Add ISO 27001 certification

[sander]

For some use cases it is important to know whether the wallet/agent is released and kept secure in an information security management system (ISMS) with secure wallet delivery as its objective. The most common standard for this is ISO 27001.

For example, an issuer may check for an ISO 27001 certificate before agreeing to issue a high-risk credential, to mitigate the risk of a personal data breach. Such a breach may for example occur at the provider’s backend services or at an end-user app, e.g. due to a vulnerability not mitigated in time, or due to a malicious software update. While certification does not provide technical guarantees, it provides assurance and recognisable evidence of quality.

I suggest to add a field:

• ID: iso27001Certificate
• Type: URL to PDF of valid certificate of which the scope includes the wallet/agent delivery

[cre8]

ISO27001 is a certification for the publisher, not for the product. So it says nothing about the quality/security of the product.

Better approach

• Linking to possible penetration tests done by external companies (this could lead to bad quality reviews just to be reviewed)
• certification by common criteria. BSI is doing this and this is required in high regulated or critical sectors. This is very rar.

Beside the certification of a product: it is only valid for a specific release.

I would keep the iso27001 and other company related information out of scope since e.g. a wallet by the open wallet foundation is to able to get this certification.

[sander]

Hi @cre8, this depends on the type of wallet/agent solution. Several entries in the overview are for example delivered as a continuous stream of app releases through app stores, by a service organisation, potentially continuously backed by backend services. Penetration tests usually apply to a limited set of snapshots, while an ISMS is supposed to have a continuous control cycle.

I know that in at least some use cases, customers and supervisors are interested in the certification of the provider. They will indeed check whether the certification scope includes the security management of the wallet/agent solution.

To address the fact that some solutions will be delivered as source code only, without a servicing organisation, the proposed iso27001Certificate field could also have an N/A option.

I agree that links to penetration tests are also valuable. And to Common Criteria certificates – although usually only components of the wallet solution are certified, such as in the case of https://github.com/openwallet-foundation/digital-wallet-and-agent-overviews-sig/pull/30.