
2.1 The Process

The Framework sets out a comprehensive set of security requirements covering aspects of both the organisation and the product. A response to each requirement needs to be recorded, with supporting statements or evidence. The Assurance Questionnaire is available to IoTSF Members to facilitate evidence collation. For requirements deemed "not applicable", an explanation must be provided as to why. Any alternative countermeasures adopted to reduce the associated security risk should also be listed.

The assurance process breaks down into a number of steps:

Figure 1: Assurance process steps

2.1.1 Risk Assessment

In security terms, context is everything: each application differs in use-case and operating environment. It is the responsibility of the Framework user to determine their risk appetite within their stated usage environment, and therefore the specific assurance class (section 2.2) of the security measures applied.

To achieve this, a comprehensive risk assessment is a prerequisite to using the Framework. The risk assessment process will help determine the assurance class for the product/service. Section 2.2 has more details on assurance classes and how they relate to the Confidentiality, Integrity and Availability (CIA Triad) model [ref 46]¹, commonly used by security professionals. Generally, the highest possible assurance class should be adopted, considering not just the immediate context of the product, but also the potential hazards to the wider system(s) in which the product/service may eventually be used.

A basic outline of the risk assessment process can be found in Appendix A. Risk management techniques can also be found in publications from organisations such as NCSC, ENISA and NIST [ref 40, 41 and 42]²,³,⁴.

Footnotes

  1. The CIA Triad has no single original source, but for more information visit: [https://www.techrepublic.com/blog/it-security/the-cia-triad]

  2. UK Government (NCSC) cyber security risk assessment guidance: [https://www.ncsc.gov.uk/guidance/risk-management-collection]

  3. NIST Special Publication 800-30, Guide for Conducting Risk Assessments: [https://www.nist.gov/publications/guide-conducting-risk-assessments]

  4. EU ENISA guidance on cyber security risk management: [https://www.enisa.europa.eu/topics/threat-risk-management/risk-management]