What is Assurance?

International Accreditation Forum

The diagram demonstrates the ISO assurance system in terms of management systems. The following are common management systems:

  • Quality Management System (QMS, ISO 9001)
  • Environmental Management System (EMS, ISO 14001)
  • Food Safety Management System (FSMS, ISO 22001)
  • Business Continuity Management System (BCMS, ISO 22301)
  • Information Security Management System (ISMS, ISO 27001)
  • Occupational Health and Safety Management System (OHSMS, ISO 45001)

What is Assurance?

Assurance is the confidence that a subject is compliant with, or meets, specific standards or requirements.

  • A certification body (CB) is attested by an accreditation body (AB) to conduct the assessment of compliance.
  • Assurance comes with both confidence and acceptance of a level of risk.

Assurance in Information Security

Assurance of information systems can be rendered through the V&V or the formal C&A process. Verification and validation (V&V) are conducted as systems engineering processes, while certification and accreditation (C&A) are more formal and rely on a third-party or independent assessor.

V&V is conducted throughout the SDLC (System Development Life Cycle), while C&A is typically a later part of the SDLC, as it is generally performed after the system has been implemented or completed.

Both V&V and C&A deliver assurance of information systems.

  • The private sector typically does not conduct formal C&A against in-house systems. The requirements, designs, implementations, deliverables, etc. are verified by the development team and validated by the user department, internal customers, or stakeholders.
  • In US government agencies, C&A is a regulatory requirement. The NIST RMF is the unified C&A process at the information system level.

More on V&V and C&A

Assurance

  1. ISO/TS 21089:2018
    • grounds for confidence that an entity meets its claimed level of protection, including security objectives
    • Health informatics — Trusted end-to-end information flows
  2. ISO/TS 14441:2013
    • result of a set of compliance processes through which an organization achieves confidence in the status of its information security management
    • Health informatics — Security and privacy requirements of EHR systems for use in conformity assessment
  3. ISO 14016:2020
    • result of a process of validation (3.1.12) and/or verification (3.1.13) to provide confidence as to the degree of reliance that can be placed on an environmental report (3.3.1)
    • Environmental management — Guidelines on the assurance of environmental reports
  4. ISO/IEC/IEEE 15026-1:2019
    • grounds for justified confidence that a claim (3.1.4) has been or will be achieved
    • Systems and software engineering — Systems and software assurance — Part 1: Concepts and vocabulary
  5. ISO/TR 11633-2:2009
    • result of a set of compliance processes through which an organization achieves confidence in the status of its information security management
    • Health informatics — Information security management for remote maintenance of medical devices and medical information systems — Part 2: Implementation of an information security management system (ISMS)
  6. ISO/IEC 21827:2008
    • grounds for confidence that a deliverable meets its security objectives
    • Information technology — Security techniques — Systems Security Engineering — Capability Maturity Model® (SSE-CMM®)
  7. ISO/IEC/IEEE 24765:2017
    • grounds for justified confidence that a claim has been or will be achieved
    • Systems and software engineering — Vocabulary
  8. NIST
    • Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy. (CNSSI 4009)
    • The grounds for confidence that the set of intended security controls in an information system are effective in their application. (CNSSI 4009-2015)
    • Grounds for justified confidence that a [security or privacy] claim has been or will be achieved. (NIST SP 800-37 Rev. 2)

Accreditation

  1. ISO/IEC 17011:2017
    • third-party attestation related to a conformity assessment body (3.4) conveying formal demonstration of its competence to carry out specific conformity assessment tasks
    • Conformity assessment — Requirements for accreditation bodies accrediting conformity assessment bodies
  2. ISO 18079-1:2018
    • process in which certification of competency, authority, or credibility is presented to the servicing station by the manufacturer
    • Ships and marine technology — Servicing of inflatable life-saving appliances — Part 1: General
  3. ISO 15513:2000
    • process of granting official formal recognition to assessors and other successful candidates of competency assessments
    • Cranes — Competency requirements for crane drivers (operators), slingers, signallers and assessors
  4. NIST
    • The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls. (FIPS 200)
    • Formal declaration by a designated accrediting authority (DAA) or principal accrediting authority (PAA) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards.
      See authorization to operate (ATO). Rationale: The Risk Management Framework uses a new term to refer to this concept, and it is called authorization. (CNSSI 4009-2015)
    • also known as authorize processing (OMB Circular A-130, Appendix III), and approval to operate. Accreditation (or authorization to process information) is granted by a management official and provides an important quality control. By accrediting a system or application, a manager accepts the associated risk. Accreditation (authorization) must be based on a review of controls. (NIST SP 800-16)

