

The importance of UKAS accreditation
Have you ever wondered why as a company you often get the suggestion to get your ISO 27001 certification from a "UKAS accredited certification body"? What exactly does that mean?

In the world of standards impartiality, openness and competence are very important. So it is key that companies who perform audits and issue certifications (the certification bodies, or CBs) adhere to those principles. To make sure they do, they have to be audited themselves. This is done by a national accreditation body (NAB).

In the UK this is UKAS. Other countries have their own national accreditation body: ANAB in the USA, INAB in Ireland, DAkkS in Germany, etc. All of these national accreditation bodies (NABs) are overseen by the IAF (International Accreditation Forum).

In summary:
NAB: National accreditation body - audits and accredits the certification bodies.
CB: Certification body - audits management systems and issues ISO certificates for them.
[Figure: Accreditation Body Structure]

The reason certification bodies accredited by the NABs are recommended is that their certificates are recognised globally by governments. For example, in the accreditation process for the UK government's G-Cloud platform, only certification issued by certification bodies accredited by NABs is accepted (exact detail here). In other words, to get accredited on the G-Cloud you need to get your ISO 27001 certification from a certification body accredited by UKAS, INAB, DAkkS or an equivalent national accreditation body.

How do you find out if the certification body you are about to use is accredited by a national accreditation body? Most NABs publish the accredited CBs on their website. The list of UKAS approved CBs is at http://bit.ly/1aGkKBN. For INAB this list can be found at http://bit.ly/1b823ty.

What are the risks if you don't check this? Well, several other accreditation bodies, which are not members of the IAF, have been set up over the years. The certification bodies they accredit are not always recognised by governments, and the ISO certificates they issue will, for example, be of no value for accreditation on the UK G-Cloud. Bigger corporates and other potential customers who may want to verify your company's ISO certification also often disregard certificates from these certification bodies.

The reason for this is that some of these certification bodies have been accused of selling consultancy to companies and then certifying those same companies, in effect giving a stamp of approval to their own consultancy work. This goes against the impartiality required of a certification body, and casts doubt over whether the certified management system is really achieving the objectives the ISO standard set out to achieve.

The moral of the story is to really check whether your certification body is on the list of the national accreditation bodies if you want to get the most value out of your certification.

I’ll end this blog with a list of useful links on this topic:



New version of ISO 27001 standard released
The long awaited new version of ISO 27001 has now been published. The ISO 27001:2013 and ISO 27002:2013 standards went to “published” status on the iso.org site yesterday, 25 September.

For the more than 8000 companies worldwide that are currently certified against the ISO 27001 standard, this means they can now start planning how to migrate their Information Security Management System to the new version of the standard. The transition period for upgrading is typically two to three years from when the new edition is published.

At SaaSAssurance we have based ourselves on the final draft version of the standard to be prepared for the requirements of this new version. Our current and future customers have the tools inside the product to gain certification against the new standard.

You can check out our previous blog here to read about some of the changes this new version introduces.



Government frameworks for cloud assurance
In the current economic climate, governments are increasingly turning to the cloud for procurement of IT products and services. The use of the cloud is a way to cut costs, but it's not only that. Some governments, such as the UK Government, see it as a way to reach SMEs: in the cloud, SMEs compete on a more level playing field with big international organisations, which helps keep government spending local. The UK sees the cloud as a way to help achieve its goal of having 25% of Central Government procurement spend go to SMEs.

Of course, when considering the cloud one of the first questions that pops up is around security. Governments around the world are addressing this with frameworks to help provide trust and assurance. The US government has set up FedRAMP, which provides a standardised approach to security assessment and authorisation of cloud providers. The UK government has the G-Cloud, which through its Pan-Government Accreditation allows cloud providers to get accredited once, and then have the accreditation reused by public sector bodies while purchasing.

In plain English, both FedRAMP and G-Cloud use the "certify once, re-use many times" approach.

The certification in both frameworks is built on a foundation of industry best-practice standards for Information Security, such as ISO 27001.

This is only the start of what surely will be a model used by governments all around the world. India has for example recently started piloting an e-Gov application store under their G-Cloud initiative. More will follow.

Meanwhile, in the UK, the G-Cloud yesterday launched its fourth call for cloud applications to join the G-Cloud. Under this round, known as "G-Cloud 4", companies can start applying now to have their cloud services listed in the Cloudstore by the end of the year.

At SaaSAssurance we help cloud providers obtain the information security assurance, and certification against standards such as ISO 27001, that they need to get accredited and sell on the Cloudstore.



An update for ISO 27001
The current ISO 27001 standard dates back to 2005, a time when Rackspace did not have a cloud computing offering and Amazon Web Services did not exist. Back then, there was no real demand from staff to use their own devices to access work-related resources either. A lot has changed since then, so the international standard ISO 27001 was overdue an update.

A revised version of ISO 27001 entered the final draft stage (FDIS) on 3 July. If the draft gets approved, it will be the new international standard for the management of information security for the next few years. There will also be a new version of ISO 27002, describing the information security controls to consider while implementing your ISMS.

There are quite a few changes to the standard. First of all, there is a change in the structure. ISO 27001 will be one of the first standards to be written according to the new common structure for management system standards. For example, it has exactly the same headings as the ISO 22301 standard for business continuity; others, such as ISO 9001, will follow. This common structure will make it easier to integrate the different management systems within your business.

Another change is that the risk assessment in ISO 27001 will now be aligned to the ISO 31000 standard on risk management.

Finally, the ISO 27002 controls have undergone some change as well. There are 14 different groups of controls, containing a total of 114 controls. From a cloud computing point of view, the creation of a separate “Supplier Relationships” group of controls is probably the most noteworthy. However, to get a full set of ISO controls specific to the cloud, we’ll probably have to wait for the release of ISO 27017. In the meantime the SaaSAssurance product has all of the cloud controls that you will need built in.

When the new standard gets published, the SaaSAssurance product will have the modules to allow our existing customers to transition to the requirements of the new standard. And our new customers will immediately be able to build the new requirements into their ISO 27001 project and get themselves ready to be certified against the ISO 27001:2013 standard.



Integrating SaaS with your local business systems
Integrating SaaS with your local business systems is immature in the marketplace right now and, according to some, needs at least 12 months to mature.

A lot of SaaS applications are very functional, beautifully designed and work very well, but unfortunately, when it comes to data integration, they can be pretty much siloed from the day-to-day business applications that the SaaS customer currently uses.

The question to ask is, beyond the 12 months of catching up, how secure will data integration be? What will the security auditor think of the data integration? It will all depend on the types of data in use on the business system at the on-premise end and what data is in use in the cloud.

For now, I would recommend that the middle manager who is looking at SaaS apps to reduce cost focus on the applications that require less data integration, and that won't get him or her in hot water with compliance officers if integration is necessary. These things will take a lot of planning and, as always, the security team should play a part in the decision-making process.

In the meantime, have a look at a great article from Cliff Saran:
http://www.computerweekly.com/feature/How-to-integrate-SaaS-with-your-local-business-systems