In a nutshell, CPA certifies an individual product and ISO27001 certifies a whole company covering all of its processes and procedures around information security, and the way that it develops its products.
What is CPA
Commercial Product Assurance (CPA) was a scheme originally introduced by CESG, the UK’s National Technical Authority for Information Assurance which is now part of the National Cyber Security Centre (NCSC), in April 2014 to replace its previous Government Protective Marking Scheme (GPMS). It was launched to coincide with the introduction of a new system where data is categorised into just three levels of classification for UK information assets, OFFICIAL, SECRET and TOP SECRET (https://www.gov.uk/government/publications/government-security-classifications). The three classifications didn’t give quite enough granularity so OFFICIAL-SENSITIVE was introduced a bit later. OFFICIAL-SENSITIVE is not a classification, but a ‘handling caveat’ for a small subset of information marked as OFFICIAL (https://www.gov.uk/guidance/official-sensitive-data-and-it).
For the CPA scheme, the NCSC sets a series of standards which independent test laboratories use to assess products for their suitability to handle OFFICIAL data (just to note that formally, SECRET use required High Grade products assessed using the even more costly CAPS process https://www.ncsc.gov.uk/information/products-cesg-assisted-products-service). These standards are published so that both the companies and potential purchasers of the products can see the standards against which testing has been performed.
In other words, CPA certification confirms that the product does what the vendor says it does, giving a level of assurance for purchasing organisations, that they know what they are buying, and that it does what they think it does. The more cynical (experienced) among you will know that this is not always a forgone conclusion in the world of software.
What is ISO27001
ISO27001 is an international standard specific to Information Security Management, originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013 and again for European markets in 2017. It details requirements for establishing, implementing, maintaining and continually improving an information security management system – the aim of which is to help organisations make the information assets they hold more secure. Organisations that meet the standards are audited by an independent body and certified as such.
ISO/IEC 27001 requires that management:
- Initiates processes that examine the organisation’s information security assets, and assesses risks, threats, vulnerabilities and the associated possible impacts
- Implements a series of integrated and comprehensive controls and risk management strategies that address risks to information security assets
- Undertakes a program of continuous assessment and improvement to ensure that information security controls evolve to meet current and ongoing requirements
What are the downsides?
The main limitation of the CPA scheme is that it is product based, so only ever relates to an individual product. If that product is updated, for example, to introduce new features and benefits, or simply to run on a newer version of hardware, it needs to be re-assessed (and CPA also requires a full re-certification every 2 years). This is costly and time-consuming. It makes it difficult for vendors to keep pace with the rapid pace of technology (particularly in the mobile space) and reduces the choice for purchasers.
ISO27001 is not product specific, therefore does not provide the very specific assurance offered by CPA certification. However, it does provide a more holistic approach to information security and ensures that organisations are managing the processes within their product development operations consistent with security best practice. This provides purchasers with broad confidence that products and services delivered by ISO 27001-certified organisations should be secure and – just as importantly – that they will be updated over time to mitigate new security concerns.
On a more positive note, while both CPA and ISO27001 are expensive and time consuming for the vendor, they do demonstrate a certain commitment to providing quality products that comply with recognised industry standards.
And why is all of this important?
NCSC is discontinuing the CPA scheme for all products with the exception of smart meters. At the moment there is no replacement scheme, causing a dilemma for security conscious organisations that would normally opt for a CPA certified solution. How can they be assured that any new solutions they use to handle classified data are suitable and up to the job?
This is where we believe ISO27001 is becoming increasingly important. ISO27001 covers much more than simply IT, and certainly more than a single product, making it significantly different to CPA, but in many ways, we believe better. In essence, with ISO27001, the processes and controls with the company or organisation are assessed and certified, meaning that any and all products developed will have been done so using tried and tested means. This enables a more flexible approach for the vendor and purchaser alike. Under ISO27001 it is much easier for products to be updated to keep pace with rapidly changing technology and security threat landscape.
In the meantime we continue to work closely with NCSC with the aim of supporting whatever assurance scheme they implement to supersede CPA.
If you or your security accreditors have any questions please get in touch.