The Inner Circle

Hi All,

Attached is the present version of the European Union Cybersecurity Certification Scheme for Cloud Services (EUCS), which is a
draft version, to be used as the basis for an External Review. Find the link to the review at the end of this post.

The objective of this review is to validate the principles and general organization of the proposed scheme and to
gather feedback on the proposed wording of the sections and annexes.

The candidate EUCS scheme (European Cybersecurity Certification Scheme for Cloud Services), looks into the
certification of the cybersecurity of cloud services. The scheme draws from many different sources, the first one being
the report of the CSP-CERT Working Group, which was delivered in 2019 and provided a basic framework on which
the candidate scheme has been developed.

EUCS supports the three assurance levels in the EUCSA: 'basic', 'substantial' and 'high'. The security requirements on
cloud services and on their assessment increase with levels in several dimensions: scope, rigour and depth. The
requirements at level 'high' are demanding and close to the state-of-the-art, whereas the requirements at level 'basic'
define a minimum acceptable baseline for cloud cybersecurity. That baseline is nevertheless comprehensive, as it
covers all major aspects of cloud security. Cloud service providers of any size can use it to demonstrate that they have
set up a framework for guaranteeing some security of their customers. The 'substantial' level, in between, will serve to
protect business, and may be the level of choice for many applicants and their users.

The terminology is not final only defines essential words, and it is complemented by the terminology defined in
Annex I: (Terminology).

The instructions for completing the external review can be found via the link below:

Draft Cybersecurity Certification Scheme for Cloud Services - EUCS - Public Consultation - https://ec.europa.eu/eusurvey/runner/Public_Consultation_EUCS

------------------------------
Michael Roza CPA, CISA, CIA, MBA, Exec MBA
------------------------------

Thanks Michael! Chunky document - but will try to review.

Happy end of year for you.

------------------------------
Saan Vandendriessche CCSP | CISSP | CRISC
Brussels - Belgium
------------------------------

Original Message:
Sent: Dec 27, 2020 04:10:26 AM
From: Michael Roza
Subject: ENISA - EUCS – CLOUD SERVICES SCHEME - Draft For External Peer Review

Hi All,

Attached is the present version of the European Union Cybersecurity Certification Scheme for Cloud Services (EUCS), which is a
draft version, to be used as the basis for an External Review. Find the link to the review at the end of this post.

The objective of this review is to validate the principles and general organization of the proposed scheme and to
gather feedback on the proposed wording of the sections and annexes.

The candidate EUCS scheme (European Cybersecurity Certification Scheme for Cloud Services), looks into the
certification of the cybersecurity of cloud services. The scheme draws from many different sources, the first one being
the report of the CSP-CERT Working Group, which was delivered in 2019 and provided a basic framework on which
the candidate scheme has been developed.

EUCS supports the three assurance levels in the EUCSA: 'basic', 'substantial' and 'high'. The security requirements on
cloud services and on their assessment increase with levels in several dimensions: scope, rigour and depth. The
requirements at level 'high' are demanding and close to the state-of-the-art, whereas the requirements at level 'basic'
define a minimum acceptable baseline for cloud cybersecurity. That baseline is nevertheless comprehensive, as it
covers all major aspects of cloud security. Cloud service providers of any size can use it to demonstrate that they have
set up a framework for guaranteeing some security of their customers. The 'substantial' level, in between, will serve to
protect business, and may be the level of choice for many applicants and their users.

The terminology is not final only defines essential words, and it is complemented by the terminology defined in
Annex I: (Terminology).

The instructions for completing the external review can be found via the link below:

Draft Cybersecurity Certification Scheme for Cloud Services - EUCS - Public Consultation - https://ec.europa.eu/eusurvey/runner/Public_Consultation_EUCS

------------------------------
Michael Roza CPA, CISA, CIA, MBA, Exec MBA
------------------------------