How does Common Criteria relate to ISO 27001?

ISO 27001:2013 is a standard that covers a company’s Information Security Management System (ISMS).  The big change between the 2005 version and the 2013 version of ISO 27001 is that all risk is now described in terms of protecting information.

  • Where is the company’s information stored?
  • How is the company’s information secured while in transit?
  • Who has access to the company’s information?

It is no longer asset based, but information based.  The Risk Assessment starts from information, not from IT products.  In previous releases of the ISO 27001 standard all controls had to come out of Annex A; that is no longer the case.  A rationale can be given for other controls that are in use.  For example, NIST 800-53 controls can be described.  The majority of the standard is about planning.  Controls are not specifically described within the body of the standard; they are detailed in Annex A.

The Risk Assessment identifies risks and the controls that will be implemented to mitigate them.  For example, company A has customer data secured in a database.  Instead of focusing on the database that stores the information, the standard now focuses on the customer data and how to protect it.  The controls in Annex A must be reviewed, and an explanation given of which controls will be used to secure the data.  Controls outside of Annex A can also be described.  For example, all sessions to the database will be encrypted using SSHv2 or TLS1.1/1.2 according to NIST 800-53.  Privileged roles will be configured on the database so that administrators have varied access based on their specific role.

Clause 7 requires that the ISMS be established, maintained, and improved.

Documented records are required to show that the ISMS is in use and maintained.

Organizations must have a policy for external and internal auditing.

Clause 8 requires that a change control process be in place.  This covers any IT-related changes to in-production assets (e.g. routers, databases, web servers), and these changes have to be documented.

The focus of ISO 27001:2013 is on information security and on integrating the plans, processes, and controls into the company’s processes, policies, and procedures.  It is focused on information security, not IT security, although IT security controls may be implemented to secure the information.

Common Criteria relates to this in that products that have been Common Criteria certified will meet the NIST 800-53 controls and map to the ISO 27001 Annex A controls.  A direct mapping of Common Criteria requirements to NIST 800-53 controls is provided on the NIAP web site, posted alongside each Protection Profile.  Links to the NDcPP requirements mapping and related control mappings are provided below.

  • NDcPP mapping to NIST 800-53
  • ISO 27001 (Annex A) mapped to NIST 800-53
  • Map of NIST 800-53 and PCI