Establishing Accredited Cybersecurity Test Certification Programs, Part 1
Program Support for ITS Products/Systems
08 December 2020
Developing an accredited test-certification cybersecurity program requires a top-down approach in defining needs, operational concepts, objectives and requirements for the establishment of accredited security test labs and certification authority involved in programs/schemes for testing and certifying information technology security (ITS) products/systems.
First, it is important to understand the terms related to the process.
- "Accreditation" refers to an organization (security test lab, certification body, etc.) being accredited by an authority to perform testing and certification of products in accordance with approved test methods.
- "Certification" refers to the due process of testing and certification that a product performs as specified in accordance with a product security requirement standard. A certified product is granted a product certification and associated product certification report.
- A "conformity assessment body (CAB)" refers to either an accredited security test lab or certification body (CB). When both a test lab and CB are implemented, this defines a test-certification scheme where the CB is the governing authority for the scheme. Accreditation Bodies are regulated by an authority/cooperation such as the International Laboratory Accreditation Cooperation (ILAC).
Test-certification programs involve testing and certifying ITS products within accredited security labs for specific categories of products, including:
- Information and Communications Technology (ICT)
- Industrial Control Systems (ICS) /Operational Technology (OT)
- Information Technology Security (ITS) systems
- Internet of Things (IOT) solutions
Test Certification & Accreditation Program Support (TCAPS) Process
There are several key entities working together in an accredited test-certification program, all of which need to abide by specific ISO standards. These include:
- Security test labs, which are accredited to ISO 17025 with a scope of accreditation defined by the lab's test methods. Scopes of accreditation can be increased by the addition of other test methods.
- CB accredited to ISO 17065, approves/licenses security test labs.
- Accreditation body/authority, accredited to ISO 17011, who accredits security test labs and CBs. As previously stated, accreditation bodies are regulated by an authority/cooperation such as the ILAC.
Relationship of Stakeholders in Accreditation/Certification
The following figure illustrates the relationships of regulator, accreditation body/authority, certification body and security test lab. The figure also shows the governing ISO standards for these stakeholders/entities involved with accreditation/certification.
Fundamental Principles for an Accredited Test-Certification Program
There are several fundamentals for an accredited program:
- Vendors maintain certification of products/systems over their life cycle
- Security test lab and CB maintain conformance to all accreditation requirements for their defined scopes and conditions of accreditation
- Security test lab and CB validate that they are doing things right through periodic internal audits
- Security test lab and CB verify that they are doing the right things through periodic management reviews
The eight layers of documentation and activity shown in the following diagram illustrate the accreditation process leading to an initial accreditation of the ITS security test lab and/or CB. TCAPS service includes preparation of all the documentation for all the activities that must take place leading to an initial accreditation of a security test lab and/or CB.
All these factors should come together in a testing process, which we will go over in more detail in the second part of this two-part feature on TCAPS. Learn more about Intertek's cybersecurity solutions, including TCAPS services.