ISO27001 and CPA certification – Apples and Bananas
Comparing ISO27001 and CPA is like comparing apples with bananas. They are both recognised industry standards associated with cybersecurity in much the same way that apples and bananas are both fruit, but they are designed to do different things. In a nutshell, CPA certifies an individual product and ISO27001 certifies a whole company covering all of its processes and procedures around information security, and the way that it develops its products.
At Armour we are well qualified to talk about both ISO27001 and CPA as we have achieved both. Here is an explanation of each, with plus and minus points for both.
What is CPA
Commercial Product Assurance (CPA) was a scheme introduced in 2014 by CESG, the UK’s National Technical Authority for Information Assurance which is now part of the National Cyber Security Centre (NCSC). It was launched to coincide with the replacement of the Government Protective Marking Scheme (GPMS) by the Government Security Classifications Policy (GSCP) where data is categorised into just three levels of classification for UK information assets, OFFICIAL, SECRET and TOP SECRET (<uhttps://www.gov.uk/government/publications/government-security-classifications). The three classifications didn’t give quite enough granularity so a ‘handling caveat’ of OFFICIAL-SENSITIVE was also introduced for the subset of OFFICIAL information that required additional protection (https://www.gov.uk/guidance/official-sensitive-data-and-it).
For the CPA scheme, the NCSC sets a series of standards which independent test laboratories use to assess products for their suitability to handle OFFICIAL data. (Formally, SECRET use required High Grade products assessed using the even more costly CAPS process https://www.ncsc.gov.uk/information/products-cesg-assisted-products-service). The CPA standards are published so that both the companies and potential purchasers of the products can see the requirements against which testing has been performed.
In other words, CPA certification confirms that the product does what the vendor says it does, giving a level of assurance for purchasing organisations, that they know what they are buying, and that it does what they think it does. The more experienced (cynical) among you will know that this is not always a forgone conclusion in the world of software.
What is ISO27001
ISO27001 is an international standard specific to Information Security Management, originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013 and again for European markets in 2017. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organisations make the information assets they hold more secure. Organisations that meet the standards are audited by an independent body and certified as such.
ISO/IEC 27001 requires that management:
- Initiates processes that examine the organisation’s information security assets, and assesses risks, threats, vulnerabilities and the associated possible impacts
- Implements a series of integrated and comprehensive controls and risk management strategies that address risks to information security assets
- Undertakes a program of continuous assessment and improvement to ensure that information security controls evolve to meet current and ongoing requirements
Comparing ISO 27001 and CPA
The main limitation of the CPA scheme is that it is product based, so only ever relates to an individual product. If that product is updated, for example, to introduce new features and benefits, or simply to run on a newer version of hardware, it needs to be re-assessed (and CPA also requires a full re-certification every 2 years). This is costly and time-consuming. It makes it difficult for vendors to keep pace with the rapid pace of technology (particularly in the mobile space) and reduces the choice for purchasers.
ISO27001 is not product specific, therefore does not provide the very specific assurance offered by CPA certification. However, it does provide a more holistic approach to information security and ensures that organisations are managing the processes within their declared scope. For Armour, this means the entirety of our product development, delivery and support operations as well as all supporting aspects of the company (finance, HR, etc.) follow security best practices. (The scope is important – some suppliers only certify a subset of their processes/operations.) This provides purchasers with broad confidence that products and services delivered by ISO 27001-certified organisations should be secure and – just as importantly – that they will be updated over time to mitigate new security concerns.
Both CPA and ISO27001 are expensive and time consuming for the vendor, however they do demonstrate a certain commitment to providing quality products that comply with recognised industry standards.
And why is all of this important?
NCSC is discontinuing the CPA scheme for all products with the exception of smart meters. At the moment there is no replacement scheme, causing a dilemma for security conscious organisations that would normally opt for a CPA certified solution. How can they be assured that any new solutions they use to handle classified data are suitable and up to the job?
This is where we believe ISO27001 is becoming increasingly important. ISO27001 covers much more than simply IT, and certainly more than a single product, making it significantly different to CPA, but in many ways, we believe better. In essence, with ISO27001, the processes and controls within the company or organisation are assessed and certified, meaning that any and all products developed will have been done so using tried and tested means. This enables a more flexible approach for the vendor and purchaser alike. Under ISO27001 it is much easier for products to be updated to keep pace with rapidly changing technology and security threat landscape.
In the meantime we continue to work closely with NCSC with the aim of supporting whatever assurance scheme they implement to supersede CPA.
To hear our CTO Andy Lilly further discuss the differences between CPA and ISO27001 listen to our podcast here: <uhttps://www.youtube.com/watch?v=4v9aojG3EeQ&feature=youtu.be
If you or your security accreditors have any questions please get in touch. sale@armourcomms.com