ISO 17025 and Requirements for Security Labs and Testing
When we discuss cybersecurity, it’s most often done in the context of audits, assessments, or certifications. However, specific systems and components require more stringent testing standards, ensuring that the technology functions correctly and securely after construction or during ongoing operational use.
To support the testing and assurance of these components, the National Institute of Standards and Technology (NIST) operates a program to align testing and laboratory standards with ISO 17025, the international framework for laboratory calibration and competence.
What Is ISO 17025?
International Organization for Standardization (ISO) 17025:2017, “General Requirements for the Competence of Testing and Calibration Laboratories,” was developed by the ISO/IEC to provide a framework for the confidence and integrity of testing laboratories.
What constitutes a testing laboratory is open to interpretation, and the ISO standard discusses lab standards across myriad industries and applications. However, some overarching requirements are defined in the document that all labs are expected to adhere to.
These requirements include:
- General Requirements: Labs should conduct tests with impartiality, with structured operations that guarantee practices are carried out that way. Labs are responsible for objectivity and for identifying risks to fair review and testing procedures. Furthermore, labs must maintain the confidentiality of private information during testing.
- Structural Requirements: Labs must be a legal entity that may be held responsible under applicable ISO requirements and government regulations. This includes having a well-defined management structure with communication regarding responsibilities, system integrity, and change management.
- Resource Requirements: Labs will deploy appropriate and available personnel, resources, facilities, equipment, and systems to support and manage testing and quality assurance. This includes documenting the competence of employees, maintaining effective and required environmental conditions, and implementing equipment that meets or exceeds requirements for testing.
- Process Requirements: A lab must have administrative procedures to review contracts and testing requests. This lab must also demonstrate that it can conduct tests or QA in response to contractual requirements. Finally, the lab must document the selection, verification, and validation of the testing methods.
- Management System Requirements: Labs must have a management system to support and demonstrate lab and testing achievements. This includes written and documented proof of QA testing results, assessments of testing results’ quality, and policies related to ensuring testing and operational processes.
Impact of ISO 17025 and Cybersecurity
As part of its National Voluntary Laboratory Accreditation Program (NVLAP), NIST has integrated the standards of ISO 17025 into federal requirements and standards. This program aims to create a standardized approach to testing critical systems related to national security, infrastructure, or government operations.
Many of these requirements will apply to testing and laboratory standards related to construction, building, and calibration services (including testing requirements for efficient lighting products, asbestos analysis, and carpet installation).
Several accreditation programs specifically refer to technologies integral to the functioning of cybersecurity systems. These include:
- Biometrics Testing: Under request from the Department of Homeland Security (DHS), NIST (as part of NVLAP) has established a Biometrics Laboratory Accreditation Program. This program certifies labs testing biometric hardware and software systems to ensure that tested equipment meets federal standards.
- Common Criteria Testing: Common Criteria is an established, international set of specifications used to evaluate IT security products and services for implementation in government systems. The NVLAP standard invokes ISO 17025 and NIST Handbook 150-20 to define proper testing requirements for products such as firewalls, malware detectors, and data destruction utilities.
- Cryptographic and Security Testing: Labs can and should test cryptographic modules, algorithms, and hardware to ensure that they perform their function without fault or accidental (or malicious) backdoors that could break cryptography.
- Healthcare Information Technology: IT systems securing healthcare information must follow the rules and regulations of HIPAA and HITECH. As such, labs may be responsible for testing security capabilities in IT systems that carry Electronic Health Records (EHR).
- Voting Machine Testing: The increased reliance of government agencies on electronic voting machines has necessitated laboratory requirements that can assure that votes are counted and recorded accurately, that the machines are tamper-proof, and that they have proper security measures in place to identify damaged or altered information.
Is NVLAP Accreditation the Same as ISO 17025?
In order for a lab to pursue and gain accreditation under ISO 17025, it must work with an accrediting body that can conduct assessments and provide proof of compliance. Some accreditation bodies, like the American Association for Laboratory Accreditation (A2LA) or the American Accreditation Association (AAA), provide certification for 17025 that organizations can use to demonstrate adherence.
NVLAP is much like these accreditation bodies. Rather than functioning as an independent organization, NVLAP is run by NIST to align accreditation with Federal Codes and laws related to quality assurance, security, and operational integrity.
In many ways, an NVLAP accreditation can be seen as an accreditation under ISO 17025, but aligned with certain government principles and priorities.
Cybersecurity, Lab Testing, and Continuum GRC
NVLAP, we believe, is the first step in a larger and more centralized approach to QA and testing integrity in the realm of national cybersecurity defense. As such, digital labs working on security software, biometric hardware, or other related systems must prepare for their ISO 17025 accreditation.
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- FedRAMP
- StateRAMP
- NIST 800-53
- FARS NIST 800-171
- CMMC
- SOC 1, SOC 2
- HIPAA
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.