What is an ISO/IEC 21827 Maturity Assessment?
ISO/IEC 21827 Information technology - Security techniques - Systems Security Engineering - Capability Maturity Model® (SSE-CMM®) is a real holistic approach to maturity modeling.
The ISO 21827 SSE-CMM® is a process reference model. It focuses on the requirements for implementing security in a system, or a series of related systems, that fall within the Information Technology Security (ITS) domain. However, experience with the Model has demonstrated its utility and applicability to security domains other than the IT domain. Within the ITS domain the SSE-CMM® Model concentrates on the processes used to achieve ITS, and most specifically on the maturity of those processes.
In true ISO fashion, it is common-sense based. The intent is that an organization making use of the SSE-CMM® Model should use its existing processes, and improve upon or revise them as appropriate.
ISO 21827 notes that:
"A wide variety of organizations practice security engineering in the development of computer programs, whether as operating systems software, security managing and enforcing functions, software, middleware or applications programs. Appropriate methods and practices are therefore required by product developers, service providers, system integrators, system administrators, and even security specialists. However, many of these organizations deal with high-level issues (e.g., ones dealing with operational use or system architecture), others focus on low-level issues (e.g., mechanism selection or design), and some do both. Organizations may specialize in a particular type of technology or a specialized context. The SSE-CMM® is designed for all these organizations."
Use of the SSE-CMM® should not imply that one focus is better than another. An organization's business focus need not be biased by use of the SSE-CMM®. Its purpose is simply to facilitate the Define, Measure, Analyze, Improve and Control process in order to reach true optimization and the required level of maturity.
Why do you need an ISO/IEC 21827 Assessment?
With the increasing reliance of society on information, the protection of that information is becoming increasingly important. Many products, systems, and services are needed to maintain and protect information. The focus of security engineering has expanded from one primarily concerned with safeguarding classified government data to broader applications including financial transactions, contractual agreements, personal information, and the Internet. These trends have elevated the importance of security engineering.
Increasing your maturity level, if done properly, improves the bottom line and means more profit: you gain a more holistic tactical approach that concentrates on the areas and data identified as most critical to your security system, the ones with the biggest impact on your business and ultimately your bottom line.
If you are ISO/IEC 27001 certified, an ISO/IEC 21827 assessment can identify key areas for improvement and provide international best practices that if implemented can raise your maturity to the next level, providing a valuable differentiator in today's competitive market.
If you are not ISO/IEC 27001 certified, an ISO/IEC 21827 assessment can evaluate your own unique internal security processes and prove even more valuable, because you can concentrate on a very specific scope that you have identified as critical to your organization and your customer base.
How can eFortresses assist?
eFortresses has developed an exclusive approach and evaluation tool that has been field tested and shown to complement the ISO/IEC 21827 standard. The evaluation will provide valuable information and guidance.
Our approach to the SSE-CMM® and the method for applying the model (i.e., the appraisal method) can be used as a:
- Tool for organizations to evaluate their security engineering practices and define improvements to them.
- Method by which organizations can establish confidence in their capability, as one input to system or product security assurance.
- Weighted self-appraisal. This brings a common-sense approach to maturity modeling: you don't spend time and money improving processes that you have identified as not critical to your organization.
- Standard mechanism for customers to evaluate a provider's security engineering capability (e.g., in the supply chain).
Our appraisal techniques can be used in applying the model for self-improvement and in selecting suppliers. At eFortresses we have invested numerous hours of development and research in our unique approach to the model and appraisal method. We are one of the very few organizations that can say we thoroughly understand the proper application of this internationally accepted standard and its proper use.