Thank you Richard. This is very helpful. I will pass it along to the IT staff and ask them to implement it. This description may be more informative for what they need to understand.

Yes I have already spoken with UKAS to understand how we might get certified to do 27001 certifications. When they schedule our 17065 accreditation, as I understand it, we can ask to expand it to include 27001. We are making plans to do that. Once that is done, we should be able to move over to the US. Now that UKAS has come back to DSIT basically requesting some minor tweaks to the DIATF, it's my understanding that they will accredit the scheme and then finally accredit us. We have paid our fees, including a pre-assessment. We've just been waiting to get on their schedule. I can't believe how long it is taking!!

I am likely bringing on a part-time UK person soon who will have enough technical knowledge to work with me so that we can add 27001 to our certifications. Are you certified as an auditor to do 27001 audits? I know one of our auditors has been but I don't know if any others have.

At any rate, first to get approved ourselves. I think in the UK in particular that will be very useful to be able to offer our clients. I don't have a good sense of the market need in the US of 27001 certification. Do you think we would find a demand?

Thanks for forwarding the information.
Best regards,
Kay

Kay Chopard | Executive Director
Twitter: @KantaraNews
LinkedIn: @KantaraInitiative

On Thu, Oct 5, 2023 at 1:02 PM Richard G. WILSHER (@Zygma Inc.) <RGW@zygma.biz> wrote:

In response to your comments in this vein Kay (IAWG mtg 2023-10-05), the first two thoughts into my head are:

1) Secure the TSL. This document is fundamental to KI’s being and a lot of parties (Approved CSPs, Accredited Assessors and those seeking the services of those listed on it) rely upon its integrity and availability. Our TSL follows the principles of the Trust List defined in the attached ETSI standard. However, it is not hosted as an electronic list in the manner described in that standard and therefore it is not cryptographically signed nor machine searchable. The standard goes into some depth to describe the purpose and structure of each element plus it allows for list-owner specific extensions where required. I daresay there are apps which can support the populating and provisioning of such lists, though I’ve not recently explored this.
The key point however is that we would have a secure digitally-signed list in a manner which adopts a defined standard, which is what we’re all about.

2) Getting certified against IS27001 wouldn’t be a bad idea. Lead from the front!


Happy to contribute further in exploring these points.


Richard G. WILSHER
CEO & Founder, Zygma Inc.
www.Zygma.biz
+1 714 797 9942