New 2018 version of Security Verified standard

| Sieuwert van Otterloo | Security

The open standard ‘Security Verified’, has been updated in August 2018. It is a minor update to improve readability and to make the standard fully aligned with GDPR. The recent update should make this standard even easier to use for organisations that want a good Information Security Policy based on the same principle as ISO 27001.

Security Verified Background

Security Verified was introduced in October 2016 as an open standard for information security. It was developed to provide more alternatives for organisations that need a certified security policy or ISMS. They need this because customers or other stakeholders require evidence of adequate security. Indeed in many request for proposals, ISO 27001 or a comparable standard is required. Full ISO 27001 certification is unfortunately a slow process, which is why many organisations opt to use the more agile Security Verified standard to set up their ISMS. Security Verified is completely open: the latest criteria can be found here.

Changes in the Security Verified criteria

The official criteria of Security Verified consists of two parts.

  • The first part consists of mandatory requirements, mostly about the information security process. Organisations must implement all these elements.
  • The second part is a list of 28 controls. Organisations must implement at least 14 of these.

The idea behind this structure is that organisations should do risk based decision making. An organisation must set up their own risk management process. Based on these risks, they must choose which controls are valuable to them. This structure is similar to how ISO 27001 and ISO 27002 work: ISO 27001 contains mandatory process requirements. ISO 27002 contains recommended best practices that organisations can choose from.
The changes to the criteria are relatively small. Some new criteria were added to make Security Verified aligned with GDPR. Security Verified has been designed for use in the EU. To make it easier to read, mandatory GDPR requirements have been included in the standard as mandatory. If organisations do not comply to legal requirements, they do not qualify for Security Verified.

Other changes involved restructuring. Some complicated requirements have been split. The order of controls in part 2 has been changed to make the list easier to check.

Audit, reviews and certification

Anyone can use the Security Verified criteria as a checklist for their own Information Security policy. This is useful for instance in internal audits of for organisations that want a good Information Security Management System but are not required to be certified. Organisations that need external certification can ask ICT Institute for a review. The main benefit of getting Security Verified certification over ISO 27001 certification is speed. The Security Verified review process is faster. The official review process for organisations is described here. There is an open register of certified organsiations, to make it easy to check the certification status of companies. As of august 2018, there are 11 organisations that have received a certificate.

Future plans

The standard Security Verified is stable and will only receive minor changes when needed. This way people know what to expect from certified organisations. Any further development is focused on the supporting material. In 2018 we focused on providing GDPR support and templates and background articles (checklist, explanation of terminology). After 2018 we will also continue our series of articles on implementing a good information security policy. People interested in the updates can join our special interest group Information Security NL for free.

Image credit: Angela Litvin via unsplash

Author: Sieuwert van Otterloo
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.