Unexpected Side Effect of the CSA—How CABs Could Demonstrate Their Competency in Information Security Area? ITSEF Use Case (U11c)
In 2020, the first European cybersecurity certification scheme was published under the name EUCC. In general, it is intended to be a successor of the SOG-IS MRA, i.e. the agreement that gathers the European national schemes issuing certificates according to CC/CEM and sets out the conditions under which those certificates are mutually recognized. However, the CSA stipulates different conditions than the SOG-IS MRA for confirming the technical competencies of the CABs that perform evaluations (ITSEFs). In particular, there is no longer a licensing procedure conducted by the CB towards its ITSEFs. Instead, the accreditation performed by National Accreditation Bodies (NABs) is intended to cover all requirements regarding ITSEFs. The issue is that NABs cannot perform any accreditation activities that fall within the certification area of other CABs performing certifications of management systems (conflict of interest). This applies to information security management. This presentation shows how to resolve this issue and how to introduce an integrated management system for the ITSEF that is effective and efficient and allows all requirements stipulated by the CSA to be met. Additionally, it provides confidence that the level of security offered by the ITSEF meets the expectations of customers seeking evaluations of their products at a higher level of assurance.