The European Network and Information Security Agency, ENISA has issued a report that gives an overview on information security certifications

The European Network and Information Security Agency, ENISA has issued a report that gives an overview on information security certifications of products, people and processes.

It addresses common concepts and definitions and the different types of certification, and clarifies the mandatory and legal background of some certifications.

The report also explores the analogies and disparities between a number of existing certification schemes. Finally, it analyses current trends in certification and offers six recommendations to improve network and information security in Europe through a wider use of security certification.

Some of the key ENISA recommendations in the report include, in brief:

• Organisations should verify their information security management systems, choose certified security products and encourage security employees to choose appropriate personal information security certifications.

• The development of the complementary standards of the 27000 family for public and private organisations should be encouraged, e.g. an ISO27001 ‘light’ for SMEs.

• The EU should extend the intergovernmental Mutual Recognition Agreement on Common Criteria to all Member States, as a tool for a more secure e-Communication market. EU Framework Programme 7 should sponsor research to analyse the economics of the certification of products.

• The EU should strengthen accreditation schemes related to people certification in IT security and encourage the development of people certification adapted to different profiles, from the end-user level (Computer Driving Licence) to the most professional one (e.g. IT security officer). The EU should also reinforce bridges between education (schools and universities) and the certification process (private training and certificate providers).