My company develops a range of products in the desktop software, cloud and hardware spaces for the IT domain.
I have been looking into a process for gaining third-party validation and certification for the various products and would be interested in hearing people's thoughts on what would make sense from their perspective.
There are a variety of options to choose from.
For the cloud products we are looking at ISO 27001 and CSA STAR, and I would be comfortable that we are moving in the right direction with this one.
The hardware products space is a little more difficult.
There is ISO 15408 (Common Criteria), UL 2900, IEC 62443 (focused more on the OT space than the IT space, but it seems to be gaining more recognition), or we could just have products independently tested by a reputable third party as an intermediate step.
For anyone purchasing IT equipment for a datacenter or computer room today, what requirements/standards would you expect equipment to have?
For anyone making a decision on product certification for their IT equipment today, what direction would you go?
I would be interested in hearing people's thoughts on this. Thanks very much in advance!
Well, from experience, if you want to interact with federal government, it is a mandatory item, unless the organisation goes through exhaustive risk management processes and formal testing independently.
However, an often-cited issue is that the Target of Evaluation (TOE) is frequently out of date, due to the amount of time it takes to go through the evaluation process and the associated costs. Some governments now use NIAP instead, due to the fact that updates can be applied more frequently and be evaluated, etc.
However, I understand there have been some issues with backlogs, and now that the Malaysian security lab has been allowed to join in too, it is questionable whether or not even ISO 15408 or NIAP provide sufficient assurance. So the security lab doing the actual evaluation is often important too.