123-1:2023(en), 3.1.1]
3.33
cloud service
one or more capabilities offered via cloud computing invoked using a defined interface
[SOURCE: ISO/IEC 22123-1:2023(en), 3.1.2]
3.34
cloud service customer
CSC
party that is acting in a cloud service customer role
[SOURCE: ISO/IEC 22123-1:2023(en), 3.3.2]
3.35
cloud service customer data
class of data objects under the control, by legal or other reasons, of the cloud service customer that were
input to the cloud service, or resulted from exercising the capabilities of the cloud service by or on behalf
of the cloud service customer via the published interface of the cloud service
Note 1 to entry: An example of legal controls is copyright.
Note 2 to entry: It can be that the cloud service contains or operates on data that is not cloud service customer data;
this might be data made available by the cloud service providers, or obtained from another source, or it can be
publicly available data. However, any output data produced by the actions of the cloud service customer using the
capabilities of the cloud service on this data is likely to be cloud service customer data, following the general
principles of copyright, unless there are specific provisions in the cloud service agreement to the contrary.
[SOURCE: ISO/IEC 22123-1:2023(en), 3.9.1]
3.36
cloud service customer role
CSC role
set of activities for the purpose of using cloud services
[SOURCE: ISO/IEC 22123-1:2023(en), 3.3.14]
3.37
cloud service derived data
class of data objects, specific to the operation of the cloud service, under the control of the cloud service
provider
Note 1 to entry: Cloud service provider data includes but is not limited to resource configuration and utilization
information, cloud service specific virtual machine, storage and network resource allocations, overall data centre
configuration and utilization, physical and virtual resource failure rates, operational costs and so on.
[SOURCE: ISO/IEC 22123-1:2023(en), 3.9.2]
3.38
cloud service provider
CSP
party that is acting in a cloud service provider role
[SOURCE: ISO/IEC 22123-1:2023(en), 3.3.3]
3.39
cloud service provider data
class of data objects, specific to the operation of the cloud service, under the control of the cloud service
provider
Note 1 to entry: Cloud service provider data includes but is not limited to resource configuration and utilization
information, cloud service specific virtual machine, storage and network resource allocations, overall data centre
configuration and utilization, physical and virtual resource failure rates, operational costs and so on.
[SOURCE: ISO/IEC 22123-1:2023(en), 3.9.3]
3.40
cloud service provider role
CSP role
set of activities that make cloud services available
[SOURCE: ISO/IEC 22123-1:2023(en), 3.3.15]
3.41
cloud service user
CSU
natural person, or entity acting on their behalf, associated with a cloud service customer that uses cloud
services
Note 1 to entry: Examples of such entities include devices and applications.
[SOURCE: ISO/IEC 22123-1:2023(en), 3.3.4]
3.42
competence
ability to apply knowledge and skills to achieve intended results
[SOURCE: ISO/IEC 17021-1:2015(en), 3.7]
3.43
compliance
conformity in the context of the rules and requirements defined in a certification scheme that apply to the
provider of the certified product, service or process
Note 1 to entry: This is a refinement of ISO 19011, which defines compliance as conformity in the context of a statutory requirement or regulatory requirement. In this case, compliance is conformity in the context of a given scheme.
Note 2 to entry: The term is used to differentiate between compliance of a cloud service provider to the requirements
defined in the scheme and conformity of a cloud service to the requirements on controls defined in the scheme.
[SOURCE: Adapted from ISO 19011:2018(en), 3.7]
3.44
composition
reuse of the results of certification activities of a certified cloud service in the evaluation of a primary cloud
service using that certified cloud service as secondary cloud service
3.45
compromise
loss of confidentiality, integrity, or availability of information, including any resultant impairment of (1)
processing integrity or availability of systems or (2) the integrity or availability of system inputs or outputs
3.46
configuration management
management activity that applies technical and administrative direction over the life cycle of a product
and service, its configuration identification and status, and related product and service configuration
information
[SOURCE: ISO 10007:2017(en), Introduction]
3.47
conformity
fulfilment of a requirement
Note 1 to entry: When used in opposition to compliance, conformity relates to the requirements related to the object of conformity assessment rather than to the requirements related to the certification scheme.
[SOURCE: ISO 19011:2018(en), 3.20]
3.48
conformity assessment
demonstration that specified requirements are fulfilled
Note 1 to entry: The process of conformity assessment […] can have a negative outcome, i.e. demonstrating that the
specified requirements are not fulfilled.
Note 2 to entry: The subject field of conformity assessment includes selection activities, determination activities such
as testing, inspection and audit, review activities, and attestation activities such as certification, as well as the
accreditation of conformity assessment bodies.
Note 3 to entry: [ISO/IEC 17000] does not include a definition of “conformity”. “Conformity” does not feature in the
definition of “conformity assessment”. Nor does [ISO/IEC 17000] address the concept of compliance.
Note 4 to entry: The definition is similar to article 2.17 of the EUCSA that refers to “conformity assessment” as the
process demonstrating whether specified requirements relating to a product, process, service, system, person or body
have been fulfilled.
[SOURCE: ISO/IEC 17000:2020(en), 4.1, some modifications in notes]
3.49
conformity assessment body
body that performs conformity assessment activities, excluding accreditation
Note 1 to entry: The definition is similar to article 2.18 of the EUCSA that refers to “conformity assessment body” as a
body that performs conformity assessment activities including calibration, testing, certification and inspection.
