The EU Agency ENISA releases a new study on security certification schemes. The recently published EU Cybersecurity Strategy stated the need to develop industrial and technical resources for cybersecurity. Among the actions is to “create incentives to carry out appropriate risk management and adopt security standards and solutions, as well as possibly establish voluntary EU-wide certification schemes building on existing schemes in the EU and internationally”. Consequently, ENISA has produced this report on security certification.
Objectives
This study has two objectives. The first objective is to provide expertise from other certification areas to the reform of the European data protection legislation, as the proposed legislation identifies privacy certification as a means of implementing data protection requirements.
The second objective is to identify recommendations and steps to be followed for achieving the objectives of the EU Cybersecurity Strategy, namely the development of voluntary EU-wide certification schemes building on existing schemes in the EU. Given the broad range of existing certification schemes, this study collects experience from one of them and looks at Information Security Management Systems (ISMS) certification.
Survey
To collect the practical experience of private companies and public organisations with Information Security Management Systems certification, a survey was conducted in a set of Member States. The respondents represent more than 50% of the EU population and cover Austria, Belgium, France, Germany, Italy, the Netherlands, Poland, Spain, Sweden, Slovakia and the United Kingdom.
The survey provides information on existing accreditation bodies and schemes, as well as on certification bodies and schemes.
Some key findings of the survey:
- In certain Member States, national legislation requires information security certification in specific sectors, such as public healthcare.
- National authorities are encouraging the implementation of certification processes for ISMS (e.g. by introducing specific information security certification requirements for participation in public procurement).
- The large majority of companies that hold a security certificate consider it useful for their operations: the certification process ensures regular and systematic identification and evaluation of risks, and it also provides competitive advantages.
Some key recommendations of this study:
- There are limitations in the statistics on existing certification processes. We recommend that policy makers (i.e. the European Commission) or the responsible authorities (i.e. the national supervisory authorities for accreditation and certification) demand reliable statistics on certification. The bodies issuing certificates should keep up-to-date public records of the certificates they have issued, including the specific version of the products/systems certified and the validity of the certificates.
- Introducing, and possibly requiring, an additional certification related to privacy may be cumbersome, especially for SMEs. Under the lead of the European Commission, standardisation bodies and responsible stakeholders should work together to develop best practices and standards that combine the requirements for security and data protection, in order to avoid duplication of work between the two certification areas.
- There is well-established legislation regarding accreditation and certification in the Member States. When considering the introduction of certification for other purposes, such as privacy/data protection, the European Commission together with national policy makers should link such initiatives with the existing national accreditation structures.
- Companies should not be able to obtain certificates without actually having implemented the processes and controls described in the audited documents. National policy makers should ensure enforcement of such requirements for genuine compliance, for instance by applying sanctions and/or ad-hoc assessments carried out by third parties.
For the full report: Security certification practice in the EU - Information Security Management Systems - A case study