Responsibility for the assessment of cybersecurity auditors in Slovakia was recently taken over by a brand-new Conformity Assessment Body, the Cyber Security Competence and Certification Centre. Along with it, a completely new certification scheme has been introduced. The certification scheme is based on accreditation according to ISO/IEC 17024 (Conformity assessment – General requirements for bodies operating certification of persons).
The Centre was founded at the beginning of the year as a contributory organization of the National Security Authority, following a proposal for a regulation of the European Parliament and of the Council that would establish the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres. The Slovak National Accreditation Service decided on its accreditation for the certification of auditors this week.
The need for the establishment of such a body stems from Decree of the National Security Authority No. 436/2019 Coll. on Cybersecurity Audit and the Auditors' Knowledge Standard, which implements Act No. 69/2018 Coll. on Cybersecurity and on Amendment and Supplementing of Certain Acts (the Cybersecurity Act). Cybersecurity Act No. 69/2018 Coll. is the national transposition of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. On that basis, the Cyber Security Competence and Certification Centre is to ensure that the auditors who evaluate the security measures of operators of essential services themselves meet the formal requirements for this work, mainly in terms of expertise, objectivity, and impartiality.
All operators of essential services are obliged to verify the effectiveness of the security measures they have adopted, and their compliance with the requirements of the Slovak Cybersecurity Act, by performing an audit every two years and after each change having a significant impact on the security measures.
The Certification Centre plans to launch the certification of the first auditors in the coming weeks. A number of applicants have already applied to the Centre. In order to obtain a certificate, each of them will have to pass a certification exam verifying their knowledge of generally binding legal regulations, technical standards, and security measures. The certificate is valid for three years.
However, according to its CEO Ivan Makatura, the Centre will not limit itself to the certification of individuals: “The current accreditation is about the certification of people based on ISO/IEC 17024. ENISA, according to the recently adopted EU Cybersecurity Act, is working on the European framework for specific certification schemes for ICT products, services, and processes, hence ISO/IEC 17065. So, we certainly plan to prepare for accreditation under the future scheme as soon as it is effective.”
Clearly, assessing the security of technological components will require special resources, including a technical laboratory and highly educated staff with specific skills.
In summary, a certification scheme has been developed that can be reused by other member states. Any certification body interested in this scheme can adopt the framework with only small changes, made with the intention of aligning it with local cybersecurity legislation.