[SOURCE: ISO/IEC 17000:2020(en), 4.6]
3.50
conformity assessment scheme
conformity assessment programme
set of rules and procedures that describes the objects of conformity assessment, identifies the specified
requirements and provides the methodology for performing conformity assessment
Note 1 to entry: A conformity assessment scheme can be managed within a conformity assessment system.
Note 2 to entry: A conformity assessment scheme can be operated at an international, regional, national, sub-national,
or industry sector level.
Note 3 to entry: A scheme can cover all or part of the conformity assessment functions.
[SOURCE: ISO/IEC 17000:2020(en), 4.9]
3.51
control
measure that maintains and/or modifies risk
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice or other conditions
and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8 / ISO/IEC 27002:2022(en), 3.1.8]
3.52
credential
representation of an identity
Note 1 to entry: A credential is typically made to facilitate data authentication of the identity information in the
identity it represents.
Note 2 to entry: The identity information represented by a credential can be printed on paper or stored within a
physical token that typically has been prepared in a manner to assert the information as valid.
EXAMPLE: A credential can be a username, a username with a password, a PIN, a smartcard, a token, a fingerprint, a
passport, etc.
[SOURCE: ISO/IEC 24760‑1:2011, 3.3.5]
3.53
criteria
rules on which a judgment or decision can be based, or by which a product, service, result, or process
(3.1.20) can be evaluated
[SOURCE: ISO/IEC/IEEE 15289:2019(en), 3.1.6]
3.54
cyber risk
risk caused by cyber threat
Note 1 to entry: Cyber risks include risks associated with the loss of confidentiality, integrity and availability of
information.
[SOURCE: ISO/IEC 27102:2019(en), 3.4 and note added for clarification]
3.55
cybersecurity
activities necessary to protect network and information systems, the users of such systems, and other
persons affected by cyber threats
Note 1 to entry: The definition is identical to article 2.1 of the EUCSA.
3.56
Cybersecurity Act, EUCSA
Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the
European Union Agency for Cybersecurity) and on information and communications technology
cybersecurity certification and repealing Regulation (EU) No 526/2013
3.57
cyber threat
potential circumstance, event or action that could damage, disrupt or otherwise adversely impact
network and information systems, the users of such systems and other persons
Note 1 to entry: The definition is identical to article 2.8 of the EUCSA.
3.58
data at rest
structure, or group of structures, dedicated to the centralized accommodation, interconnection and
operation of information technology and network telecommunications equipment providing data storage,
processing and transport services together with all the facilities and infrastructures for power distribution
and environmental control together with the necessary levels of resilience and security required to provide
the desired service availability
Note 1 to entry: A structure can consist of multiple buildings and/or spaces with specific functions to support the
primary function.
Note 2 to entry: The boundaries of the structure or space considered the data centre, which includes the information
and communication technology equipment and supporting environmental controls, can be defined within a larger
structure or building.
[SOURCE: ISO/IEC 30134-1:2016(en), 3.6]
3.59
data centre
location hosting CSP infrastructure or the equipment from which the cloud service operates
3.60
data in motion
data being transferred from one location to another
Note 1 to entry: These transfers typically involve interfaces that are accessible and do not include internal transfers
(i.e., never exposed to outside of an interface, chip, or device).
[SOURCE: ISO/IEC 27040:2015(en), 3.8]
3.61
de-identification process
process of removing the association between a set of identifying attributes and the data principal
[SOURCE: ISO/IEC 20889:2018(en), 3.6]
3.62
demilitarized zone
DMZ
perimeter network (also known as a screened sub-net) inserted as a “neutral zone” between networks
[SOURCE: ISO/IEC 27033-1:2015(en), 3.8]
3.63
development environment
environment in which changes to software are developed
Note 1 to entry: The environment may be local to an individual developer’s workstation or distributed, possibly based
on external services.
3.64
disruption
incident, whether anticipated or unanticipated, that causes an unplanned, negative deviation from the
expected delivery of products and services according to an organization’s objectives
[SOURCE: ISO 22301:2019(en), 3.10]
3.65
document
recorded information or material object, which can be treated as a unit
[SOURCE: ISO 5127:2001, 1.2.02]
3.66
effectiveness
extent to which planned activities are realized and planned results achieved
[SOURCE: ISO Supplement:3.6]
3.67
employee
person under contract with the CSP to whom human resource management controls apply
3.68
evaluation
combination of the selection and determination functions of conformity assessment activities
[SOURCE: ISO/IEC 17065:2012(en), 3.3]
3.69
evaluation level
combination of assurance components within an evaluation methodology that corresponds to an assurance
level and appropriate level of depth and rigour, corresponding to a category of security problems
Note 1 to entry: The definition is identical to article 52.8 of the EUCSA.
3.70
feature
abstract functional characteristic of a system of interest that end-users and other stakeholders can
understand
Note 1 to entry: In systems engineering, features are syntheses of the needs of stakeholders. These features will be
used, amongst others, to build the technical requirement baselines.
[SOURCE: ISO/IEC 26550:2015(en), 3.14]
3.71
functional component
functional building block needed to engage in an activity, backed by an implementation
[SOURCE: ISO/IEC 22123-1:2023(e
...