Accreditation: Putting cyber security to the test
With over 2,000 members of staff working in 17 offices across the UK, Europe, North America, Asia Pacific and United Arab Emirates, NCC Group is one of the world’s leading cyber security companies. Headquartered in Manchester UK, the company provides a range of cyber security and managed services, as well as software escrow and verification, to over 15,000 customers worldwide. These services include CREST-certified Security Operation Centre service, NCSC-recognised Level 2 Computer Incident Response Team capabilities as well as security testing across a range of cyber and physical systems and cyber consultancy services, often in conjunction with market-leading technology partners.
Since 2013, NCC Group’s security testing services have been UKAS accredited against ISO/IEC 17025, the international standard for testing laboratories. In addition to work conducted at its Manchester and Cheltenham labs, the scope of accreditation covers testing performed onsite at customers’ premises. Explaining the motivations behind seeking UKAS accreditation, Shabrez Raja the company’s CLEF Technical and Quality Manager said:
“As experts in information security and risk mitigation, we understand the responsibility to demonstrate and promote best practice within our own business. Achieving UKAS accreditation is a recognition of both our deep technical capability and commitment to exceed best practice. An equally important factor is the commercial advantage that accreditation can provide, whether by opening up new markets entirely or by making it easier for customers to differentiate our services from competitors.”
Enhancing customer assurance
Procurement of a cyber assurance partner is a hugely important step for any organisation. Outlining the effect accreditation has on attracting customers Shabrez said: “Cyber assurance is a business critical function for many of our customers and holding UKAS accreditation is essential for getting through the door. This is fairly standard practice for customers working in heavily regulated industries, such as defence, finance, technology and critical national infrastructure. Equally, there are a number of major customers that use us not because they have to, but because the accreditations that we hold provide the assurance that critical security capabilities are being placed in safe hands.”
The increasing awareness of the importance of managing cyber risk across all industry sectors has provided NCC Group with interest from customers of all shapes, sizes and industries. Whether new or long-standing, all of NCC Group’s customers want to ensure their suppliers and bodies they work with take both security and quality seriously, as well as follow industry recognised standards and best practices. Highlighting how accreditation helps customers with their supplier management processes, Shabrez said: “We are regularly audited by customers to provide assurance and to support their own supply chain due diligence and vendor management programmes. Being UKAS accredited often speeds up and significantly mitigates this auditing process, making NCC Group a more attractive proposition than non-accredited companies.”
Delving further into the role that accreditation has in generating customer confidence in the quality and technical competence of NCC Group’s services, Shabrez said:
“Accreditation is important to customers as it ensures the work we do is objective and accurate. Customers appreciate that under accreditation we are able to demonstrate technical competence, prove impartiality, safeguard repeatability and verify the accuracy of results. Accreditation provides a level of assurance to our customers that our processes and procedures have been independently assessed by an external and respected entity, creating a robust chain of trust.”
Embedding quality
In addition to opening up new markets and helping to maintain customer confidence, being UKAS accredited has become a crucial part of NCC Group’s service proposition, governance and quality management processes. Shabrez said: “As a high-profile cyber security provider, our networks and people have been targets for attack from some of the most sophisticated exponents of cybercrime for decades, even before a former CEO challenged the hackers of the world to ‘bring it on’! Likewise, the services we provide are delivered on behalf of the biggest firms in the world that are faced by the same issues. The discipline of internal governance is a fundamental part of our ability to keep on top of the threats to our business. Ensuring the integrity of our systems and the quality of our services through accreditation is therefore vital to maintaining our internal operations and hard-earned reputation.”
Adhering to ISO/IEC standards forms the basis of NCC Group’s approach to quality management. Going through the accreditation process against these standards has helped the company refine internal processes, as Shabrez explains: “The accreditation cycle supports the concept of continual development and improvement, with an eye to forming a risk-based approach on our internal auditing. Naturally, having the quality management system audited by external parties helps bring in valuable experience and practices from other domains. Added to that, there is a lot of interoperability between accredited standards and other industry standards we follow, such as the NIST Cybersecurity Framework. This synergy helps ensure that quality, impartiality and consistent working practices are maintained across the board.”
Extending the scope and influence of accreditation
Gaining accreditation to ISO/IEC 17025 has proved to be a great grounding for NCC Group, in terms of embedding and demonstrating quality as well as opening up new markets with increased client recognition and confidence. Shabrez said: “Having seen the benefits of gaining UKAS accreditation to ISO/IEC 17025 for our testing services, we are now exploring the possibility of working towards accreditation to ISO/IEC 17020 and ISO/IEC 17065 standards. If successful, this would enable us to deliver and derive the same benefits for our systems inspection and product certification services respectively.”
NCC Group also believes that assurance schemes are an integral part of raising the security level for the whole cyber security industry. Shabrez concludes: “Without a requirement for accreditation, customers will often choose the cheapest provider without taking into consideration the wider implications and assurances that come with accreditation schemes. It is therefore essential that credible organisations lead the way in promulgating those standards and schemes that truly represent industry best practice. With the threat landscape (and required level of assurance/protection) constantly evolving in cyber security, this further enhances the need for accreditation to ensure a certain level of assurance is applied to the underlying security and quality principles.”