Establishing Accredited Cybersecurity Test Certification Programs, Part 1
08 Dec 2020
Program Support for ITS Products/Systems
Developing an accredited cybersecurity test-certification program requires a top-down approach: first defining the needs, operational concepts, objectives and requirements, and then establishing the accredited security test labs and the certification authority that take part in programs/schemes for testing and certifying information technology security (ITS) products/systems.
First, it is important to understand the terms related to the process.
- "Accreditation" refers to an organization (security test lab, certification body, etc.) being accredited by an authority to perform testing and certification of products in accordance with approved test methods.
- "Certification" refers to the due process of testing and certification that a product performs as specified in accordance with a product security requirement standard. A certified product is granted a product certification and associated product certification report.
- A "conformity assessment body (CAB)" refers to either an accredited security test lab or a certification body (CB). When both a test lab and a CB are implemented, this defines a test-certification scheme in which the CB is the governing authority for the scheme. Accreditation bodies are themselves regulated by an authority/cooperation such as the International Laboratory Accreditation Cooperation (ILAC).
Test-certification programs involve testing and certifying ITS products within accredited security labs for specific categories of products, including:
- Information and Communications Technology (ICT)
- Industrial Control Systems (ICS)/Operational Technology (OT)
- Information Technology Security (ITS) systems
- Internet of Things (IoT) solutions
Test Certification & Accreditation Program Support (TCAPS) Process
There are several key entities working together in an accredited test-certification program, all of which need to abide by specific ISO standards. These include:
- Security test labs, which are accredited to ISO 17025 with a scope of accreditation defined by the lab's test methods. A scope of accreditation can be extended by adding other test methods.
- Certification bodies (CBs), which are accredited to ISO 17065 and approve/license security test labs.
- The accreditation body/authority, which is accredited to ISO 17011 and accredits both security test labs and CBs. As previously stated, accreditation bodies are regulated by an authority/cooperation such as the ILAC.
Relationship of Stakeholders in Accreditation/Certification
The following figure illustrates the relationships between the regulator, the accreditation body/authority, the certification body and the security test lab. The figure also shows the ISO standard governing each of these stakeholders/entities involved in accreditation/certification.
Fundamental Principles for an Accredited Test-Certification Program
There are several fundamentals for an accredited program:
- Vendors maintain certification of products/systems over their life cycle
- Security test lab and CB maintain conformance to all accreditation requirements for their defined scopes and conditions of accreditation
- Security test lab and CB validate that they are doing things right through periodic internal audits
- Security test lab and CB verify that they are doing the right things through periodic management reviews
Accreditation Process/Steps
The eight layers of documentation and activity shown in the following diagram illustrate the accreditation process leading to the initial accreditation of an ITS security test lab and/or CB. The TCAPS service includes preparation of all the documentation for every activity that must take place before a security test lab and/or CB is initially accredited.
All these factors should come together in a testing process, which we will go over in more detail in the second part of this two-part feature on TCAPS. Learn more about Intertek's cybersecurity solutions, including TCAPS services.
Mark Gauvreau,
Deputy Project Manager
Mark has been with Intertek EWA-Canada for more than 30 years. Mark is EWA-Canada's Deputy Project Manager for current Test Certification & Accreditation Program Support (TCAPS). He has worked in, and was a manager in, the Common Criteria space.