Security Standards and Certifications

From Dan Shearer CV
Revision as of 14:40, 30 November 2021 by Dan (talk | contribs)

I have been lead implementer of the main security and privacy standards several times each. These are not beautiful instruments, but properly used they improve security overall, and contrary to common opinion they do not have to be a giant pile of paperwork that slows everything down.

It is useful to see how Computer Science and Information Management Science apply to these standards, and how they meet the hard reality of industry practices and cultures.

The reason that ISO9001 is relevant to security practices is because it is a Management System that operates in the same way as ISO27001 and GDPR compliance management systems. Whether it is implemented in paper, a collection of Word documents or anything else, it is still a Management System according to Information Management Science. CompSci professionals need to be familiar with these sorts of systems because they are a repeating pattern found throughout the field of software quality and safety. Hopefully we can do better than a large collection of documents, but it is the process that matters.

The Big Standards

ISO27001/9001 and GDPR have a dreadful reputation in industry because one or more of the following points are overlooked:

  1. In the 21st century, realistically we must implement a Records Management System (RMS), ie, every document is tracked in a database through its lifecycle until deletion, and
  2. The social impact needs to be a top priority. An organisation's staff need to feel that they are in charge of the RMS, with personal responsibility for the parts most relevant to them, and that it is easy to use.
  3. Funding. As well as organisation-wide involvement with change authority delegated all the way down, there needs to be specific funding to support culture change. It will save much more in the long run.

Next the core matter of these standards needs to be addressed, which is about applying two more disciplines, Information Management and Cybersecurity:

  1. quality measurement (ISO9001), or security implementation (ISO27001), or privacy compliance (GDPR), all of which are both academic and applied topics, and
  2. Information Management to define the data and documents the RMS is to be managing. An early step is often to discover all the data the organisation is responsible for, which is usually a shock to the IT department.

A sound understanding of Open Source stacks really helps too, from sniffing out data repositories and potential security issues, to implementing RMS software and processes that are as lightweight as possible.

Cyber Essentials

In addition to these standards, the UK government responded to the EU Cybersecurity initiatives by setting up the National Cyber Security Centre (NCSC). The NCSC is effectively a subsidiary of GCHQ the UK's electronics spying organisation, and billions have been given to NCSC from various government budgets. It is NCSC who responded to the EU Network Information Security Directive with a standard assessment and framework, and then a few years later came up with the idea of the CyberSecurity certifications. A company called IASME has been given the UK-wide monopoly on issuing the CyberEssentials certifications, and I have asked NCSC if they will reconsider this decision.


IASME Certifications

CyberEssentials seems to be effective as intended to improve the UK's average security, but the positioning is confusing to say the least.

IASME Cyber Essentials - £300 Entry Level

Sold as Easy to do, and addresses 80% of external attacks. Also required by Government departments.

  • Self-assessed, with sanity checking by a contractor to IASME
  • Cyber Essentials Plus is an external review of the same thing, rather than self-assessed



graph LR i1((Cyber Essentials <br/> basic security product <br/> costs 300 pounds <br/> 77 questions and 5 controls)) -- 100% compliant with --> u1[NCSC Requirements for Infrastructure Document] i1 -- 10% compliant with --> s2[the 114 Controls in ISO27001/27002] i1 -- does not breach, and 50% coverage of --> u2[UK Data Protection Act 2018] -- which fully implements --> s3[EU GDPR] classDef green fill:#9f6,stroke:#333,stroke-width:2px; classDef orange fill:#f96,stroke:#333,stroke-width:4px; classDef blue fill:#99f,stroke:#333,stroke-width:2px; class s1,s2,s3 green class u1,u2,u3 blue class i1 orange

Diagram source code here: IASME Cyber Essentials


IASME Governance - £400 Top Level

Sold as an excellent alternative to ISO 27001 for small and medium sized organisations.

  • Certification includes Cyber Essentials for free
  • Includes all of the 5 Cyber Essentials technical topics, and adds topics related to people and processes from other standards as per diagram
  • Will take a lot longer and cost the company a lot more effort than Cyber Essentials
  • The assessed version involves a site visit, but covers the same questions


graph LR i1((IASME Governance <br/> premium product <br/>Costs 400 pounds <br/> has 160 questions, 8 controls)) -- 20% compliant with --> s1[the 114 controls in ISO27001/27002]; i1 -- 85% compliant with --> u1[UK NCSC Cyber Assessment Framework] -- which fully implements --> s2[EU NIS - Network Information Security] i1 -- 99% compliant with --> u3[UK ICO Accountability Framework] -- one of seven key parts of --> s3[EU GDPR] i1 -- does not breach, and 60% coverage of --> u2[UK Data Protection Act 2018] -- which fully implements --> s3[EU GDPR] classDef green fill:#9f6,stroke:#333,stroke-width:2px; classDef orange fill:#f96,stroke:#333,stroke-width:4px; classDef blue fill:#99f,stroke:#333,stroke-width:2px; class s1,s2,s3 green class u1,u2,u3 blue class i1 orange

Diagram source code here: IASME Governance