CESG Assured Service (Telecoms), or CAS(T), supports the pan-government Public Sector Network (PSN) programme, which requires that all telecoms services procured by public sector bodies must be accredited. The CAS(T) requirements for Service Providers (i.e. the Telecoms companies) are described in the “CESG Assured Service Requirement Telecoms” document, which can be found on the CESG website.
In order to achieve certification, the Service Provider must demonstrate compliance with the “Security Procedures Telecommunications Systems and Services” standard, which is based on the ISO/IEC 27001:2013 standard.
The process flow below shows the steps to accreditation and how the Service Provider, CAS Company and CESG work together during the initial certification.
Once the initial certification has been completed, surveillance audits will be scheduled at least annually. We would generally advise that a third of controls are assessed during the initial audit and each of the two surveillance audits.
Timescales to complete the initial assessment will depend on several factors, but for a small to medium size organisation we would expect the following:
- Initial Questionnaire: 1-2 days (Approval by CESG: 4-6 weeks)
- Assessment Plan: 1 week (Approval by CESG: 4-6 weeks)
- Assessment Activities: 2-3 weeks
- Reporting & production of Assurance Maintenance Plan: 1 week (Approval by CESG: 4-6 weeks)
- Issue certificate: 1-2 weeks after approval of report
- Certification expiry: 3 years after issue date
If you already hold a CAS(T) certification under the old scheme, it is important that you start these activities with plenty of time to gain certification before it lapses. Info-Assure recommend engaging with a CAS company around 6 months before your certificate expires.
For access to additional resources, you may wish to join the CAS(T) industry group. You can request membership via the following link: