4.2.5 Processes
Participants and core components within the IDS ecosystem shall fulfill common requirements to ensure the security of data being processed in the IDS. Therefore, the certification of operational environments (as explained in Section 4.2.3) and core components (as explained in Section 4.2.4) is mandatory. Involved partners are the Applicant, Evaluation Facility and the Certification Body which were introduced in Section 4.2.2.
Approval of Evaluation Facilities
In order to ensure the high quality and transparency of the IDS certification process all Evaluation Facilites need to be approved by the impartial Certification Body first.
The approval process is structured in the same way for both types of future Evaluation Facilities (operational environment and components) and includes the following phases:
Preparatory Phase
Audit Phase
Approval Phase
These phases will be described in the following sections.
1. Preparatory Phase
This phase serves to collect all important documents and information needed for a smooth approval process, but also to discuss the process flow. This phase also offers the opportunity to clarify any questions related to the process within an (optional) inquiry meeting. It begins with the completion of an application form and the signing of a contract between the potential Evaluation Facility and the IDS Certification Body.
2. Audit Phase
Each Evaluation Facility is audited in order to ensure that it will conduct evaluations in adherence with the IDS certification scheme. The audit has the aim to check that the requirements for a proper IDS certification are implemented and effective. It consists of collecting evidence in form of documentation and interviews with employees in four different assessments:
Quality Management System
Security Management System
Competence of the Evaluators
Testing equipment and its usage (only relevant for Component Certification)
Based on the audit the Certification Body prepares a report including the deviations and potential improvements which will be communicated in a final discussion. Deviations related to the Management System which could affect its effectiveness must be corrected before closing the audit phase within a two-month period at most, with exceptions for critical deviations. If necessary, the correction of the deviations can be verified by an additional audit.
3. Approval Phase
On the basis of the audit report, the Certification Body decides on the approval of the applying Evaluation Facility. The decision is made in an objective and comprehensible manner, i.e. exclusively on the basis of the documented criteria. In case of a positive decision, the Certification Body issues an approval statement. The approval is valid for a limited time period of two years. If a negative approval decision is made, the applying Evaluation Facility is informed of the reasons for the rejection before the application is formally rejected.
For quality assurance of the certification process, the approval regularly needs to be renewed. In addition, it is possible to restrict, suspend or withdraw approval in case of major compliance issues.
The full approval scheme can be found here
Certification Process for Operational Environments and Core Components
The certification follows the same process for all certification profiles in Operational Environment and Component Certification. It consists of the following three phases:
Application Phase: The main goal of this stage is the successful start of the IDS evaluation and certification process.
Evaluation Phase: The main goal of this stage is the evaluation of an applicant or core component based on the defined evaluation criteria.
Certification Phase: The main goal of this stage is the examination of the evaluation report by the certification body, which issues a certificate if the result of the evaluation process is positive.
However, the details for each phase differ slightly between the Assurance Levels as described below and illustrated in the figures. For Assurance Level 1, the Applicant must apply directly to the Certification Body to trigger the start of the certification process. Once the Certification Body accepts the application, the Applicant is responsible for the Evaluation Phase by conducting a self-assessment and providing the results to the Certification Body. In the Certification Phase, the Certification Body reviews the self-assessment and issues the certificate, if the self-assessment meets the defined requirements.
Figure 4.2.5.1: Certification Process for Assurance Level 1
Assurance Level 2 and 3 require an independent Evaluation Facility to conduct the evaluation of the component or operational environment. The Applicant must contract an Evaluation Facility which was approved as described in the first section of this chapter. Together, Applicant and Evaluation Facility finalize the application for certification with the Certification Body. Afterwards, the Evaluation Facility is responsible for carrying out the evaluation according to the IDS certification schema. The Evaluation Facility documents their progress and findings in an evaluation report which is passed on to the Certification Body at the end of the Evaluation Phase. In the Certification Phase, the Certification Body examines the evaluation report and issues a certificate, if the evaluation was conducted properly and led to a positive evaluation result.
Figure 4.2.5.2: Certification Process for Assurance Level 2 and 3
After a successfully completed evaluation process, the Certification Body awards an International Data Spaces certificate to the Applicant. This certificate has a limited validity period. If changes become necessary during this period, a Change Certification Process can be followed to get the proposed changes evaluated with reduced effort. The validity of the certification can be renewed after a re-assessment of the component or operational environment with regards to changes in the IDS certification schema and current state-of-the-art solutions. More details on those processes are provided in the Certification Scheme and the IDSA Rule Book.
Last updated