Global software standard gets seal of approval

By Felicity Ussher

Published: 16 December 1998 15:40 GMT

An international benchmark for evaluating software security will be rubber-stamped this week by the ISO (International Organisation for Standardisation). The Common Criteria (CC) will enable users to compare the quality of software across international markets.

ISO's technical management is finalising a draft of the standard this week. It will then be released for a two-month period of feedback, prior to final publication in May or June 1999.

Nigel Hickson, who represents the Department of Trade and Industry's Information Security Policy Group, told Silicon.com: "This is good news for everyone that matters. It will give users greater choice in choosing software and it will mean one single accreditation for software manufacturers."

Hickson said only the evaluation industry would lose out, as CC would introduce global competition. "But this is all to the good of the user," he added. There are currently five software evaluators in the UK, including IBM, Logica and Admiral.

The governments of the UK, US, Canada, France, Germany and the Netherlands devised CC as an alternative to the US testing scheme Tcsec, Canada's Ctcpec and Europe's Itsec. The schemes enable users to find products with the right level of security for their needs.

Some software evaluators already use CC, but the ISO standard is expected to boost its usage. Krystyna Passia, who represents ISO sub-committee 27, said that she was already receiving enquiries from Israel, Singapore and Indonesia. Hickson estimated it would take CC five years to replace Itsec altogether.

Passia said a draft of the ISO standard would be published any day now. The industry will have until March 1999 to give its comments.

Copies of the draft standard will be available from the British Standards Institution for a small charge (www.bsi.org.uk), and from ISO's other members worldwide.
