Thursday, October 21, 2010

CESG IL2/IL3 Accreditation (224 & 334)

This is an overview of the implementation process for a telecoms operator or service provider ("communications provider") seeking to acquire IL2 (224) or IL3 (334) accreditation. It is available as a PDF file here.

Version: 1.0 - Revision date: October 21st 2010 – First version


1. Introduction
Many people are aware of the ISO 9000 family of standards for Quality Management. The corresponding standards for Information Security (ISO 27001, 27002, 27011) may be less familiar but are steadily growing in importance as threat levels increase. The ISO 27k standards are neutral as regards technology and industry: they need to be specialised in each distinct case.

When the UK Government, specifically its information assurance arm the CESG turned its attention to accrediting providers of communications services it published a particular specialisation of the ISO 27k standards called “Security Procedures Telecommunications Systems and Services”. This is more informally known as the NGN Good Practice Guide.

Increasingly bids and tenders from UK Government Departments require products and services to be accredited to IL2 or IL3. These terms, Business Impact Levels 2 or 3, essentially require the telecoms operator or service provider to pass an audit based on ISO 27k as additionally extended by the NGN Good Practice Guide.

2. Business Impact Levels

The Business Impact Levels are correlated with the Government’s security classification hierarchy as follows.
• IL0 = n/a
• IL1 = n/a
• IL2 = Protect (= ‘Best Commercial Practice’)
• IL3 = Restricted
• IL4 = Confidential
• IL5 = Secret
• IL6 = Top Secret.

IL2, IL3, IL4 are also correlated with CIA values as follows:
• IL2 corresponds to 2-2-4
• IL3 corresponds to 3-3-4
• IL4 corresponds to 4-4-4

where Confidentiality (C) means that data cannot be eavesdropped or stolen, Integrity (I) means that data cannot be changed or corrupted, Availability (A) means that in the presence of certain kinds of attacks the system retains its ability to provide communications services.

IL2 is the security level which the UK Government believes that all service providers should be operating at and should be implemented across the organisation. IL3, with its requirement for enhanced data security (C, I) carries far more stringent and expensive requirements. Data, systems and processes need to be segregated, supported by secure IT systems and databases, widespread use of encryption, enhanced physical security and higher levels of personnel screening. As a consequence a product or service accredited to IL3 will usually be delivered via a special purpose overlay system.

3. The IL2/IL3 Accreditation Programme Framework

IL2/IL3 accreditation is the UK Government’s ‘Next-Generation Network’ enhancement of accreditation to Information Security Standards ISO 27001, ISO 27002 and ISO 27011. The “Bible” for IL2 accreditation, the CESG NGN Good Practice Guide with its 139 controls explicitly cross-references these standards. An IL2/IL3 accreditation programme should follow the ISMS Implementation framework as defined in the standards documents and should consist of the four phases described below.

Note what is being audited and accredited - it is not a piece of technology, or a collection of programs or people. What is being audited and accredited is a management system – specifically an Information Security Management System (ISMS), which has a defined scope and owner, and which identifies risks and the requisite controls/countermeasures to address them. The ISMS is the complete system of management processes and mechanisms which should be in place to assure the organisation against those threats which come within its scope.

Phase 1: PLAN

In the planning phase the ISMS (Information Security Management System) is established and scoped, risks are analysed, a risk treatment plan developed and the applicable controls (countermeasures) are identified.

In this first phase the documentation to scope the specific ISMS to be audited is specified, identifying the departments and key individuals who will participate in setting up and running the ISMS and in achieving accreditation. The NGN Good Practice Guide has a number of paragraphs (pp. 12 – 16) detailing the assets, users, staff, equipment, systems, utilities and physical sites which are required to be in scope. The target of the accreditation - the scope, assets, functionality and connectivity of the components making up the service slice to be accredited – also needs to be clearly defined.

As part of the planning phase it is necessary to conduct a Risk Analysis. ISO 27k does not mandate a methodology; it only indicates the areas a Risk Analysis has to cover. The NGN Good Practice Guide goes further (p. 10) itemising the threats, risks and vulnerabilities which the Risk Assessment must consider. The CESG has a preferred Risk Assessment Methodology of its own, IS1, which UK Government Departments are required to make use of. It is probably a good idea for a service provider to use this same methodology.

Phase 1 documents required

1. Phase 1 document set for ISO 27001:2005
• The ISMS Policy.
• The scope of the ISMS.
• Procedures and controls in support of the ISMS.
• A description of the risk assessment methodology.
• A risk assessment report.
• The risk treatment plan.
• Documented procedures needed by the organisation to ensure effective planning, operation and control of its information security processes and to describe how to measure the effectiveness of controls.
• Records required by ISO 27001.
• The Statement of Applicability (i.e. which controls are taken to be relevant and why).

2. IS1 Risk Analysis (typically produced by a CLAS consultant)

3. Detailed architecture/high-level system design with diagrams.

4. Relevant technical design documents for reference.

5. Detailed application/network design documents and diagrams. These will help in documenting those components in scope and will include:
• IT documentation showing all relevant IT systems and their interconnection
• Network documentation showing firewall, NAT, switch, router placement
• Network diagrams showing client and server applications for relevant IT systems
• Network and application protocols and end-to-end scope including diagrams
• The security architecture.

These will need to be cross-referenced to departments (people) and processes and will certainly include operations support systems and service management systems.

6. Geographical location of network devices and servers and security information relevant to physical/personnel security at those locations.

7. Table showing all the departments which are involved in all processes around the system (e.g. Provide, Operate, Assure, Bill, 3rd/4th line support, customer self-service, etc) and a designated point of contact in each.

