Separation of Duties: Evaluation vs Consulting (B22b)
ISO 17025 mandates impartiality for conformity assessment bodies, and the Cybersecurity Act (CSA) explicitly emphasizes the prohibition of partiality, particularly concerning consultancy services. Yet today the majority, if not all, of Information Technology Security Evaluation Facilities (ITSEFs) provide some form of consultancy services to their clients. This apparent incongruity raises the question of which adaptations ITSEFs must undertake under the European Cybersecurity Certification (EUCC) framework. It also prompts a closer examination of the repercussions that may affect developers, especially those with limited prior exposure to European (EU) cybersecurity certification processes.