Other standards relevant to your organisation

Other standards relevant to your organisation  

Your own organisation will have procedures in place specific to them and their operations, so on top of the global standards you’ll have to guide you, there’s information in place to support you in your day-to-day tasks.

But, you’re not just protected by the guidance in place. Can you think of how else your systems might be protected? 

Decorative image: Lock icon with ‘Cyber security’ written beside it

Security products and evaluations  

The security products you use have to go through strict measures, ensuring they receive certifications, meet the common standards set by the ISO and others, and complete their security level testing. Not only are there standards for you to follow, but the tools you use too. Time for a little more detail on this… 

Security products and certification 

Security related products require a measure of confidence that the security enforcing functions they deliver are implemented properly. The industry regulates the claims made by vendors through product certifications. These involve testing by an independent body specialising in security evaluation. 

In the past, evaluations have primarily been carried out by, or on behalf of, government agencies. However, this approach meant certifications were at a national level, so products certified in the US needed to be re-certified in the UK. This was a cost that the vendor had to bear so wasn’t often pursued. 

The common criteria  

The Common Criteria for Information Technology Security Evaluation (CC), based on ISO 15408 is the latest method which moves away from national level certifications to ones that are transferrable across borders. 

Each time a product – known as the target of evaluation (or ToE) – is tested under ISO 15408, it’s evaluated against security criteria known as the security target. After the evaluation it achieves an evaluation assurance level, the EAL, ranging from 1 (the lowest) to 7 (the highest). This specifies how thoroughly the product has been tested. 

Security testing and EAL   

Evaluation Assurance Level is a category ranking assigned to an IT product that indicates to what level it was tested. The highest EAL only applies to products that have been thoroughly tested and evaluated, down to the level of code analysis and mathematical modelling of failure conditions. As EAL 7 is a very expensive process, very few products attain this level of confidence, typically only military grade cryptographic devices.  


The National Cyber Security Centre is an organisation of the United Kingdom Government that provides advice and support for the public and private sector in how to avoid computer security threats. Included in this, the NCSC provides Commercial Product Assurance (CPA) on Smart Meters and smart metering products. THE NCSC also have approved test laboratories (such as the British Standards Institute) who can carry out services such as the Tailored Assurance Services (CTAS) do where they evaluate the IT security attributes of a system. For more from NCSC on product testing click here

Another Essential Partner for the NCSC is the Information Assurance for Small and Medium Enterprises Consortium, who manage Cyber Essentials schemes to ensure the very basic cyber security controls are in place and effective. If you want to work with MOD, you’ll need to meet these MOD standards which build on cyber essentials foundation but are more robust depending on the cyber risk profile.

Other standards

Federal Information Processing Standards Publications (FIPS)

Federal Information Processing Standards Publications, known as FIPS PUBS in the US, are used to publish the most pertinent standards for their security industry. NIST will also test products and publishes a directory, similar to the Common Criteria directory, of products that have achieved various levels of security testing.

Many of these FIPS standards are transferable to the UK where the certification of a security product as FIP compliant, means it’s been tested by the US government NIST labs and assured against a specific level of testing. For example, FIPS 140-3 is the certification scheme for Security Requirements for Cryptographic Modules.

Capability Maturity Model (CMM)

CMM (Capability Maturity Model) and CMMI (Capability Maturity Model Integration) created at Carnegie Mellon University, provides a framework for organising evolutionary steps into five maturity levels that lay successive foundations for continuous process improvement. The main difference between CMM (Capability Maturity Model) and CMMI (Capability Maturity Model Integration) ISO/IEC 62443 is that the former focuses on evaluating whether an organisation completes specific tasks related to the process or not, while the latter focuses on building an architecture for the whole development process. Both CMM and CMMI have five stages in their model, but the stages are different from each other. While CMM has- Initial, Repeat, Defined, Managed, Optimised. CMMI has Initial, Managed, Defined, Quantitively Managed, and Optimised foundations.

What’s next?  

So, now that you have a better understanding of what goes into the software you use, as well as the guidance provided for you, you should feel assured that a great deal of effort goes into ensuring that our information is protected on a global scale. It would be naive though, to assume that nothing ever goes wrong, so, time to read more on Security Incident Management and gather the tools necessary to deal with disruptions.


In this course on Malicious software, you will learn about the various types of Malicious code in detail, contrast the different types before looking at the countermeasures used to combat them. You’ll also encounter non-technical controls, and our expert Mark will show you the OWASP top ten security threats.

About the Author
Learning Paths

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.