When certification scope is reduced, risk transparency suffers

How are risk owners and agency heads able to make informed decisions about ICT system accreditation without being provided with adequate information?


The scope of an ICT system certification has a major influence on the findings of an independent system audit. Excluding parts of a system, or other capabilities on which it depends, from the scope of an audit can reduce the usefulness of that audit in providing assurance to the business owner of the system, especially where those out of scope parts are yet to be (or are unlikely ever to be) included in the formal agency Certification and Accreditation (C&A) process.

These out of scope items may have a considerable effect on the risks to the ICT system, yet because of the scope limitation they may never appear in the risk assessment. How accurate, then, will the assessment of risk for the system as a whole actually be?

As professionals in the field of security audits, we must be impartial and factual when conducting assessments and communicating our findings. However, we are limited in how we can report those findings when they fall outside the scope of the contracted deliverable as set by the Certification Authority.

The Certification Authority is the party responsible for assessing the audit report as an input into gauging the residual level of risk to the ICT system, and for delivering an accreditation recommendation to the agency's Accreditation Authority on whether or not to award accreditation. The Certification Authority is also responsible for ensuring that all the controls identified to manage the risks of the system are appropriate and effective, and that they comply with the Protective Security Requirements (PSR) and/or the relevant New Zealand Information Security Manual (NZISM) controls.

Unfortunately, if the recommendation provided by a Certification Authority is primarily concerned with ticking a compliance process box, or with achieving 'green' residual risk ratings, then the assessment has lost sight of the reason the Certification and Accreditation process was mandated in the first place.

It is no wonder, then, that an Accreditation Authority rarely appears comfortable granting an accreditation that is not conditional. Following up on those conditions also appears to be an area that needs more focus and management, to ensure that remedial actions are completed within the agreed timeframe.

For this to change, the accountable parties need a change of perspective: to become less concerned with meeting deadlines and obtaining favourable reports, and more concerned with managing the agency's risk by operating a secure ICT system.