gpg 32 audit handbook for cesg assured service - issue 2.0 dec

December 2015 Issue No: 2.0 Good Practice Guide Audit Handbook for CESG Assured Service (Telecoms)


Page 1: GPG 32 Audit handbook for CESG Assured Service - issue 2.0 Dec

December 2015 Issue No: 2.0

Good Practice Guide

Audit Handbook for CESG Assured Service

(Telecoms)


Good Practice Guide No. 32

Audit Handbook for CESG Assured Service (Telecoms)

Issue No: 2.0 December 2015

The copyright of this document is reserved and vested in the Crown.

Document History

Version Date Comment

1.0 October 2010 First issue

1.1 August 2011 See Key Changes

1.2 October 2013 Changes due to new approach defined in the standard

2.0 December 2015 ISO/IEC 27001:2005 to ISO/IEC 27001:2013; changes to information classification; alignment with the new CAS(T) Specification


Page 1

Audit Handbook for

CESG Assured Service (Telecoms)

Intended Readership This guide is for:

Implementers

Implementers’ internal auditors

CAS Companies

of telecommunications systems and services for government. Advice in this guide may also be relevant to the wider public sector and to organisations belonging to the Critical National Infrastructure.

Executive Summary This Good Practice Guide (GPG) covers all aspects of conducting audits and achieving certification of telecommunications systems and services under the CESG Assured Service (Telecoms), known as CAS(T).

Operating within CESG’s CAS framework, CAS(T) aims to ensure appropriately audited secure telecommunications for government in line with relevant HMG IA policy and guidance.

The assessment specification is based on the ISO/IEC 27001:2013 standard. CAS(T) extends the ISO standard in some areas and focuses assessment in others to ensure that issues important to HMG networks are addressed.

Scope and Purpose

This GPG provides comprehensive reference on conducting audits of telecommunications systems and services under CAS(T).

It can be used by:

Implementers to ensure that the Information Security Management System (ISMS) is designed and operated to meet CAS(T) requirements

Internal auditors to help determine whether the ISMS is ready for a third party audit

CAS Companies to manage the audit process

The CAS assessment process is defined in Process for Performing CESG Assured Service (CAS) assessments (reference [a]). This GPG provides additional requirements to that overarching CAS document.

The CAS(T) service requirement is detailed in CESG Assured Service, CAS Service Requirement Telecommunications (reference [b]). Full details of the CAS(T) requirement, including alignment with and interpretation of ISO/IEC 27001:2013 (reference [c]) plus additional requirements, are described in CESG Security Procedures, Telecommunications Systems and Services (reference [d]).

The word ‘must’ is used in this document to identify a requirement that is essential for CAS(T) certification.


Key Changes

ISO/IEC 27001, with which CAS(T) is aligned, has been revised and reissued as ISO/IEC 27001:2013.

This document has been aligned with the Process for Performing CESG Assured Service (CAS) assessments (reference [a]) and the CAS Service Requirement Telecommunications (reference [b]). Those two documents define the framework within which CAS(T) operates.

References to CAS have been changed to CAS(T) to avoid confusion with other services that are now assessed under the CESG Assured Services scheme.

Information that is needed by Communications Providers (CPs) has been moved to CESG Security Procedures, Telecommunications Systems and Services (reference [d]).

The CAS(T) Lead Assessor exam has been discontinued.

HMG policy for asset valuation and risk assessment has changed.

Feedback CESG welcomes feedback and encourages readers to inform CESG of their experiences, good or bad, with this document. Please email: [email protected]


Contents:

Chapter 1 – Overall Scheme Requirements and Guidance .......... 4
  CAS Companies and Auditors .......... 4
  Lead Assessor Qualifications .......... 4
  Lead Assessor Conversion Course .......... 4
  Use of Technical Experts .......... 5
  Scope of ISMS .......... 5
  Risk Management .......... 6
  Statement of Applicability (SoA) .......... 6
  Availability of Service Slices and E2E services .......... 6
  Change Management .......... 6

Chapter 2 - Assessment Team and Roles .......... 7
  Audit Teams .......... 7
  Lead Assessor .......... 7
  Lead Assessor Competency Records .......... 8
  Technical Experts .......... 8
  Technical Domain Requirements for Technical Experts .......... 9
  Technical Expert Domains .......... 9
  Technical Expert Competency Records .......... 11
  Overall Audit Process .......... 11
  Joint Audits .......... 12
  The Audit Cycle .......... 12

Chapter 3 - Assessment Planning .......... 13
  Implementing the audit plan - Defining the objectives, scope and criteria .......... 13

Chapter 4 - Assessment Activities .......... 15
  Conducting the audit activities – Preparing Audit Conclusions .......... 15
  Requirements for Specific Audit Types .......... 15
  Auditing Availability .......... 17
  Handling Nonconformities .......... 17
  Availability Audit .......... 19
  Design Review .......... 19
  Historical Data Review for E2E Services (not Service Slices) .......... 20

Chapter 5 - Review and Rework .......... 21
  Key Principles .......... 21
  Nonconformities .......... 21
  General Criteria .......... 22
  Criteria for Controls .......... 22

Chapter 6 - Assurance Maintenance .......... 24
  Key Principles .......... 24
  Surveillance Audits .......... 24
  Special Audits .......... 25
  Audit and Change Management .......... 26
  Principles .......... 27
  Management Approaches .......... 27
  Technology Approaches .......... 27
  Service Availability Calculations Example .......... 28

References .......... 30

Abbreviations .......... 31

Glossary .......... 33


Chapter 1 – Overall Scheme Requirements and Guidance

Key Principles

CAS(T) is based on the requirements of ISO/IEC 27001:2013 (reference [c]) but has some significant differences. This chapter outlines the main differences between CAS(T) and the accredited ISO 27001 schemes.

There is no requirement to produce availability evidence or perform availability calculations for service slices, because service slice availability is just a design based prediction

An End-to-End (E2E) service does involve availability calculations performed with historical data

CAS Companies and Auditors

1. CAS(T) aims to set a consistent security standard for all individual components and combinations of components (service slices and E2E services). The controls on accreditation, certification, competencies and training are designed to ensure consistent quality, so that purchasers of CAS(T) certified E2E services can be confident that they meet all aspects of the security standards.

2. CAS(T) takes a more integrated approach to the accreditation of CAS Companies, training of auditors, competencies of audit teams and certification of Communications Provider (CP) systems than is required by ISO 27006:2011 (reference [e]) when certifying companies against ISO 27001.

3. The CAS Authority in CESG approves companies to conduct CAS assessments, manages the CAS(T) scheme and acts as the Certification Body for CAS(T) assessments.

4. Assessment of CPs can only be provided by an approved CAS Company.

5. All audits must be led by a Lead Assessor who satisfies the CAS(T) Lead Assessor requirements.

Lead Assessor Qualifications

6. CAS(T) follows the broad principles of ISO/IEC 27001:2013 (reference [c]) audits but adds specific requirements for training and experience.

7. The one-day Lead Assessor Conversion Course provides training to bridge the gap between the ISO 27001 scheme and the operation of CAS(T).

Lead Assessor Conversion Course

8. ISO/IEC 27001:2013 (reference [c]) Lead Auditors are typically trained by the United Kingdom Accreditation Service (UKAS) accredited CAS Company they work for. The training includes classroom and field-based elements. The course is normally developed by the CAS Company and approved by the International Register of Certificated Auditors (IRCA). Other training providers that are not CAS Companies also offer auditor training which is accredited by IRCA.

9. The CAS Authority has developed a standard Lead Assessor Conversion Course which is delivered by accredited training providers rather than CAS Companies.

Use of Technical Experts

10. When auditors do not have specialist knowledge, ISO 27006:2011 (reference [e]) includes the use of technical experts to assist auditors. CAS(T) also includes technical experts but requires CAS Companies to manage competencies for technical experts more formally than ISO 27006:2011 (reference [e]) and that technical experts meet certain prerequisites.

11. Technical experts may be necessary because CAS(T) requires that CPs manage the scoping and availability of service slices or E2E services in ways not included in ISO/IEC 27001:2013 (reference [c]) or other management systems standards. For example:

CPs are required to design and operate their service slices and E2E services using high availability network design and carry out root cause analysis of significant loss of availability

CPs are required to keep records and analyse those records to demonstrate that the availability targets of CAS(T) have been met over any audit period

CPs are required to apply correctly the scoping rules for service slices and E2E services, and the demarcation and aggregation rules when limiting and combining service slices or E2E services

12. All of these aspects are auditable under CAS(T) and can be grouped as network engineering competencies.

13. A technical expert who works in a team under the direction of a Lead Assessor does not need to have auditor competence.

Scope of ISMS

14. A CAS(T) service slice or E2E service must have a functional scope. Auditors, with assistance from technical experts as necessary, are required to verify that the scope of service slices and E2E services equals or exceeds the minimum functional scope required, and that the demarcation rules in the CESG Security Procedures, Telecommunications Systems and Services (reference [d]) have been correctly applied.

15. The required minimum functional scope ensures that all assets (assets are described in the Security Procedures (reference [d])) which could affect security are included in the scope as a minimum, and that customers of certified service slices or E2E services can compare like-for-like between Communications Providers (CPs) from a security perspective.


Risk Management

16. Organisations must demonstrate that they understand and are managing the risks posed to their service. The risk assessment must take into account the threat profile for OFFICIAL, as described by Government Security Classifications, published as part of the Security Policy Framework (reference [f]), as well as other threats that impact assets in scope of the service slice or E2E service.

Statement of Applicability (SoA)

17. CPs providing telecommunications systems to be certified under CAS(T) must implement the critical and mandatory controls as documented in CESG Security Procedures, Telecommunications Systems and Services (reference [d]).

Availability of Service Slices and E2E services

18. In order to meet the higher availability performance, CPs must implement the availability requirements provided in the CESG Security Procedures, Telecommunications Systems and Services (reference [d]).

19. Although high-level availability design must be demonstrated at the initial certification audit, historical data showing the availability actually achieved is not assumed to be available at that stage; it is expected at subsequent audits. CAS(T) therefore handles availability audit differently in the initial certification audit and in subsequent audits.

Change Management

20. Given the complexity of telecommunications networks it must be expected that changes will take place to service slices and E2E services between routine audits. Changes may include patching of software components to remove known vulnerabilities, the implementation of new sites, or major architectural changes. CPs must operate an effective change management process for certified service slices and E2E services.

21. As part of the change management process a Security Impact Analysis (SIA) is required. The SIA is used to notify the CAS Company of high and medium impact changes, so that such changes are managed from an audit perspective.


Chapter 2 - Assessment Team and Roles

Key Principles

The role definitions in the Process for Performing CAS Assessments (reference [a]) are used with supplementary explanation in this chapter

A CAS(T) Lead Assessor working for a CAS Company must lead every CAS(T) audit team

CAS Companies are required to maintain a record of each Lead Assessor’s competencies under CAS

Technical experts may be employed to assist audits but there must be no conflict of interest between any consultancy work undertaken by the technical expert and their role in the audit

CAS Companies are required to maintain technical expert competencies records for all experts they have used for CAS audit activities

Audit Teams

22. All CAS(T) audit teams must be led by a CAS(T) Lead Assessor working for a CAS Company. A single auditor with suitable competencies may conduct the entire audit or additional team members may be included to add particular competencies or to complete the audit more effectively.

Lead Assessor

23. A CAS(T) Lead Assessor must be a qualified ISO 27001 Lead Auditor who also satisfies CAS(T) Lead Assessor requirements.

24. The ISO 27001 Lead Auditor requirement may be satisfied by current recognition by IRCA as an ISO 27001 Lead Auditor or equivalent evidence that demonstrates:

At least four years’ experience in telecommunications and / or information security

Attendance and passing the exam of an ISO/IEC 27001:2013 Lead Auditor course that is IRCA (or equivalent) approved

An initial 15 days' ISMS audit experience, including one audit as Lead Auditor under the supervision of an approved Lead Auditor; and

At least 10 days spent auditing an ISMS each year

25. The additional CAS Lead Assessor requirements are satisfied by:

Attending a CAS Lead Assessor conversion course

At least 1 CAS(T) audit each year

A minimum of a current Counter Terrorist Check (CTC); and

Continuing Professional Development (CPD) with, as a minimum and as required, attending briefings, or reading updates to the Scheme documentation, as CESG / UKAS may provide during the operation of the Scheme

26. CAS Companies are expected to manage the competency framework, including records, for their Lead Assessors working under the Scheme. These records are auditable as part of the accreditation process for CAS Companies.

27. Lead Assessors must maintain the highest level of professionalism and independence in fulfilling their role. Any complaint concerning the conduct of a Lead Assessor will be investigated under the complaints process for CESG Test Laboratory General Operational Requirements (reference [g]) and may result in suspension or withdrawal of the individual’s recognition as a Lead Assessor.

Lead Assessor Competency Records

28. CAS Companies must maintain assessor competency records. These records are auditable as part of the accreditation process for CAS Companies. Records must include for each Lead Assessor:

The date they attended the Lead Assessor conversion course

IRCA format Audit and CPD logs or equivalent that includes:

o Date audit started and finished
o Type of audit (certification, surveillance, special, recertification)
o CP name
o Role in the audit (lead, other)
o Audit days spent by the auditor on the audit

Details of any formal complaints concerning the auditor, how they were investigated, and outcome of the investigation

Technical Experts

29. Technical expert is a CAS(T) specific role, required due to the variety of technology used in telecommunications. When determining the resources necessary for an audit activity, a CAS Company must decide whether one or more suitably qualified technical experts are required within the audit team.

30. An auditor within the audit team who also meets the prerequisites to be a technical expert can be recorded as such by the CAS Company and may fulfil both roles.

31. The decision whether to include technical experts will be based on the scope of the ISMS to be audited and the scope of the audit activity. It will generally be necessary to include one or more technical experts for initial certification and recertification audits. Depending upon the scope and objectives, technical experts may be required for surveillance and special audits.

32. Technical experts must satisfy the following general prerequisites:

At least four years' work experience either in a technical role for a major CP or in alternative roles giving similar experience


Awareness of the ISO/IEC 27001:2013 (reference [c]) standard

Knowledge of CESG Security Procedures, Telecommunications Systems and Services (reference [d]). In particular, those sections where expert advice to auditors is critical:

o High availability network design
o Root cause analysis of loss of availability
o Analysis and reporting of availability statistics
o Scoping of service slices and E2E services
o Application of demarcation and aggregation rules when limiting and combining service slices

33. Technical experts may provide management systems consultancy or assist with internal audits for clients, both of which are outside CAS(T). There is a risk of lack of impartiality and of conflict of interest if the same experts have worked, or are likely to work, for the same clients in a consulting and auditing role. Technical experts must declare any potential conflict of interest. They must notify the CAS Company of any existing or prior association with any organisation they have been assigned to audit during the previous two years before commencing such work.

34. CAS(T) places no formal restriction on technical experts carrying out both types of assignment but Lead Assessors must be aware of the potential conflict of interest in such cases. This risk reduces with elapsed time between any consultancy work and certification audits. Auditors must satisfy themselves that no such conflict arises when selecting team members and during the conduct of audit activities.

35. External technical experts must have a written agreement with any CAS Company for which they act, in which they commit to comply with all policies concerning confidentiality and conflicts of interest.

Technical Domain Requirements for Technical Experts

36. Technical experts must satisfy the technical domain requirements for each technical domain in which they wish to act as an expert.

37. They are required to meet the following general prerequisites:

At least two years’ work experience in the technical domain or domains for which they will operate as an expert. This experience may be directly in network or service engineering, or in other applications of the technology, for example in a consulting role to CPs, in a vendor organisation or providing technical services to CPs

Technical Expert Domains

38. The set of technical expert domains is kept under review by the CAS Authority. CAS(T) currently defines the following technical domains (the main bullet points below) in which technical experts may be qualified. It is important to note that the examples of the areas of knowledge within each domain are not intended as either a required or an exhaustive list; technical experts are expected to have experience in several of these technologies to be considered qualified for the relevant domain.

Packet Switching and Routing

o Internet Protocol (IP) v4 and IPv6
o Multi Protocol Label Switching (MPLS)
o MPLS Traffic Engineering (MPLS-TE)
o Carrier Ethernet
o Resilient Packet Ring

Transmission Systems

o Plesiochronous Digital Hierarchy (PDH)
o Synchronous Digital Hierarchy (SDH)
o Terrestrial microwave
o Optical Networks
o Wavelength Division Multiplexing (WDM)
o Satellite Ground Stations
o Very Small Aperture Terminal (VSAT) systems

Voice and Voice over IP (VoIP)

o Common Channel Signalling (fixed and mobile)
o Integrated Services Digital Network (ISDN) Access Signalling
o Public Switched Telephone Networks (PSTNs)
o Softswitch Networks
o Session Initiation Protocol (SIP)
o Signalling Transport (SIGTRAN)

Wireless Access Networks

o Wireless Local Loop (WLL)
o Global System for Mobile Communications (GSM)
o Generalised Packet Radio System (GPRS)
o Enhanced Data Rates for GSM Evolution (EDGE)
o GSM EDGE Radio Access Network (GERAN)
o High Speed Packet Access (HSPA)
o Universal Mobile Telecommunications System (UMTS)
o Terrestrial Radio Access Network (UTRAN)
o Institute of Electrical & Electronic Engineers (IEEE) 802.16

Fixed Line Access Networks

o Digital Subscriber Line (DSL)
o Multiservice Access Nodes (MSAN)
o Local Loop Unbundling (LLU) (Technical)

Telecommunications Platforms and Middleware

o Major Operating Systems
o Database Technologies
o Telecoms Applications Frameworks
o Simple Object Access Protocol (SOAP)


o Web services Integration
o Operational Support System (OSS) through Java (OSS/J)

Infrastructure

o Power Systems
o Backup Power Systems
o Air conditioning
o Business Continuity (technical)

Technical Expert Competency Records

39. CAS Companies must maintain records for technical expert competencies under CAS(T) for all technical experts they have used for audit activities since their last scheduled audit.

40. These records are auditable as part of the accreditation process for CAS Companies.

41. Classifications, Non-Disclosure Agreements (NDA) and other confidentiality agreements must be respected when managing technical expert competencies records.

42. Technical expert competencies records must include the following information for each technical expert:

Evidence that they meet the general requirements for technical experts and the specific requirements for each technical domain in which they are recognised as a technical expert by the CAS Company

Information on audits at which the expert assisted under CAS(T), including:

o Date audit started and finished
o Type of audit (certification, surveillance, special, recertification)
o CP name
o Role in the audit (scoping, availability, demarcation, aggregation)
o Audit days used by this technical expert on this audit

Overall Audit Process

43. The overall audit process of CAS(T) is intended to follow the principles of ISO 19011:2011 (reference [h]) with modifications as described in the Process for Performing CAS Assessments (reference [a]) and as necessary to fit CAS(T) requirements.

44. The audit process begins with the acceptance of a service for assessment by the CAS Authority, after which assessment planning and assessment activities take place.

45. The audit process ends when an audit report, containing audit findings and audit conclusions, has been passed to the CAS Authority.

46. The CAS Authority has 3 options:


Accept the audit conclusion and issue a certificate to the CP if appropriate

Reject the audit conclusion and agree with the CAS Company suitable measures to complete the assessment, typically additional evidence (that may require additional assessment activity); or

Reject the audit conclusion and close the assessment

Joint Audits

47. It is possible that audits under CAS(T) will be conducted jointly with ISO/IEC 27001:2013 (reference [c]) audits because of the many common features between the two schemes.

48. Provided such a joint audit fully meets the requirements of CAS(T), this can be a cost effective approach for CAS Companies and CPs. If the CP takes care to ensure that the requirements of both schemes are satisfied, then a single set of ISMS documentation can be submitted.

The Audit Cycle

49. The different types of certification related audit under CAS(T) follow the Process for Performing CESG Assured Service (CAS) assessments (reference [a]). An audit cycle begins with an initial certification audit, followed by surveillance audits at least every twelve months after initial certification, and a recertification audit every three years. Additional audits may be required by the CAS Company as a result of notifications from the CP of high impact changes to the network, or for other reasons.


Chapter 3 - Assessment Planning

Key Principles

Three mitigations for CAS(T) are defined in the CAS Service Requirement Telecommunications (reference [b]):

MIT001 – Conform to scoping requirements and have an ISMS as defined within Chapter 2 of the Specification

MIT002 – Conform to availability requirements in Chapter 5 and the controls specified in the appendix of the specification

MIT003 – Continuous Audit and Improvement

Implementing the audit plan - Defining the objectives, scope and criteria

50. A draft Assessment Plan should be provided to the CP so they may complete the CP Claims in an appropriate structure.

51. The CAS Company will appoint a suitably qualified Lead Assessor.

52. The Lead Assessor or their delegates will review the CP claims and determine a suitable audit plan.

53. If there is a need to sample implementation, the rationale and approach should be documented in the plan. The subsequent audit schedule may identify the sample to be taken (for POPs for example).

54. Audit objectives should clearly and concisely state the context for the audit that will determine whether a complete ISMS or part thereof conforms to the CESG Security Procedures, Telecommunications Systems and Services (reference [d]). The context is important for surveillance and special audits, since they typically have limited objectives (such as checking a change to a service slice or E2E service), which should be clear and agreed from the outset.

55. Audit objectives also include identification of areas for potential investigation, and audit of the effectiveness of the management system in meeting the requirements of the CESG Security Procedures, Telecommunications Systems and Services (reference [d]).

56. The Assessment Plan defines the audit scope (extent and boundaries of the audit), the time period over which it will be conducted and the estimated number of audit days required. When conducting a joint audit, it should be clear which days are for CAS(T) alone and which are common to CAS(T) and ISO standards. The audit scope will typically vary according to whether it is an initial, surveillance, special or recertification audit.

57. An Assessment Plan must be agreed by the CAS Authority for:

An initial audit

A surveillance audit that will lead to a change to the CAS certificate

A special audit that will lead to a change to the CAS certificate; and


A recertification audit

58. Once the Assessment Plan has been agreed a detailed audit plan should be developed and agreed with the CP.

Implementing the audit plan – Selecting the Audit Team

59. The Lead Assessor or other CAS Company staff not on the audit team must have sufficient knowledge of the networks and services at this stage to understand the ISMS scope, the audit scope and the competencies required.

60. The CAS Company / Lead Assessor will appoint additional team members, including technical experts if required. Other members of the team need not be qualified Lead Assessors.

61. A suitably qualified technical expert will typically be needed:

To review service slice or E2E service design documentation. This is likely to be the case for initial certification audits and for audits where significant changes have occurred to the service slice or E2E service implementation since the last audit.

For audits where availability, demarcation issues or scoping issues require review. This is likely to be the case for initial certification audits, recertification audits, surveillance audits and special audits where availability aspects are within the audit scope

Preparing audit activities – Performing document review

62. A number of documents will need to be reviewed before the on-site assessment of the Mitigations to avoid wasted time auditing noncompliant controls. The document review should include:

All of the CP’s ISMS documentation as required by CAS(T)

Availability design information

Network design documents

Any previous audit reports

63. The set of required documents in the document review depends upon the type and scope of audit being carried out. The review is restricted to aspects of the ISMS relevant to the scope of the audit.

64. The document review should verify the completeness of the set of ISMS documentation, and the adequacy of the information provided for the specified audit scope.


Chapter 4 - Assessment Activities

Key Principles

Assessment activities will follow the agreed Assessment Plan and Audit Plan

Any deviations will be recorded including reasons

Conducting the audit activities – Preparing Audit Conclusions

65. The Lead Assessor will discuss the nature and severity of the audit findings with the relevant members of the team. They will also discuss what additional audit effort will be needed to conclude the assessment before holding a closing meeting with the CP.

66. The audit team will complete the CAS Report using the standard CAS template. Where multiple sites have been visited to sample a particular control or set of controls, they may be documented in a single table for the control or multiple tables as determined by the Lead Assessor.

67. Based on the individual findings, audit conclusions should be prepared, to include:

Any change to scope, since preparation of the audit plan

Extent of conformity with CESG Security Procedures, Telecommunications Systems and Services (reference [d])

Agreement of nonconformity severities according to guidelines below

Conclusions and recommendations of Lead Assessor for submission to the CAS Authority

Requirements for Specific Audit Types

Initial Certification Audit

68. The initial certification audit is the first formal third-party audit of the ISMS. It must have as its audit scope the full ISMS being certified and assess all Mitigations in the CAS(T) Service Requirement (reference [b]). Specifically the audit scope must include:

All of the mandatory sections of ISO/IEC 27001:2013 (reference [c]) (sections 4-10)

The additional mandatory elements of CESG Security Procedures, Telecommunications Systems and Services, Chapter 2, amplified in Appendix A (reference [d]). All controls that are designated as critical in Appendix A must be audited. Auditing of controls that are designated as mandatory in Appendix A may be deferred to a surveillance audit

The additional mandatory elements of CESG Security Procedures, Telecommunications Systems and Services, Chapter 5 (reference [d]). Note that the additional mandatory requirements on historical availability may be excluded from the initial certification audit at the discretion of the CP. This exclusion is permitted because new services going through certification will typically not have this historical data available

Consideration of all information assets within the mandatory scope of the ISMS

Initial Certification Audit - Audit Objectives

69. Audit objectives in the context of this Guide are concerned with determining whether an ISMS conforms to CESG Security Procedures, Telecommunications Systems and Services (reference [d]).

Initial Certification Audit - Required Documentation

70. The following documents must be provided by the CP to the CAS Company to enable the stage 1 audit (document review) to take place:

Documentation required under ISO/IEC 27001:2013 (reference [c])

o The ISMS policy

o The scope of the ISMS

o Procedures and controls in support of the ISMS

o A description of the risk assessment methodology

o The risk assessment report

o The risk treatment plan

o Documented procedures followed by the CP to ensure effective planning, operation and control of its information security processes, and to describe how to measure the effectiveness of controls

o Records required by the International Standard

o The Statement of Applicability

Additional documentation required under CAS(T) (see CESG Security Procedures, Telecommunications Systems and Services (reference [d]) for more detailed descriptions)

o Architecture / HLD Documentation

o Availability Test Plan and Report (if requested by audit team)

o Availability Performance Documentation

o SIA

Surveillance Audit

71. A surveillance audit must take place at least every 12 months for a system that has a current certification. CAS Companies and CPs may agree to have more frequent surveillance audits, particularly in the first 12–18 months of certification.

72. Full requirements for surveillance audits appear in Chapter 6.

Special Audit

73. A special audit is an audit outside the normal cycle of scheduled activities. It may be triggered by:

Assessing the effectiveness of measures implemented to resolve nonconformities that were identified in an earlier audit

Changes of high potential impact in a certified system that are reported by the CP in a SIA, and which the CAS Company feels require audit

A request by a CP to change the scope of certification, or for other reasons

A complaint by a third party concerning the effectiveness of the ISMS which must be investigated

74. Full requirements for special audits appear in Chapter 6.

Recertification Audit

75. A recertification audit is carried out within three years of initial certification, and repeated on a three year cycle. For this audit the CP must submit a full, updated set of documentation as required for initial certification audit.

Auditing Availability

76. As historical data on availability may not be available at the initial certification audit, the following principles should be applied.

Availability Requirements for Initial Certification Audit

77. ISMS documentation for initial certification must include high availability design documentation for the service slice or E2E service being audited.

Availability Requirements for 12 Month Surveillance Audit for E2E Services (not Service Slices)

78. No later than 12 months after initial certification, historical availability data covering the period since initial certification and any root cause analysis must be presented as part of the audit documentation.

Availability Requirements for Subsequent Audits for E2E Services (not Service Slices)

79. All audits 12 months or more after initial certification must include availability data and root cause analysis of any loss of availability over the previous 12 months.

Handling Nonconformities

General

80. Nonconformities may be handled differently depending on whether they are found at initial audit, surveillance audit, special audit, or recertification audit.

81. Remedial action to correct nonconformities may be demonstrated to follow-up auditors in various ways:

By document re-submission (for example in the case of inadequate or missing ISMS documentation during audit planning)

By special audit (i.e. in addition to the scheduled surveillance audits)

By a scheduled surveillance or recertification audit

82. The appropriate approach depends upon the nature of the nonconformity and the point in the audit cycle when the issue is recognised.

Nonconformities at Initial Certification Audit

83. Missing or inadequate documentation can be corrected by resubmission at the discretion of the CAS Company.

84. When a major nonconformity is found during an initial certification audit, the audit should proceed to completion according to the plan, or any revised plan, agreed between the CP and CAS Company, so that all nonconformities may be recorded in the audit report.

85. A certificate cannot be issued until all major nonconformities have been rectified. For multiple minor nonconformities, a certificate may be issued if a plan and timeframe for remedial action has been agreed.

86. The time period for correcting nonconformance and confirmation that the correction is satisfactory should be no more than three months.

Nonconformities at Surveillance, Special and Recertification Audits

87. Audits after the initial certification audit which find nonconformities should proceed to completion if possible.

88. All nonconformities must be rectified within a time period agreed between the CAS Company and the CP, plus the CAS Authority for major nonconformities. The time period for correcting nonconformance and confirmation that the correction is satisfactory should be no more than three months.

89. Provided such a plan is agreed and the CAS Authority does not consider that an appropriate response to the nonconformities is suspension or withdrawal of the certificate, certification may remain in force.

Suspension of Certification

90. Once a certificate has been issued, the CAS Authority can decide to suspend, withdraw or reduce the scope of certification.

91. A certificate will be suspended immediately in cases where:

There has been repeated failure to rectify a major nonconformity (failure at the second attempt typically)

There is a serious failure of the ISMS (two or more major nonconformities found at any audit)

There is refusal by the CP to co-operate with surveillance or special audits, or to conduct necessary remedial work

92. Suspension of a certificate must be formally notified to the CP in writing.

93. During suspension:

The service slices affected cannot be presented as certified to customers or other third parties until the suspension is lifted

E2E services cannot be presented as certified until the suspension is lifted

Services using a suspended service slice cannot be presented as certified until the suspension is lifted

Customers of the CP who are using the services for which certification has been suspended must be notified of the suspension by the CP, and kept informed of the certification status of their services

Withdrawal of Certification

94. A certificate cannot be suspended for more than six months. Failure to rectify a nonconformity that led to suspension of a certificate within an agreed timescale will result in withdrawal of the relevant certificate. The CP must be formally notified of withdrawal of a certificate:

The service slices or E2E services affected must not be presented as certified to customers or other third parties once certification is withdrawn

Services using the service slice or E2E service must not be presented as certified once certification is withdrawn

Any related marketing literature, website content or other material likely to be seen by customers must be promptly amended to represent the current status of the affected service slice and services

95. If a certification is withdrawn, a CP must promptly notify all customers who are using affected services. The customers may also be notified by the CAS Authority.

Availability Audit

Design Review

96. When considering predicted performance to meet CAS(T) an auditor should expect to determine that:

A high availability design without single points of failure, and with appropriate resilience mechanisms is applied to components other than the access interfaces. This includes links between access, distribution and core routers, and the devices themselves

All potential failure modes have been properly identified in the availability design document

The aggregate predicted availability for the service slice or E2E service is correctly calculated, with the method open to audit, and provided in the CP documentation

Historical Data Review for E2E Services (not Service Slices)

97. In examining historical availability records for compliance, an auditor should look for evidence that:

Availability records have been kept in line with the requirements outlined in CESG Security Procedures, Telecommunications Systems and Services (reference [d])

The E2E service being certified has met at least the minimum availability performance, when downtime over the audit period is averaged per service instance, and in line with the approach outlined in CESG Security Procedures, Telecommunications Systems and Services (reference [d])

98. Auditors are encouraged to use their judgement to validate availability information in other ways, e.g. by examining whether customer complaints are consistent with the availability records, or by looking for evidence of outages which fall below the threshold for reporting under CAS(T), but which in aggregate are significant.

Chapter 5 - Review and Rework

Key Principles

Auditors look for audit evidence that indicates conformance or nonconformance with the requirements of CESG Security Procedures, Telecommunications Systems and Services (reference [d])

Nonconformities can be minor or major. Multiple minor nonconformities may constitute a major nonconformity. Major nonconformities prevent successful completion of the audit

All nonconformities must be rectified

Nonconformities

99. Nonconformities can be minor or major. Nonconformities will not normally prevent an audit from proceeding. They may prevent successful completion of the audit and prevent either initial grant of a CAS(T) certificate or approval for the certificate to continue.

100. One or more minor nonconformities will not normally prevent a certificate being issued or retained, but remedial action must take place to rectify these within a timescale agreed between the CP and the CAS Company.

101. One or more major nonconformities will prevent successful completion of an audit until remedial action has been carried out. This must take place within a timescale agreed between the CP, the CAS Company and the CAS Authority.

102. A subsequent special audit focussing on the nonconformities will typically conclude an audit where major nonconformities are found, either downgrading or closing them.

103. Auditors may consider multiple, related, minor nonconformities in aggregate a major nonconformity.

104. Nonconformance may be evident when documents submitted by the CP are reviewed, or may be found during on-site audit activities.

105. Missing or inadequate documentation is a nonconformity. Examples include a missing SIA or missing necessary detail in service slice or E2E service design documents. These types of nonconformity are typically major; when detected at the audit planning stage they normally prevent further progress with the audit. The CP must rectify the nonconformity before planning can proceed.

106. Missing records or other documentation may also be discovered during on-site audits; the significance and quantity of missing or inadequate records or documentation determines whether the nonconformity is major or minor.

107. A nonconformity may be an absence of a required feature or control, or ineffective implementation or operation of a feature or control.

108. Any single absence of a security feature or control, or single failure by a CP or their ISMS to operate a security feature or control within the audit scope, is a nonconformity.

General Criteria

109. CESG Security Procedures, Telecommunications Systems and Services (reference [d]) is based upon ISO/IEC 27001:2013 (reference [c]). All of the mandatory requirements of ISO/IEC 27001:2013 (reference [c]), sections 4–10, are also mandatory under CAS(T). Failure to comply with any of these requirements is a major nonconformity.

110. CESG Security Procedures, Telecommunications Systems and Services, (reference [d]) includes additional mandatory requirements concerning plan-do-check-act activities, and which modify or add to the requirements above. Failure to comply with any of these requirements is a major nonconformity.

111. CESG Security Procedures, Telecommunications Systems and Services, (reference [d]) includes additional mandatory requirements concerning the availability of service slices or E2E services, and how this must be measured, calculated and reported. Failure to comply with any of these requirements is a major nonconformity, with the exception of provision of historical data for initial certification audits.

Criteria for Controls

112. CESG Security Procedures, Telecommunications Systems and Services, (reference [d]) designates whether each control is critical, mandatory or non-mandatory under CAS(T).

113. Critical and mandatory controls cannot be excluded. Failure to implement a critical or mandatory control effectively is a major nonconformity.

114. Auditors should use their judgement about what amounts to nonconformity concerning a control.

115. The following principles should be applied in deciding if a nonconformity with a critical or mandatory control is major or minor.

Major nonconformities include those where:

o A control is excluded from the SoA, but the scoping document does not support this

o A control is not implemented at all, or substantially not implemented

o A control is implemented, but for whatever reason has very poor effectiveness

o Substantial assets which should have the control applied to them (according to the scoping requirements) do not have it applied to them

Minor nonconformities include those where:

o A control is implemented, but a part of the guidance given under a control within CESG Security Procedures, Telecommunications Systems and Services (reference [d]) is not followed

o A control is substantially implemented, but has reduced effectiveness

o An asset, or class of assets, which should have the control applied to it (according to the scoping requirements and/or the ISMS documentation) does not have it applied

Chapter 6 - Assurance Maintenance

Key Principles

A tailored plan is developed and agreed with the CAS Authority to ensure that the certification of the service or service slice remains valid for the full three-year certification period

The ISMS will be reviewed at least annually to ensure the CP continues to manage the set of controls effectively

All mandatory controls will be audited over the three-year cycle

Surveillance Audits

116. A surveillance audit must take place at least every 12 months from the end of the initial certification audit. There may be more frequent surveillance audits if the CAS Company and CP agree to hold them or if they are required to manage the nonconformities found during an assessment.

117. Planning, conduct and reporting of a surveillance audit will not involve the CAS Authority unless:

The scope of the audit will lead to a change to the CAS certificate

The audit will review progress in resolving a major nonconformity; or

The audit identifies a new major nonconformity

118. Surveillance audits should concentrate on areas thought most at risk of nonconformity, based upon previous audit reports and subsequent information received from the CP (e.g. the SIA).

119. The CAS Company must review high and medium potential impact changes as part of its overall review of the SIA during scheduled audits, and aspects affected by the changes must be included in the scope of the next scheduled surveillance audit.

120. The audit scope for surveillance audits must include:

Appropriate oversight of the mandatory sections of ISO/IEC 27001:2013 (reference [c]), (sections 4-10). This must, as a minimum, cover risk assessment, management review, internal audit, corrective action and improvement, and should provide confidence that they remain in place and effective

Appropriate oversight of additional mandatory elements of CESG Security Procedures, Telecommunications Systems and Services, Chapter 2, amplified in Appendix A (reference [d]). Selection of controls for audit must ensure that all mandatory controls are fully audited within the lifetime of a certification. The audit should provide confidence that critical and mandatory controls that were audited earlier in the certificate cycle remain in place and effective

The additional mandatory elements of CESG Security Procedures, Telecommunications Systems and Services, Chapter 5 (reference [d]) in their entirety. Note that the additional mandatory requirements on historical availability must not be excluded from surveillance audits 12 months or later from the date of initial certification

Availability measurements, records and calculations for an E2E service (not a service slice). Historical availability data covering the period since initial certification and any root cause analysis must be presented as part of the audit documentation

Appropriate oversight of all information assets within the mandatory scope of the ISMS. This need not audit every type of asset in these sections, but should provide confidence that they remain secure at the level required by CAS(T). Normally every asset type should be audited at least once during the complete audit cycle

Special Audits

121. A Special audit is an audit outside the normal cycle of scheduled activities. It may be triggered by:

Changes of high potential impact in a certified system that are reported by the CP in a SIA, and which the CAS Company feels require audit

A request by a CP to change the scope of certification, or for other reasons

A complaint by a third party concerning the effectiveness of the ISMS which must be investigated

122. The scope of a special audit and the audit plan must be driven by the reasons for conducting it. For example, where an extension to scope is the reason, then the audit plan must ensure that all assets being brought into scope are properly secured in line with the policies, practices and controls of the existing ISMS. When a special audit is conducted because of a complaint, the audit must fully examine the factors likely to have contributed to any problem.

123. Planning, conduct and reporting of a special audit will not involve the CAS Authority unless:

The scope of the audit will lead to a change to the CAS certificate

The audit will review progress in resolving a major nonconformity; or

The audit identifies a new major nonconformity

124. CPs must provide all necessary documentation and access to permit review, planning, evidence collection and analysis for special audits in a timely manner.

Audit and Change Management

Roles and Responsibilities

125. The CAS Company must review the SIA when notified by the CP that changes in the high potential impact category have been added, substantially modified, or removed from the SIA, to determine whether any further audit action is required.

126. The CAS Company must review the SIA with other ISMS documentation as part of their routine scheduled audit activity.

127. The CAS Company should consider, in reviewing the SIA, whether in aggregate the set of medium potential impact changes should be considered a high potential impact. If this is the case, the appropriate response, including an additional on-site special audit, should be undertaken.

128. The CAS Company must conduct either a document review or a document review followed by a special audit in response to such changes. This decision will be based, in part, on the confidence gained by the CAS Company in its initial certification audit or previous surveillance audit, and on its confidence in the CP’s change management process. A review of the submitted documentation may be sufficient to give confidence that the change will not compromise the security of the system. In this case the assets affected by the change must be included in the scope of the next scheduled surveillance audit. It is anticipated that, where a number of high potential impact changes have been made, a special audit will be initiated such that there is no more than six months between either special audits or special audits and surveillance audits.

Non-Compliance due to changes

129. The policy on non-compliance of certified systems, as set out elsewhere in this document, applies if it is found that the change management process is not being operated correctly.

Changes that affect the certificate

130. The CAS Authority will update a certificate after a CAS Company:

Submits a satisfactory certification audit report; or

Confirms that it has reviewed a SIA and decided that a special audit will not be needed to assess changes

Recertification Audits

131. A recertification audit is carried out within three years of initial certification, and repeated on a three year cycle. CPs must submit the full, updated set of documentation as required for initial certification audit at the time of their recertification audit.

Appendix: High Availability Criteria

Key Principles

A high availability design approach must be used for any infrastructure to be certified. Availability targets are defined and used for assessment

Availability calculations, with documentation covering the method used, must be available to auditors

Availability records must be collected and analysed

Principles

132. CESG Security Procedures, Telecommunications Systems and Services (reference [d]) requires that a high availability design approach is used for any infrastructure to be certified, and sets an availability target which service slices or E2E service should be designed to meet.

133. Planned outages are typically not included in availability calculations, provided all Service Level Agreements (SLA) concerning notification have been complied with. Outages due to Matters Beyond Our Reasonable Control are also excluded from the calculations.

Management Approaches

134. Many “non-technical” factors, such as effective routine maintenance and administrative controls, deployment of critical patches, use of security appliances, and good physical and personnel security, can have a strong effect on availability. These are dealt with by control objectives and guidance elsewhere in CESG Security Procedures, Telecommunications Systems and Services (reference [d]). The availability documentation discussed here is concerned with “technical” measures to achieve the availability target in CESG Security Procedures, Telecommunications Systems and Services (reference [d]).

Technology Approaches

135. Various technical approaches can be used to increase predicted availability. The appropriate techniques depend upon the type of equipment or service to be protected.

136. The following list gives some examples of techniques for providing resilience. The list is not intended to be complete or prescriptive, but rather to illustrate the wide scope of the approaches available:

Backup of critical data and system information off-site

Backup of critical data and system information on-site

Database application clustering

Redundant server hardware

Storage Area Networks (SANs) with centralised mirroring using Redundant Array of Independent Disks (RAID) or similar

Redundant data paths and controllers to SANs

Individual disk or volume mirroring using RAID or similar

Hot-pluggable disks

Dual power supplies

Redundant host network cards, Local Area Network (LAN) switching and cabling

Failover control protocols to support LAN redundancy such as Virtual Router Redundancy Protocol (VRRP) and Rapid Spanning Tree Protocol (RSTP)

Failover controls in firewalls and servers

Failover between primary and secondary access links

Routing protocols with rapid convergence, such as Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF)

Routing and addressing designed for stability and problem isolation

Virtual IP and Media Access Control (MAC) addresses

Replicated network services, such as Dynamic Host Configuration Protocol (DHCP), Domain Name Service (DNS), Network Information Services (NIS), etc

Packet filtering to prevent Denial of Service (DoS)

Network load balancers and network redirectors

Spares management

Desktop dual-homing to critical applications

Effective capacity planning

Adequate air and power conditioning

Backup power and redundant air conditioning

Service Availability Calculations Example

137. In a network with 1,000 ports in total, and which experiences two outages in a 12-month period affecting 100 and 200 ports, and for durations of 5 minutes and 120 minutes respectively, the annual platform availability might be derived by calculating the total unavailable minutes, and calculating the equivalent downtime if this affected all ports equally. In the example below, a 12-month period (525,600 minutes) is used in the calculation. Note: this period (in this case 525,600 minutes) is denoted as T1 in reference [d].

Total downtime (minutes) = (100*5) + (200*120) = 24,500

Average downtime/port (Note: denoted as T0 in reference [d]) = 24,500/1,000 = 24.5 minutes

Percentage availability = [(525,600 – 24.5) / 525,600] * 100 = 99.995%
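The calculation above generalised to a list of outage records, as an added example that is not part of the handbook or of the CAS(T) scheme documents. It uses the T1 (audit period in minutes) and T0 (average downtime per port) notation as the handbook attributes it to reference [d], averages downtime per port as the worked example does, and excludes planned outages where the notification SLAs were met and Matters Beyond Our Reasonable Control outages, as paragraph 133 describes. The outage records, the `Outage` record layout and the availability target passed to `meets_target` are constructed sample values and assumptions for illustration; the handbook does not state the CAS(T) target figure in this section, so the target is a parameter rather than a fixed number.

```python
"""Service availability calculation generalised from the handbook's worked example.

Added example, not part of GPG 32. The record layout and sample data are
constructed for illustration; the availability target is a parameter because
the handbook does not give the figure here.
"""
from dataclasses import dataclass
from typing import Iterable, List

# 12-month audit period in minutes: 365 * 24 * 60 = 525,600 (T1 in reference [d]).
T1_MINUTES = 365 * 24 * 60


@dataclass
class Outage:
    """One outage record. Fields are an assumed layout, not a CAS(T) format."""
    ports_affected: int
    duration_minutes: float
    planned: bool = False       # scheduled maintenance outage
    sla_notified: bool = True   # notification SLA complied with (only matters if planned)
    mborc: bool = False         # Matters Beyond Our Reasonable Control


def counted_outages(outages: Iterable[Outage]) -> List[Outage]:
    """Return only the outages that count against availability.

    Planned outages are excluded only when the notification SLA was met;
    a planned outage without the required notification still counts.
    MBORC outages are excluded outright.
    """
    counted = []
    for o in outages:
        if o.mborc:
            continue
        if o.planned and o.sla_notified:
            continue
        counted.append(o)
    return counted


def total_downtime_minutes(outages: Iterable[Outage]) -> float:
    """Port-minutes of downtime: sum over counted outages of ports * duration."""
    return sum(o.ports_affected * o.duration_minutes for o in counted_outages(outages))


def average_downtime_per_port(outages: Iterable[Outage], total_ports: int) -> float:
    """T0: the equivalent downtime if the total were spread evenly over all ports."""
    if total_ports <= 0:
        raise ValueError("total_ports must be positive")
    return total_downtime_minutes(outages) / total_ports


def percentage_availability(outages: Iterable[Outage], total_ports: int,
                            period_minutes: float = T1_MINUTES) -> float:
    """[(T1 - T0) / T1] * 100, matching the handbook's formula."""
    t0 = average_downtime_per_port(outages, total_ports)
    return (period_minutes - t0) / period_minutes * 100.0


def meets_target(outages: Iterable[Outage], total_ports: int, target_percent: float,
                 period_minutes: float = T1_MINUTES) -> bool:
    """True if the measured availability reaches the given target percentage."""
    return percentage_availability(outages, total_ports, period_minutes) >= target_percent


# Constructed sample: the handbook's two outages (100 ports for 5 minutes,
# 200 ports for 120 minutes) plus a planned outage with notification met and
# an MBORC outage, both of which are excluded from the calculation.
SAMPLE_PORTS = 1000
SAMPLE_OUTAGES = [
    Outage(ports_affected=100, duration_minutes=5),
    Outage(ports_affected=200, duration_minutes=120),
    Outage(ports_affected=1000, duration_minutes=60, planned=True, sla_notified=True),  # excluded
    Outage(ports_affected=300, duration_minutes=30, mborc=True),                        # excluded
]

if __name__ == "__main__":
    # Assumed target for illustration only; not the CAS(T) figure.
    assumed_target = 99.99
    print("Total downtime (port-minutes):", total_downtime_minutes(SAMPLE_OUTAGES))
    print("T0 average downtime per port:", average_downtime_per_port(SAMPLE_OUTAGES, SAMPLE_PORTS))
    print("Availability: %.3f%%" % percentage_availability(SAMPLE_OUTAGES, SAMPLE_PORTS))
    print("Meets assumed target:", meets_target(SAMPLE_OUTAGES, SAMPLE_PORTS, assumed_target))
```

With the sample data the two excluded records drop out and the result reproduces the handbook's figures: 24,500 port-minutes, T0 of 24.5 minutes and 99.995% availability. An auditor checking a CP's calculation can feed the CP's own outage log into the same functions and confirm both the arithmetic and that only outages meeting the stated exclusion conditions were left out.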

138. To adapt this approach to service slices for CESG Security Procedures, Telecommunications Systems and Services (reference [d]), some modifications were required:

A service slice can be any set of infrastructure. It might be, for example, an MPLS core network providing packet transport, or the set of voice servers, application servers, media servers and gateways providing voice service functionality, or a data centre housing local LAN components, database applications and data repositories

All calculations of an E2E service availability must be carried out over a 12 month period, and for audit purposes this should be the 12 months immediately preceding the audit process

References

Unless stated otherwise, these documents are available from the CESG website. Users who do not have access should contact CESG Enquiries to enquire about obtaining documents.

[a] Process for performing CESG Assured Service (CAS) assessments, version 1.2, October 2013. Available at www.cesg.gov.uk/servicecatalogue/service_assurance/CAS/page/scheme-lib http://process/

[b] CESG Assured Service CAS Service Requirement Telecommunications, Issue 1.1, October 2015. Available at www.cesg.gov.uk/servicecatalogue/service_assurance/CAS/pages/service-requirements

[c] ISO/IEC 27001:2013 Information technology – Security techniques - Information Security Management Systems - Requirements

[d] CESG Security Procedures, Telecommunications Systems and Services - latest issue available from the CESG website.

[e] ISO/IEC 27006:2011 Information Technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems

[f] Security Policy Framework

[g] CESG Test Laboratory General Operational Requirements, version 1.6, August 2013. Available at www.cesg.gov.uk/servicecatalogue/service_assurance/CAS/pages/Scheme-Library

[h] ISO 19011:2011 Guidelines for quality and/or environmental management systems

Abbreviations

BSS Business Support System

CAS CESG Assured Service

CAS(T) CESG Assured Service (Telecoms)

CP (Tele)communications Provider

CPD Continuing Professional Development

DHCP Dynamic Host Configuration Protocol

DNS Domain Name Service

DoS Denial of Service

DSL Digital Subscriber Line

E2E End-to-End

EDGE Enhanced Data Rates for GSM Evolution

EIGRP Enhanced Interior Gateway Routing Protocol

GERAN GSM EDGE Radio Access Network

GPG Good Practice Guide

GPRS Generalised Packet Radio System

GSM Global System for Mobile Communications

HLD High Level Design

HMG Her Majesty’s Government

HSPA High Speed Packet Access

IA Information Assurance

IEEE Institute of Electrical & Electronic Engineers (USA)

IP Internet Protocol

IRCA International Register of Certificated Auditors

ISDN Integrated Services Digital Network

ISMS Information Security Management System(s)

ISO International Standards Organisation

LAN Local Area Network

LLU Local Loop Unbundling

MAC Media Access Control

MPLS Multi Protocol Label Switching

MPLS-TE MPLS Traffic Engineering

MSAN Multiservice Access Nodes

NDA Non-Disclosure Agreement

NIS Network Information Services

OSPF Open Shortest Path First (routing protocol for IP)

OSS Operational Support System

OSS/J OSS through Java

PDH Plesiochronous Digital Hierarchy

PE Provider Edge

POP Point Of Presence

PSTN Public Switched Telephone Network

RAID Redundant Array of Independent Disks

RSTP Rapid Spanning Tree Protocol

SAN Storage Area Networks


SDH Synchronous Digital Hierarchy

SIA Security Impact Analysis

SIGTRAN Signalling Transport

SIP Session Initiation Protocol

SLA Service Level Agreement

SoA Statement of Applicability

SOAP Simple Object Access Protocol

STP Spanning Tree Protocol

UKAS United Kingdom Accreditation Service

UMTS Universal Mobile Telecommunications System

UTRAN UMTS Terrestrial Radio Access Network

VoIP Voice over IP

VPN Virtual Private Network

VRRP Virtual Router Redundancy Protocol

VSAT Very Small Aperture Terminal

WDM Wavelength Division Multiplexing

WLL Wireless Local Loop


Glossary

Where common terminology with other ISO standards is used such as ISO/IEC 27001:2013, then terms normally have the meaning set out in that document.

Accredited Training Provider An Accredited Training Provider is a training provider which has been approved by the CAS Authority to deliver the Lead Assessor Conversion Course.

Audit An Audit is a systematic, independent and documented process for obtaining Audit Evidence and evaluating it objectively to determine the extent to which the Audit Criteria are fulfilled.

Audit Conclusion The Audit Conclusion is the outcome of an Audit, provided by the Audit Team after consideration of the audit objectives and all Audit Findings.

Audit Criteria The Audit Criteria are the set of policies, procedures or requirements used as a reference against which Audit Evidence is evaluated.

Audit Evidence Audit Evidence consists of records, statements of fact or other information which are relevant to the Audit Criteria and verifiable. They may be qualitative or quantitative.

Audit Findings Audit Findings are the results of the evaluation of the collected Audit Evidence against the Audit Criteria. When Certification is an objective of the Audit, the findings are reported as recommendations to the Certification Body.

Audit Period The Audit Period is the period between routine initial and surveillance certification audits, normally 12 months.

Audit Plan An Audit Plan is used to define proposed on-site audit activities and to agree these between CP and CAS Company ahead of visits to CP sites.

Audit Team An Audit Team is a set of one or more Auditors conducting an audit under CAS(T), and supported as necessary by Technical Experts.

CAS Authority The CAS Authority in CESG manages the CAS(T) scheme and acts as the Certification Body for CAS(T).

CAS(T) CAS(T) is the complete set of governance, policies, procedures, standards and guidance that enable assessment of compliance with the CESG Assured Service CAS Service Requirement Telecommunications (Reference [b]).

Certificate A Certificate is issued by a Certification Body and bears an accreditation symbol or statement. It may also be a letter of accreditation or other evidence of certification, as determined by the CAS Authority.


Certificate Scope A Certificate Scope is a concise statement of the Services and Service Slices that have been certified.

Certification Audit A Certification Audit is any third party audit which contributes directly to the granting, renewal or revocation of a Certificate by a Certification Body. This includes initial audits, surveillance audits, special audits and recertification audits.

Certification Body A Certification Body is a third party that awards certificates confirming that an organisation meets the requirements of a standard. The CAS Authority in CESG is the Certification Body for CAS(T).

Certified Service A Certified Service is a service delivered entirely over infrastructure certified to CAS(T), and asserted as such by a CP.

Change Management Change Management is the process by which changes to Services and Service Slices that have been certified, or are undergoing certification, are managed by a CP.

Communications Provider A Communications Provider is an organisation requesting external audit under CAS(T) from a CAS Company and certification under CAS(T) from the CAS Authority.

Critical Applications Critical Applications are OSS/Business Support System (BSS) applications that can directly affect continued operation of the certified service.

Critical Equipment Critical Equipment is equipment which delivers the certified service directly, normally all network elements and any in-line OSS/BSS components such as pre-paid billing and Authentication, Authorisation and Accounting (AAA) applications.

Critical Equipment Area A Critical Equipment Area is any area housing critical equipment. This may be operated by the CP, operated by another CP (for example sites providing access to wholesale services), or operated by a third party (for example where a co-location or hosting service is being used by the CP).

Customer A Customer is an individual or organisational user of certified services.

Customer Data Customer Data is data sent or stored by or on behalf of customers using the certified service. Customer related data such as billing addresses and payment details held by CPs to enable their business functions is not customer data under this definition.

Environmental and Other Services Environmental and Other Services are utilities such as power, back-up power, and air-conditioning.

Imin Imin is the minimum number of service instances for which an outage must be recorded. The value of Imin is 30.


Lead Assessor A Lead Assessor is a qualified ISO/IEC 27001 Lead Auditor who also satisfies the CAS(T) Lead Assessor requirements.

Lead Assessor Conversion Course The Lead Assessor Conversion Course is a one-day course intended primarily for existing ISO/IEC 27001:2013 Lead Auditors; it provides the additional skills necessary to lead audits under CAS(T).

Privileged Access Privileged Access means access beyond that of an unprivileged user; it includes system administration rights, and rights to carry out software or hardware support.

SIA A Security Impact Analysis (SIA) is produced and maintained by the CP as part of their Change Management process to document planned changes to certified service slices, and how any associated risks will be managed.

Service A Service is a combination of one or more Service Slices which produces an end-to-end service available to customers.

Service Slice A Service Slice may be any individual component or combination of components that can form a modular service to be used within the scope of a certified end-to-end service. In theory, if an end-to-end service is small enough, it may be completely addressed by a single Service Slice. More commonly, end-to-end services will be made up of multiple Service Slices.

Target Availability The Target Availability is the availability which must be met or exceeded by service slices and services certified to CAS(T). The target availability is 99.95%, as measured using the methods defined in this standard.

Technical Expert A Technical Expert provides specific knowledge or expertise to the Audit Team. Technical Experts need not be Auditors, but must fulfil the Technical Expert Pre-requisites (defined elsewhere in this document) required for any Audit in which they act as a Technical Expert.

Technical Expert Competencies Technical Expert Competencies are used to demonstrate that a Technical Expert is competent and qualified to assist on a specific Audit. CAS Companies must maintain records of their Technical Experts and which pre-requisites they meet, so that suitable experts can be selected to assist each audit team as necessary.

Tmin Tmin is the minimum recordable outage period as defined in this standard. The value of Tmin is 30 seconds.


User Access User Access means normal access as an unprivileged user to applications which are intended to add, delete or modify service instances.

Utilities Utilities are services which support the delivery of the live certified service, including power supply, backup power supply, air conditioning, and fire / flood detection and protection systems. Services not directly supporting the live service, such as warehousing and building maintenance are not considered utilities for the purpose of this standard.
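The availability measurement that the glossary entries for Imin, Tmin and Target Availability describe, together with the requirement above that E2E availability be calculated over the 12 months preceding the audit, is shown here as a worked calculation. This is an added example and is not code from GPG 32 or from the CAS(T) specification. Only the three constants (Tmin = 30 seconds, Imin = 30 instances, target 99.95%) and the 12-month window come from the page; the outage records and dates are constructed, and the availability formula (one minus recorded downtime over the measurement period), the clipping of outages to the window, and the merging of overlapping outages on different slices so that concurrent downtime is not double-counted are assumptions about a reasonable method, not the standard's own rules.

```python
from dataclasses import dataclass
from datetime import datetime

# Values taken from the GPG 32 glossary.
T_MIN_SECONDS = 30            # Tmin: minimum recordable outage period
I_MIN_INSTANCES = 30          # Imin: minimum affected service instances for an outage to be recorded
TARGET_AVAILABILITY_PCT = 99.95


@dataclass(frozen=True)
class Outage:
    slice_name: str           # which Service Slice the outage was raised against
    start: datetime
    end: datetime
    instances_affected: int

    @property
    def duration_seconds(self) -> float:
        return (self.end - self.start).total_seconds()


def is_recordable(outage: Outage) -> bool:
    """An outage is recorded only if it lasts at least Tmin and affects at least Imin instances
    (assumed reading of the glossary definitions)."""
    return (outage.duration_seconds >= T_MIN_SECONDS
            and outage.instances_affected >= I_MIN_INSTANCES)


def recorded_downtime_seconds(outages, period_start, period_end) -> float:
    """Total E2E downtime inside the measurement window.

    Assumptions (not from the standard): outages that straddle the window edge are clipped
    to it, and overlapping outages on different slices are merged, because the end-to-end
    service is down only once however many slices are failing at the same time.
    """
    intervals = []
    for o in outages:
        if not is_recordable(o):
            continue
        s, e = max(o.start, period_start), min(o.end, period_end)
        if e > s:
            intervals.append((s, e))
    intervals.sort()
    merged = []
    for s, e in intervals:
        if merged and s <= merged[-1][1]:          # overlaps or touches the previous interval
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return sum((e - s).total_seconds() for s, e in merged)


def availability_percent(outages, period_start, period_end) -> float:
    period = (period_end - period_start).total_seconds()
    return 100.0 * (1.0 - recorded_downtime_seconds(outages, period_start, period_end) / period)


def meets_target(outages, period_start, period_end) -> bool:
    return availability_percent(outages, period_start, period_end) >= TARGET_AVAILABILITY_PCT


# Constructed audit window: the 12 months preceding an audit on 1 December 2015 (365 days).
PERIOD_START = datetime(2014, 12, 1)
PERIOD_END = datetime(2015, 12, 1)

# Constructed outage log for an E2E service built from three slices.
SAMPLE_OUTAGES = [
    # Straddles the window start: only the hour inside the window counts.
    Outage("mpls-core", datetime(2014, 11, 30, 22, 0), datetime(2014, 12, 1, 1, 0), 400),
    Outage("mpls-core", datetime(2015, 3, 10, 2, 0), datetime(2015, 3, 10, 2, 45), 500),
    # 20 seconds: below Tmin, not recordable even though many instances were hit.
    Outage("voice", datetime(2015, 6, 2, 10, 0, 0), datetime(2015, 6, 2, 10, 0, 20), 1200),
    # Two hours but only 12 instances: below Imin, not recordable.
    Outage("data-centre", datetime(2015, 8, 15, 14, 0), datetime(2015, 8, 15, 16, 0), 12),
    # Two overlapping outages on different slices: merged to 08:00-10:15 (8100 s), not 10800 s.
    Outage("voice", datetime(2015, 9, 20, 8, 0), datetime(2015, 9, 20, 9, 30), 80),
    Outage("data-centre", datetime(2015, 9, 20, 8, 45), datetime(2015, 9, 20, 10, 15), 200),
]

if __name__ == "__main__":
    down = recorded_downtime_seconds(SAMPLE_OUTAGES, PERIOD_START, PERIOD_END)
    avail = availability_percent(SAMPLE_OUTAGES, PERIOD_START, PERIOD_END)
    print(f"recorded downtime: {down:.0f} s, availability: {avail:.4f}%, "
          f"meets {TARGET_AVAILABILITY_PCT}% target: {meets_target(SAMPLE_OUTAGES, PERIOD_START, PERIOD_END)}")
```

With the constructed log the recorded downtime is 14 400 seconds (3600 + 2700 + 8100) against an allowance of 15 768 seconds for 99.95% over 365 days, so the service passes; summing the two overlapping September outages separately would give 17 100 seconds and a false fail, which is why the merge step matters for an auditor checking a CP's figures.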


CESG provides advice and assistance on information security in support of UK Government. Unless otherwise stated, all material published on this website has been produced by CESG and is considered general guidance only. It is not intended to cover all scenarios or to be tailored to particular organisations or individuals. It is not a substitute for seeking appropriate tailored advice.


CESG Enquiries Hubble Road Cheltenham Gloucestershire GL51 0EX Tel: +44 (0)1242 709141 Email: [email protected] © Crown Copyright 2015