Risk Treatment: 4 Responses & Common Criteria

July 3, 2021 · June 28, 2021 · by admin

Before ISO/IEC 27005:2018 (Information technology — Security techniques — Information security risk management), the four typical responses to risk, i.e. the risk treatment options, were avoid, mitigate, transfer, and accept. ISO/IEC 27005:2018 renames these options modification, retention, avoidance, and sharing.

  1. Modification: A course of action that implements controls, which may be technical, environmental, or cultural
  2. Retention: Retaining the risk without taking further action
  3. Avoidance: The activity or condition that gives rise to the risk is avoided
  4. Sharing: The risk is shared with another party (e.g., through a contract, a sub-contract, or some form of insurance)

Certification and Accreditation

The implementation guidance for ISO/IEC 27005:2018 encourages, where possible, blending risk treatment options depending on the overall risk treatment plan and the impact of the combined risks. If an organization's risk treatment leads it to select Modification, it may choose to apply a control. That control must be technically appropriate and should have management's final approval.

Certification is the technical evaluation or assessment of security compliance of the information system within its operational environment.

The accreditation (or authorization) process reviews the certification information and grants the official authorization to place the information system into operational use.

System/Subsystem Product Certifications

The Common Criteria is an international set of guidelines and specifications (ISO/IEC 15408) developed for evaluating information security products to ensure they meet an agreed-upon security standard for government entities and agencies. Until 2005, this standard was known as The Trusted Computer System Evaluation Criteria.

The Common Criteria has four key components:

  1. Protection profiles (PP): A protection profile defines a standard set of security requirements for a specific type of product, such as a firewall, IDS, or unified threat management (UTM)
  2. Target of evaluation (ToE): The vendor product that is examined against a specific protection profile by a third-party evaluation lab using the common evaluation methodology (CEM)
  3. Security target (ST): An overview, provided by the vendor, of the product and product’s security features, an evaluation of potential security threats, and the vendor’s self-assessment detailing how the product conforms to the relevant protection profile
  4. Evaluation assurance levels (EALs): This defines how thoroughly the product is tested

Evaluation assurance levels are rated using a sliding scale from one to seven, with one being the lowest-level evaluation and seven being the highest. The higher the level of evaluation, the more quality assurance (QA) tests it has undergone.

NOTE: This does not necessarily mean more secure!

  1. EAL1: Functionally tested
  2. EAL2: Structurally tested
  3. EAL3: Methodically tested and checked
  4. EAL4: Methodically designed, tested, and reviewed
  5. EAL5: Semi-formally designed and tested
  6. EAL6: Semi-formally verified design and tested
  7. EAL7: Formally verified design and tested

Criteria Evaluation Process

The goal of Common Criteria certification is to assure customers that the products they are buying have been evaluated and that a vendor-neutral third party has verified the vendor’s claims.

To submit a product for evaluation:

  • The vendor must first complete a security target (ST) description, which includes an overview of the product and product’s security features, an evaluation of potential security threats, and the vendor’s self-assessment detailing how the product conforms to the relevant protection profile at the evaluation assurance level the vendor chooses to test against.
  • The laboratory (which must comply with ISO/IEC 17025) then tests the product to verify the product’s security features and evaluates how well it meets the specifications defined in the protection profile.
  • The results of a successful evaluation form the basis for an official certification of the product.

Note that Common Criteria certifies the product only; it does not cover administrative or business processes. The drawbacks of Common Criteria are that testing a product may take more than a year, the process is very expensive, and the vendor may have changed the product since it was submitted for testing, so the certified version may no longer be the one shipping.
