- at IL3, product assurance to CC 2/3, service assurance under the Future
Assurance Model and use of Low Tailored Assurance for system assurance
should be used; a CHECK audit of the service may be required
in some cases and Confidentiality IL3 services should be subject to formal
accreditation (and an ISO 27001 audit where relevant). [Table 2 deleted]
38 Routine activities such as antivirus updates or security and bug patches are not expected to fall into this
category, and should be documented within the supporting documentation for accreditation. However, a
decision to reaccredit might be required following a major patch (Windows XP SP2 is a good example of
such a patch).
39 Calculated at the high-water mark of the impact levels attracted to confidentiality, integrity
and availability. For example, a service attracting Confidentiality IL0, Integrity IL0 and Availability IL1 should
consider the best-practice process at IL1.