‘Thumbs up’ for future development of European security certifications: ENISA issues six recommendations.
The European Network and Information Security Agency (ENISA)’s report gives an overview of information security certifications of products, people and processes. It addresses common concepts, definitions and certifications of different types, and clarifies the mandatory and legal background for some certifications. It also explores the analogies and disparities between a number of existing certification schemes. Finally, it analyses current trends in certification and offers six recommendations to improve network and information security in Europe through a wider use of security certification.
Some of the key ENISA recommendations in the report include, in brief:
- Generally speaking, organisations should verify their information security management systems, choose certified security products and encourage security employees to choose appropriate personal information security certifications.
- For processes, the development of the complementary standards of the 27000 family for public and private organisations should be encouraged, e.g. an ISO 27001 ‘light’ for SMEs.
- As concerns products, the EU should extend the intergovernmental Mutual Recognition Agreement on Common Criteria to all Member States, as a tool for a more secure e-Communication market. EU Framework Programme 7 should sponsor research to analyse the economics of the certification of products.
- About people, the EU should strengthen accreditation schemes related to people certification in IT security and encourage the development of people certification adapted to different profiles, from the end-user level (Computer Driving Licence) to the most professional one (e.g. IT security officer). The EU should also reinforce bridges between education (schools and universities) and the certification process (private training and certificate providers).
For full recommendations, please refer to the full report.
The Executive Director of ENISA and the Head of the Technical Department, Dr Alain Esterle, comment:
"ENISA's report is setting the right course for an improved market of IT security certifications, which are crucial for products, people and processes."
Why is studying certifications important?
Accreditation and certification schemes are a major vector for strengthening users’ confidence in network and information security and for improving business and competitiveness in Europe. In that sense, certification prolongs and complements standardisation. It provides guidance and may be used as a marketing tool.