2.1 The Process
The Framework sets out a comprehensive set of security requirements covering aspects of both the organisation and the product. A response to each requirement needs to be recorded, with supporting statements or evidence. The Assurance Questionnaire is available to IoTSF Members to facilitate evidence collation. For requirements deemed "not applicable", an explanation must be provided as to why. Any alternative countermeasures that reduce the associated security risk should also be listed.
The assurance process breaks down into a number of steps:

2.1.1 Risk Assessment
In security terms, context is everything - each application differs in use-case and operating environment. It is the responsibility of the Framework user to determine their risk appetite within their stated usage environment and therefore the specific assurance class (section 2.2) of the security measures applied.
To achieve this, a comprehensive risk assessment is a pre-requisite to using the Framework. The risk assessment process will help determine the assurance class for the product/service.
Risk assessment is a documented process. It starts by identifying the key "assets" of the product/service: these could be encryption keys, intellectual property (IP), personal information, or other items of value. The next stage is to characterise the possible attackers (their capability, resources and motivation) and the threats they pose to those assets. Finally, a risk register (a table or database) is created that records each threat together with its mitigations [SCHNEIER.AT]¹ [SHOSTACK.TM]² [TARANDACH.TM]³.
Section 2.2 gives more detail on assurance classes and how they relate to the Confidentiality, Integrity and Availability (CIA Triad) model [VAN.DER.HAM]⁴ commonly used by security professionals. Generally, the highest achievable assurance class should be adopted, considering not just the immediate context of the product but also the potential hazards to the system(s) in the environment where the product/service will be used.
A basic outline of the risk assessment process can be found in Appendix A. Risk management techniques are also described in publications from organisations such as the NCSC [GOV.UK.RISKMAN]⁵, ENISA [ENISA.RMF]⁶ and NIST [NIST.SP.800-30]⁷.
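The three stages above (assets, attacker characteristics, risk register with mitigations) can be made concrete with the attack-tree method the text cites in [SCHNEIER.AT]. The following is an added illustration written for this page, not code from the IoTSF Framework or the Assurance Questionnaire. The asset (a per-device signing key), the attack steps, their costs, the attacker profiles and the countermeasures are all constructed sample data; the scoring rule (OR nodes take the cheapest child, AND nodes sum their children, a leaf is unavailable to an attacker below its skill level) is the standard attack-tree evaluation.

```python
"""Attack-tree-based risk register (illustrative example, not part of the IoTSF Framework).

All assets, costs, skill levels and attacker profiles below are constructed
sample data. Evaluation follows the attack-tree method referenced by the text
([SCHNEIER.AT]): OR nodes take the cheapest child, AND nodes sum their children,
and a leaf is only available to an attacker whose skill meets its requirement.
"""
from dataclasses import dataclass, field
from typing import List, Optional

INFEASIBLE = float("inf")


@dataclass
class Attacker:
    """Attacker characteristics: how much they will spend and how capable they are."""
    name: str
    budget: float   # resources the attacker is willing to spend (arbitrary units)
    skill: int      # 1 = opportunist, 2 = skilled, 3 = well-resourced specialist


@dataclass
class Node:
    """One node of an attack tree: a leaf step, or an OR/AND combination of children."""
    label: str
    kind: str = "LEAF"                      # "LEAF", "OR" or "AND"
    cost: float = 0.0                       # leaf: estimated cost of the step
    skill: int = 1                          # leaf: minimum attacker skill needed
    mitigated_cost: Optional[float] = None  # leaf: cost once the countermeasure is applied
    mitigation: str = ""                    # leaf: the countermeasure recorded in the register
    children: List["Node"] = field(default_factory=list)

    def cost_for(self, attacker: Attacker, with_mitigations: bool) -> float:
        """Cheapest cost for this attacker to achieve this node, or INFEASIBLE."""
        if self.kind == "LEAF":
            if attacker.skill < self.skill:
                return INFEASIBLE
            if with_mitigations and self.mitigated_cost is not None:
                return self.mitigated_cost
            return self.cost
        costs = [c.cost_for(attacker, with_mitigations) for c in self.children]
        if self.kind == "OR":
            return min(costs)
        if self.kind == "AND":
            return sum(costs)   # INFEASIBLE propagates if any required step is infeasible
        raise ValueError(f"unknown node kind {self.kind!r}")


@dataclass
class RiskEntry:
    """One row of the risk register: asset x attacker, before and after mitigations."""
    asset: str
    attacker: str
    cheapest_attack: float
    feasible_before: bool
    residual_cost: float
    feasible_after: bool


def build_register(asset: str, tree: Node, attackers: List[Attacker]) -> List[RiskEntry]:
    """Evaluate the tree for each attacker profile and record the result."""
    register = []
    for a in attackers:
        before = tree.cost_for(a, with_mitigations=False)
        after = tree.cost_for(a, with_mitigations=True)
        register.append(RiskEntry(
            asset=asset,
            attacker=a.name,
            cheapest_attack=before,
            feasible_before=before <= a.budget,
            residual_cost=after,
            feasible_after=after <= a.budget,
        ))
    return register


# Constructed sample asset and attack tree (hypothetical values).
KEY_EXTRACTION = Node("extract device signing key", "OR", children=[
    Node("read key over debug port", "AND", children=[
        Node("obtain physical access to a unit", cost=50, skill=1),
        Node("attach to unlocked JTAG/SWD", cost=20, skill=2,
             mitigated_cost=5000, mitigation="lock debug port via production fuses"),
    ]),
    Node("dump key from unencrypted flash", cost=300, skill=2,
         mitigated_cost=INFEASIBLE, mitigation="hold key in a secure element"),
    Node("decap chip and probe key storage", cost=100000, skill=3),
])

# Constructed attacker profiles.
ATTACKERS = [
    Attacker("opportunist", budget=100, skill=1),
    Attacker("skilled hobbyist", budget=1000, skill=2),
    Attacker("well-resourced lab", budget=250000, skill=3),
]


def demo() -> List[RiskEntry]:
    return build_register("device signing key", KEY_EXTRACTION, ATTACKERS)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Running the example shows why the register must be kept per attacker profile rather than as a single score: the listed countermeasures take the cheapest attack from 70 to 5050 units, which puts it beyond the skilled hobbyist's budget but leaves it well within the well-resourced lab's. The residual risk against that last profile is what drives the choice of assurance class and any further countermeasures.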
Footnotes
1. Bruce Schneier, "Attack Trees", Schneier on Security, December 1999. https://www.schneier.com/academic/archives/1999/12/attack_trees.html
2. Adam Shostack, "Threat Modeling: Designing for Security", 2014. https://shostack.org/books/threat-modeling-book
3. Izar Tarandach and Matthew J. Coles, "Threat Modeling: A Practical Guide for Development Teams", O'Reilly, 2021. https://threatmodeling.dev/
4. Jeroen van der Ham, "Toward a Better Understanding of "Cybersecurity"", ACM Digital Threats: Research and Practice, Volume 2, Issue 3, June 2021. https://dl.acm.org/doi/10.1145/3442445
5. NCSC guidance, "Risk management". https://www.ncsc.gov.uk/collection/risk-management
6. ENISA, "Interoperable EU Risk Management Framework", January 2023. https://www.enisa.europa.eu/publications/interoperable-eu-risk-management-framework
7. NIST Special Publication 800-30, "Guide for Conducting Risk Assessments", September 2012. https://www.nist.gov/publications/guide-conducting-risk-assessments