CSM27001
Is MS ISO/IEC 27001 an internationally recognised standard?
Yes. "IDT" on the front cover indicates an identical adoption, i.e. a Malaysian Standard whose technical content, structure and wording (or an identical translation of them) are exactly the same as in the International Standard, or which is identical in technical content and structure but may contain the minimal editorial changes specified in clause 4.2 of ISO/IEC Guide 21-1.
What are the benefits of the certification?
Please read our Benefit page.
What are the steps towards achieving certification?
Please read our Services to find out the certification steps.
How does the certification body handle complaints?
Please read our Appeal, Disputes and Complaints procedure.
What services does the CSM27001 Scheme offer?
Please read our Services to find out more.
How do I confirm whether CyberSecurity Malaysia is an accredited certification body?
CyberSecurity Malaysia is listed under the Directory of Accredited Certification Bodies at http://www.standardsmalaysia.gov.my/accreditation-of-certification-bodies-acb-/directory-of-acb
MyTrustSEAL
Who will be involved during the assessment process?
Prior to assessment, the company is required to identify a person in charge of the project to ease communication with the MyTrustSEAL evaluation team. During the assessment phase, the evaluation team also needs to communicate with the website administrator for any technical clarification.
How do I maintain the certification validity?
MyTrustSEAL is a yearly validation. This is part of the security requirement, given the frequent changes in technology and information vulnerabilities. However, the company may contact the MyTrustSEAL team to clarify the service packages available for maintaining the MyTrustSEAL trust mark.
MyCC
MyCC scheme
What is MyCC scheme?
The Malaysian Common Criteria Evaluation and Certification Scheme (MyCC Scheme) is a systematic process for evaluating and certifying the security functionality of ICT products against defined criteria or standards. The MyCC Scheme evaluates and certifies the security functionality within ICT products against the following international standards:
- ISO/IEC 15408 (Information technology -- Security techniques -- Evaluation criteria for IT security), also known as the Common Criteria (CC); and
- ISO/IEC 18405 (Information technology -- Security techniques -- Methodology for IT security evaluation), also known as the Common Evaluation Methodology (CEM).
The Malaysian Common Criteria Certification Body (MyCB) is a department under CyberSecurity Malaysia. Its primary responsibility is to carry out certification and oversee the day-to-day operation of the MyCC Scheme.
Are there policies explaining the MyCC framework for CC evaluations?
The Malaysian Certification Body (MyCB) administers the regulations for conducting CC evaluations through the following MyCC Publications:
- PRODUCT_SP: MyCC Scheme Policy;
- MyCC_P2: MyCC Certified Product Register;
- ISCB_EFM: MyCC Scheme Evaluation Manual.
What is MyCC Scheme Maintenance of Assurance?
Maintenance of assurance is a voluntary process that leverages a certified TOE (Target of Evaluation) baseline as changes are made to the certified TOE. The MyCC Scheme has adopted the CCRA-compliant process for assurance continuity, or maintenance of assurance, for a TOE certified within the MyCC Scheme and in conformance with the MyCC Scheme rules. This service provides customers with a cost-effective method of maintaining a level of confidence in the security provided by a TOE as it is updated. Details of the MyCC Scheme Maintenance of Assurance service can be found in PRODUCT_SP: MyCC Scheme Policy.
Common Criteria and Mutual Recognition
What is the Common Criteria (CC)?
The Common Criteria (CC) was created to harmonise the criteria for carrying out security evaluations produced by a number of nations, including the United States (TCSEC), Europe (ITSEC) and Canada (CTCPEC), into a single set of common criteria. The CC is now recognised as an ISO (International Organization for Standardization) standard, ISO/IEC 15408 (Information technology -- Security techniques -- Evaluation criteria for IT security), and is regarded as the international benchmark for IT security evaluation criteria.
What is the Common Criteria Recognition Arrangement (CCRA) and mutual recognition?
The Common Criteria Recognition Arrangement (CCRA) is a formal international arrangement among a large number of countries. This mutual recognition ensures that certificates issued by the certification body of one member state are recognised by all member states. This helps vendors cut their costs, since a single product or system evaluation is recognised by all participating nations. Common Criteria certifications from EAL1 to EAL4 are mutually recognised by all CCRA members. Further information about the CCRA can be found at http://www.commoncriteriaportal.org/
What is an Evaluation Assurance Level (EAL)?
The Common Criteria (CC) uses the concept of assurance levels, called Evaluation Assurance Levels (EALs). For CC, the levels range from EAL1 to EAL7. This scale represents ascending levels of confidence that can be placed in an ICT product's fulfilment of its security objectives. The higher the EAL, the greater the degree of rigour applied in assessing whether the ICT product has met its security requirements.
What is Assurance Continuity?
The purpose of Assurance Continuity is to enable developers to provide assured products to the IT consumer community in a timely and efficient manner. The awarding of a Common Criteria evaluation certificate signifies that all necessary evaluation work has been performed to convince the evaluation authority that the TOE meets all the defined assurance requirements, as grounds for confidence that an IT product or system meets its security objectives. Assurance Continuity recognises that, as changes are made to a certified TOE or its environment, evaluation work previously performed need not be repeated in all circumstances. Assurance Continuity therefore defines an approach to minimising redundancy in IT security evaluation, allowing a determination to be made as to whether independent evaluator actions need to be re-performed.