Attestation

  1. ISO/TS 17573-2:2020
    • issue of a statement, based on a decision that fulfilment of specified requirements (3.176) has been demonstrated
    • Electronic fee collection — System architecture for vehicle related tolling — Part 2: Vocabulary
  2. ISO 20252:2019
    • declaration of conformity by the service provider (3.92) related to the statement of applicability (SoA)
    • Market, opinion and social research, including insights and data analytics — Vocabulary and service requirements
  3. ISO/TS 27790:2009
    • process of certifying and recording legal responsibility for a particular unit of information
    • Health informatics — Document registry framework
  4. ISO/IEC 27039:2015
    • variant of public-key encryption that lets IDPS software programs and devices authenticate their identity to remote parties.
      Remote attestation refers to processes of using digital certificates to ensure the identity, as well as the hardware and software configuration, of IDPS and to securely transmit this information to a trusted operations centre.
    • Information technology — Security techniques — Selection, deployment and operations of intrusion detection and prevention systems (IDPS)

Certification

  1. ISO 17090-1:2013
    • procedure by which a third party gives assurance that all or part of a data processing system conforms to security requirements
    • Health informatics — Public key infrastructure — Part 1: Overview of digital certificate services
  2. ISO/IEC 10641:1993
    • Procedure resulting in the issuance of a certificate.
    • Information technology — Computer graphics and image processing — Conformance testing of implementations of graphics standards
  3. ISO/IEC 24727-5:2011
    • formal confirmation of successful conformance testing by a certified party
    • Identification cards — Integrated circuit card programming interfaces — Part 5: Testing procedures
  4. ISO 19301:2020
    • third party attestation related to products, processes, systems, or persons
    • Graphic technology — Guidelines for schema writers — Template for colour quality management
  5. ISO 7240-1:2014
    • third party attestation related to products, processes, systems, or persons
    • Fire detection and alarm systems — Part 1: General and definitions
  6. ISO/IEC 24709-1:2017
    • acknowledgement that a validation (3.17) has been completed and the criteria established by the certifying organization have been met
    • Information technology — Conformance testing for the biometric application programming interface (BioAPI) — Part 1: Methods and procedures
  7. ISO 8178-1:2020
    • process of obtaining a certificate of conformity
    • Reciprocating internal combustion engines — Exhaust emission measurement — Part 1: Test-bed measurement systems of gaseous and particulate emissions
  8. ISO/IEC 29109-1:2009
    • third-party attestation related to products
    • Information technology — Conformance testing methodology for biometric data interchange formats defined in ISO/IEC 19794 — Part 1: Generalized conformance testing methodology
  9. ISO 15849:2001
    • process of formal approval, by an authority empowered to do so, of arrangements or systems for the reception, storage or transmission of data and intelligence relative to the management, operation or control of vessels
    • Ships and marine technology — Guidelines for implementation of a fleet management system network
  10. NIST
    • A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. (FIPS 200)
    • Comprehensive evaluation of an information system component that establishes the extent to which a particular design and implementation meets a set of specified security requirements. (CNSSI 4009-2015)
    • a formal process for testing components or systems against a specified set of security requirements. Certification is normally performed by an independent reviewer rather than one involved in building the system. Certification can be part of the review of security controls identified in OMB Circular A-130, Appendix III, which calls for security reviews to assure that management, operational, and technical controls are appropriate and functioning effectively. (NIST SP 800-16)
