The “EU Cybersecurity Agency”
In September 2017 the EU issued a proposal for the “Regulation of the European Parliament and of the Council on ENISA, the EU Cybersecurity Agency, and on Information and Communication Technology cybersecurity certification (‘Cybersecurity Act’)”. This document provides for a comprehensive set of measures that build on previous actions and sets out specific, mutually reinforcing objectives. These six objectives are each addressed below, with a commentary on the way APMG International actively contributes towards them with the certifications and tools it currently has available.
Increasing capabilities and preparedness of Member States and businesses
Increasing the cybersecurity capabilities of any organisation, large or small, must start with an effective audit or assessment of its current maturity, at least in the critical areas. This can be done against a standard such as ISO27001. In reality this is often far too unwieldy for most organisations, which simply want to know that they are spending their money on the right things and that the controls they have put in place are working effectively and as expected. APMG has licensed the Cyber Defence Capability Assessment Tool (CDCAT®), a tool developed by the MOD and Dstl that has been designed to achieve exactly that, in a timely and cost-effective way. The tool combines multiple frameworks to create a base set of cyber security capabilities. It then compares those capabilities with real-world evidence to determine which ones are the most effective and necessary, before facilitating an assessment of the maturity of those capabilities as found in the target system. The assessment can take less than half a day for any system, regardless of technology, size, location or purpose.
Once such an assessment has been made, the tool provides advice on the most effective way to allocate effort and resource in order to increase the cybersecurity of the system. This advice is based on well-established maturity models combined with an awareness that without an effective service management capability, cybersecurity can never be as mature as may be required. In turn this allows the preparedness of the organisation to be improved in a phased and manageable way as resources permit.
Improving cooperation and coordination across Member States and EU institutions, agencies and bodies
APMG International works in over 50 countries worldwide, and has a particularly strong presence in many EU countries. Many of the certification schemes run by APMG are available internationally and can help to establish common standards across national boundaries. CDCAT is one such tool, and it also has a unique input from all NATO countries as well as from other ‘Five Eyes’ countries, allowing it to offer a comprehensive international assessment of what really matters in cybersecurity capabilities.
The GCHQ Certified Training (GCT) scheme, run by APMG on behalf of the UK’s GCHQ, ensures that cyber training delivered by commercial companies is of a high standard. All training materials, the trainers and the parent organisation are checked against standards agreed with GCHQ and given the stamp of approval. It is then rechecked at least annually, to ensure the standard is being maintained. Whilst the course must be delivered in the UK to gain accreditation, it can also be delivered anywhere in the world.
APMG has already engaged with the Foreign and Commonwealth Office (FCO) to produce cybersecurity advice and assistance in a number of different countries. This can clearly extend to other countries as appropriate and desired. APMG is also a member of the London Digital Security Centre (LDSC) helping particularly smaller businesses in the UK to develop their own cyber security to an appropriate level but in a cost-effective way. The use of the UK’s Cyber Essentials scheme (for which APMG is an accreditation body) can provide the basic security checks and assurance that even the smallest business can achieve an adequate level of cyber security.
Increasing EU level capabilities to complement the action of Member States, in particular in the case of cross-border cyber crises
Enhancing the capabilities of countries in the EU is a critical element of the CDCAT tool. It can provide a real-world based assessment of current and planned capabilities, and can effectively assess the international cooperation of the cyber security capabilities in place. APMG also operates a scheme on behalf of the NCSC that checks the competence, skill and experience of those who work in the cyber security industry. The Certified Cyber Security Professional (CCP) scheme provides a certification based on twenty-five skill areas together with four business skills, ensuring that the individual is not only technically capable but can also assist an organisation to enhance its own security through the provision of well-founded advice and guidance.
Increasing awareness of citizens and businesses on cybersecurity issues
APMG provides certifications that can ensure that the level of awareness and understanding of individuals (as well as businesses) is enhanced through effective awareness-raising sessions. Many of the courses assessed through the GCT scheme are at awareness level and these are checked to ensure the messages they give are clear, consistent and in accordance with current good practice and advice.
RESILIA™ is a cyber security product offered by APMG. It is a course that combines training and awareness-raising with a simple and quick assessment of the current capabilities of an organisation. APMG has also accredited another online course, Mitigate, which has a free module available on our website for those who are keen to get started in increasing the awareness of individuals and businesses.
Cyber Essentials is a way of promoting businesses, especially smaller businesses, that have taken the necessary basic steps to safeguard their own and others’ information which is stored or processed on their systems. Although it is a UK-based certification, it is being taken up in many other countries and this helps to raise the awareness of the essential basic steps that all organisations should be taking to protect their digital assets.
Increasing the overall transparency of cybersecurity assurance of ICT products and services to strengthen trust in the digital single market and in digital innovation
Transparency of cybersecurity assurance means providing users with sufficient information on cybersecurity properties to enable them to objectively determine the level of security of a given ICT product, service or process. APMG has always been keen to demystify the seemingly “black art” of cyber security. Trusting other organisations is a key part of today’s international electronic trading community, and this trust increasingly depends on the trust placed in another organisation’s cyber security capabilities. CDCAT can be used to assess throughout the supply chain. This means that, for example, prime contractors can easily and effectively check the relevant and appropriate level of cyber security in each part of their supply chain. It also provides a realistic, evidence-based assessment that equips business managers (who are rarely also cyber experts) with the information they need to make informed business decisions. Without this awareness and transparency, the heads of businesses cannot make effective and appropriate decisions on the way to spend limited resources on cyber security.
Avoiding fragmentation of certification schemes in the EU and related security requirements and evaluation criteria across Member States and sectors
APMG has, for many years, been using both UK-based certifications and standards and international standards to promote good practice in a wide range of different areas, including cyber security. We offer a certification in the international standard ISO27001:2013 at both foundation and practitioner level. Several of the schemes APMG runs can be used internationally, and others allow certified organisations to operate around the world.
The work undertaken with CDCAT through the FCO has taken APMG to several different countries and this helps to promote both the UK and European approaches as good practice. The tool utilises several different standards including some from Europe and helps to reinforce the links between the different frameworks and standards rather than differentiating between them.
The Cyber Essentials scheme is now being adopted by companies in many countries and this too helps to promote common standards and practices to the benefit of all. Combined with the GCT and CCP schemes, and the international use of CDCAT, these all help to unify the way different EU countries can share common standards and criteria for the necessary cyber security of their citizens and businesses.