Leveraging an ISO/IEC 27001 Management System to Provide the Governance Framework for Certifications According to the EU Cybersecurity Act (C11b)
The Cybersecurity Act introduces EU-wide rules for the cybersecurity certification of products, processes and services. For many years, certification to ISO/IEC 27001 has been used to demonstrate compliance with globally recognized best practices for protecting information, because adherence to the standard ensures that the organization has processes and controls in place addressing risks to the confidentiality, integrity and availability of information: the very same issues a company faces in a cybersecurity incident. A management system based on ISO/IEC 27001 provides the governance structure an organization needs in order to obtain certification of its products, processes and services under the EU Cybersecurity Act.
Organizations aiming for certification of their products, processes and services will need to demonstrate that they have a systematic approach to ensure that internal processes are well executed and adequate safeguards are in place.
Examples of ISO/IEC 27001 applicability under the CSA can be found in the ongoing EUCS (the EU cloud services certification scheme), where the standard provides the underlying foundation of an information security management system.
ISO/IEC 27001 is the governance standard that lays the foundation on which any cybersecurity program depends. TISAX, an industry-specific information security assessment program focused on how a supplier protects sensitive information (including prototypes) belonging to OEMs, provides a blueprint for how future certification requirements in areas such as automotive can work. Finally, under the GDPR, a regulation complementary to the CSA, certification schemes may need to be modular in structure and require organizations to be certified to ISO/IEC 27001 and ISO/IEC 27701 to ensure that the necessary governance framework is in place.
In this presentation we will provide an overview of ISO/IEC 27001 applicability, explaining the advantages of leveraging a globally recognized framework as the governance framework for a certification according to the Cybersecurity Act.
Besides informing the audience, we hope to trigger the interest of participants and start a dialog on any of these fields, while reinforcing our value proposition around CSA implementation.