ISO/IEC 21827:2008 Certification
ISO/IEC 21827:2008, also known as Systems Security Engineering - Capability Maturity Model (SSE-CMM), provides a framework for assessing and improving the maturity of security engineering processes within an organization. Certification provides independent verification that the management system conforms to applicable requirements.
What is ISO/IEC 21827:2008?
ISO/IEC 21827:2008 describes the essential characteristics of an organization's security engineering processes. It does not prescribe a specific process or sequence but provides a structured model for evaluating capability and maturity across security engineering activities.
The model applies to activities such as development, operation, maintenance, and decommissioning, and addresses interactions across organizational, technical, and management functions.
Key Aspects of ISO/IEC 21827:2008
- Framework for assessing maturity of security engineering processes
- Coverage of lifecycle activities including development, operation, maintenance, and decommissioning
- Integration with organizational, engineering, and management functions
- Interaction with related disciplines such as software, hardware, and system engineering
- Applicability across organizational and inter-organizational activities
Objective
The objective of ISO/IEC 21827:2008 is to enhance the capability and maturity of security engineering processes within an organization. The model can be used alongside other capability maturity models related to different engineering disciplines.
Structure of ISO/IEC 21827:2008
1. Introduction and Scope
2. Normative References
3. Terms and Definitions
4. Background
5. Structure of the Document
6. Model Architecture
7. Security Base Practices
Annexes
Annex A - Generic Practices
Annex B - Project and Organizational Base Practices
Annex C - Capability Maturity Model Concepts
Annex D - Generic Practices
Importance of ISO/IEC 21827 Certification
- Provides a structured approach for evaluating security engineering process maturity
- Supports consistency in security engineering activities
- Enhances control over security-related processes
- Strengthens the confidence of interested parties
- Facilitates alignment with internationally recognized practices
ISO Certification Process
The certification process is conducted in accordance with applicable standards and established audit principles, ensuring impartiality, consistency, and transparency.
Step 1 - Inquiry and Application Submission
The process is initiated upon receipt of an inquiry and a completed application form, providing details of the organization's activities, the intended scope of certification, and other relevant information.
Step 2 - Application Review and Confirmation
The application is reviewed to determine the scope of certification, audit requirements, and necessary arrangements for the certification process.
Step 3 - Stage 1 Audit Planning
An audit plan for Stage 1 is prepared and communicated, defining the scope, objectives, and schedule of the audit.
Step 4 - Stage 1 Audit Conduct
A Stage 1 audit is conducted to evaluate management system documentation, assess site-specific conditions, and determine readiness for Stage 2.
Step 5 - Stage 2 Audit Planning
Following Stage 1, a detailed audit plan for Stage 2 is established for evaluating the implementation and effectiveness of the management system.
Step 6 - Stage 2 Audit Conduct
A Stage 2 audit is conducted to assess conformity of the management system with the applicable standard requirements.
Step 7 - Certification Decision and Issue of Certificate
An independent review of audit findings is carried out prior to the certification decision. Upon a positive certification decision, the certificate is issued.