An organization approached us (NAB) with a request for accreditation, and we are not sure whether ISO/IEC 17025 or rather ISO/IEC 17020 would be the better option. The organization deals in performing cyber-attack simulations on an existing or experimental OT (a challenge test of sorts). In your opinion, are these activities compatible with accreditation, and if so, to which standard?
This question was discussed in the TN Electrical and IT and then forwarded to the TMB.
The TMB Resolution 2022 (09) 01, Cybersecurity Act – EUCC candidate scheme and the role of ITSEFs, applies:
“The best suitable standard for the accreditation of bodies performing evaluation/on-site audits and surveillance as described in the EUCC scheme would be ISO/IEC 17065. But considering that these activities have been performed for many years by ITSEFs (laboratories) and that this has been accepted in Mutual Recognition Arrangements (CCRA and SOGIS-MRA) and by all parties involved, the TMB accepts the application of these activities under ISO/IEC 17025. But ENISA is asked to transition those activities which do not fit under ISO/IEC 17025 to certification bodies, which shall be accredited according to ISO/IEC 17065. The recommended transition period is 5 years.”