8. Process charts documenting the processes at the level of detailed work-practices which are relevant to the NGN Good Practice Guide controls. An example would be the processes for granting, revoking and storing passwords securely.

9. Availability analysis for the system based in its design.

10. Availability Performance Documentation
• How this will be collected from Operational Measurements and how the calculations will be done.
• How root-cause-analysis of availability-affecting faults will be carried out and documented.
• In the absence of historical data, test plans and measurements must be provided.
• This relates to the NGN Good Practice Guide Chapter 3.

Phase 2: DO (Gap Analysis and Fix programme)

In the implementation phase we undertake the Gap Analysis, to determine for each relevant asset within scope which relevant controls are satisfactorily in place and which controls need further work. This typically requires that the NGN Good Practice Guide with its 139 controls should be checked for each of the relevant departments in scope where a threat/vulnerability has been identified. The Statement of Applicability (SOA) will need to be created to identify which controls are relevant to each department and asset. Note that the Mandatory Controls in the NGN Good Practice Guide must be included.

The NGN Good Practice Guide Controls are often stated at a high-level and may need to be cross-correlated with more operationally-oriented security procedures which will be specific to the operator/platform. These may have been defined already in a prior ISO 27k activity.

In this phase we may also conduct penetration testing to check for vulnerabilities prior to the audit (which will also test in this way). Testing may be carried out on a mix of live and suitably-configured laboratory systems.

The Gap Analysis may well identify areas where certain threats are inadequately countered due to some form of non-compliance. Costed proposals now have to be drawn up to fix these problems and a fix programme executed.

Once the fix programme has been carried out, an internal audit should be carried out both to check readiness and also to prepare everyone for the external audit. The internal audit should follow exactly the audit requirements as specified by ISO 27k and the NGN Good Practice Guide.

Phase 2 documents required

1. Security questionnaires distributed to each relevant department (and possibly work-shopped) based on the NGN Good Practice Guide Controls and/or (suitably cross-referenced) operator security policies. This process is controlled by the Statement of Applicability (SOA) to determine which controls apply in each case (note that the Mandatory Controls must be applied).

2. Collation of responses to questionnaires.

3. Formal Gap Analysis report.

4. Documentation of Costed Fix Programme (budget, project plans).


Phase 3: CHECK (the IL2 audit - preparation and implementation)

This phase starts with a preparatory engagement (stage 1) with the auditor to plan the audit, to check the completeness of the ISMS document set and to review the ISMS documentation set for clarity and conformance. Issues identified here will feed forward into the audit proper.

During the implementation (stage 2) the auditors will further inspect documentation and undertake interviews, site visits and the random sampling of information such as logs and security clearances.

Phase 3 documents required for the audit

ISO 27001:2005 Documents
• The ISMS Policy.
• The scope of the ISMS.
• Procedures and controls in support of the ISMS.
• A description of the risk assessment methodology.
• A risk assessment report.
• The risk treatment plan.
• Documented procedures needed by the organisation to ensure effective planning, operation and control of its information security processes and to describe how to measure the effectiveness of controls.
• Records required by ISO 27001.
• The Statement of Applicability (i.e. which controls are taken to be relevant and why).

Additional documentation from the NGN Good Practice Guide requirements
• Architecture/High-Level Design documentation.
• Availability Test Plan and Report.
• Availability Performance Documentation (not in an initial certification).
• Security Impact Analysis (not in an initial certification).

These documents should be assembled and reviewed by a team fully conversant with ISO 27001 and NGN Good Practice Guide standards and procedures.


Phase 4: ACT (the remedial programme)

ISO 27011 (and the NGN Good Practice Guide) require an ongoing process of continual improvement, corrective and preventive action. For a well-prepared organisation the most likely outcome of an IL2 audit is a conditional award of certification together with a list of issues which will need to be fixed, typically within six months at which point a follow-up supplementary audit will be carried out to check.

Phase 4 documents required
• Auditor Report.
• Documentation of Costed Remedial Programme (budget, project plans).

4. IL2 and IL3

As discussed above, the additional Confidentiality and Integrity requirements for IL3 (334) as compared to IL2 (224) create a significantly increased cost and workload to acquire and maintain accreditation. It should however be noted that IL3 is a superset of IL2 and any effort expended in acquiring IL2 accreditation also covers off issues which are in scope of the IL3 accreditation. It therefore makes sense to start an IL2 accreditation activity even if it is not entirely clear whether in the end IL3 will be required or not.


5. Further Reading

There is a large amount of material in addition to the ISO 27k standards themselves which can be purchased. Some material I have found useful:

1. The booklet “Implementing Information Security Based on ISO 27001/ISO 27002: A Management Guide, 2nd Edition” by Alan Calder is a short top-down overview of all the steps involved in an ISMS implementation and accreditation process, providing an invaluable map of the territory.

2. The handbook “Are you ready for an ISMS Audit based on ISO/IEC 27001?” by Ted Humphreys and Angelika Plate provides a detailed checklist for all the items auditors will be looking for. It lists all the controls found in the NGN Good Practice Guide although the latter also includes additional NGN-oriented guidance for many of these.

3. For a detailed walk-through of an ISMS implementation including examples of required documents see this free ISMS Implementation Guide.


If you have further queries about the IL2/IL3 accreditation process feel free to contact me at Interweave Consulting (


Nigel Seel.

Interweave Consulting
mobile: +44 (0)7940 800 564
© Nigel Seel 2010

No comments:

Post a Comment

Comments are moderated. Keep it polite and no gratuitous links to your business website - we're not a billboard here.