Marc Krisjanous is one of the first CCSS Auditors and assisted C4 in the development of their auditors program.
The Certification Process
In this article I will go into detail for each step in the certification process and provide any tips or recommendations I learned based on my experience conducting the first CCSS audit in the world.
The diagram below is extracted from the CCSS auditors guide and provides a high-level overview of the certification process for CCSS certification.
The following steps are covered in this post:
- Step 1: Select and contact CCSSA
- Step 2: CCSSA and Entity determine scope and negotiate agreement
- Step 3: CCSSA completes “Intent to Audit” form
- Step 4: C4 sends PROL to CCSSA
- Step 5: CCSSA contacts CCSSA-PR, negotiate and sign “Appendix 1”
- Step 6: CCSSA performs audit
- Step 7: CCSSA-PR reviews “Audit Documentation” and provides feedback to CCSSA
- Step 8: CCSSA sends SRoC, Appendix 1, and listing information to C4
- Step 9: C4 reviews documentation
- Step 10/11: C4 sends CCSSA “Listing Fee” invoice / CCSSA pays “Listing Fee”
- Step 12/13: C4 sends CoC and Badge to CCSSA, CoC listed on C4 website. Entity receives CoC badge from CCSSA
Step 1 – Entity Selects and Contacts CCSSA
The first step in the process is that the entity selects and contacts a CCSSA. The most important task in this step is to ensure the CCSSA you are considering engaging has enough skill and experience in auditing information systems.
C4 does not require any prerequisites such as relevant qualifications or auditing experience for a person to take the CCSSA exam, pass and be registered with C4 as a CCSSA. For this reason, it is vital for an entity considering certifying against CCSS that the entity conducts in-depth research on any CCSSA before contractual arrangements are undertaken with the selected CCSSA. To read more about what to look for in a CCSSA read this article here.
Step 2 – CCSSA and Entity determine scope and negotiate agreement
The next step after selecting a CCSSA is to “determine scope and negotiate agreement”. By “determine scope” C4 is referring to defining at a high-level what products and services are in-scope for the audit and from there, define at a high-level the systems that will be audited. The in-scope people, process and technology components may change as the CCSSA progresses through the audit but defining even at a high-level the scope as part of the contractual arrangements is a good idea and assists with estimates on audit effort. I wrote an article on defining the CCSS Trusted Environment (CCSS refers to the in-scope environment as the “Trusted Environment”)
Step 3 – CCSSA fills out Intent to Audit form
Before any contract between the assessed entity and the CCSSA is signed the CCSSA must complete C4’s “Intent to Audit” form. The form captures the CCSSA details, the entity undertaking a CCSS audit and the systems being audited – the systems that were identified at a high-level in the previous step of defining scope.
Step 4 – C4 sends PROL to CCSSA
C4 will then send the CCSSA a random list of other CCSSAs that are authorized by C4 to conduct peer-review of the audit documentation. The random list of CCSSAs is called a “Peer Reviewer Options List”, or PROL. Once the CCSSA selects another CCSSA to conduct the peer-review (the CCSSA conducting the peer review is now referred to as the CCSSA-PR) both the CCSSA and CCSSA-PR must declare to C4 any current or previous relationships with the assessed entity.
The CCSS auditors guide – section 2.1 CCSSA and section 2.2 CCSSA-PR states that both the CCSSA and the CCSSA-PR must avoid any potential conflicts of interest with the assessed entity. This is in regards to protecting the independence of the CCSSA and CCSSA-PR from the assessed entity. It stops the ability for a CCSSA to audit their own business, their current employers or previous employers business and any other forms of benefits the CCSSA or CCSSA-PR may receive from the assessed entity.
It’s important to note that the CCSSA-PRs fees must be negotiated with the CCSSA and the assessed entity. C4 is not involved in the negotiation process. C4 may offer some guidance in the future on how much roughly a peer review should cost but right now there has not been enough audits to identify an average fee for peer review. The CCSSA-PRs fee for peer review is added to the CCSSAs audit agreement with the assessed entity.
The CCSSA will also need to help the assessed entity work out the C4 listing fee. The CCSS auditors guide provides information regarding the three CCSS certification designations and the associated listing fee for each. I wrote an article covering in detail the three different designations for CCSS certification.
Based on the high-level scope that was defined in the initial steps the CCSSA should be able to confirm with the entity which C4 listing fee is applicable to them. The C4 listing fee is the charge C4 applies to an entity who has successfully completed the CCSS audit process for listing and managing the entity’s details on the C4 website.
Note: CCSS certification requires an annual audit and certification review for the entity to remain CCSS certified.
The CCSSA must collect the C4 listing fee from the entity and pass the listing fee onto C4. C4 will only release the Certificate of Compliance (CoC) once they have received the listing fee (among other documentation we will cover later in this article). I highly recommend that the entity contacts C4 and asks C4 to confirm in writing what the listing fee will be – this is to avoid any confusion later down the audit process.
The tricky part is that the CCSSA must collect the C4 listing fee from the entity and pass it onto C4. So there are three parties involved in this process with the CCSSA being the “middle-man” who will need to add the C4 listing fee as well as the CCSSA-PR’s peer review fee to the audit SOW for the entity, which may lead to mistakes or misunderstandings on the C4 listing fee if there is no written confirmation from C4 the CCSSA can refer to.
C4’s preference for the listing fee payment is in cryptocurrency so it’s very important that the CCSSA and entity plan for how the funds will be transferred to C4. C4 may accept fiat – make sure to double check with C4 ASAP.
Just to recap so far – the following should be completed:
- The entity has selected the CCSSA that will conduct the audit.
- The in-scope environment has been defined at a high-level – the systems that will be audited.
- The CCSSA-PR has been selected by the CCSSA and the entity. The peer review fee has been agreed by all three parties.
- C4 has been made aware of any current or prior relationships with the entity that could impact on the independence of the CCSSA and CCSSA-PR.
- The CCSSA has identified the C4 CCSS designation of the entity and the C4 listing fee has been identified. The CCSSA and entity have received written confirmation from C4 that the identified listing fee is correct. Also, confirm payment options with C4 as C4 prefers payment in cryptocurrency but may accept fiat.
- The audit costs (CCSSA fee to conduct the audit, the C4 listing fee and the CCSSA-PR fee for peer review) have been agreed and contracts signed.
Step 5 – CCSSA contacts CCSSA-PR, parties negotiate, and sign Appendix 1
The next step is for the CCSSA, the entity who will be audited and the CCSSA-PR to all sign the Appendix 1 form. This form is a legal waiver by C4 where the CCSSA, entity who will be audited and CCSSA-PR acknowledge that C4 is in no way involved in the audit process.
Appendix 1 is not required to be sent to C4 until after the completion of a successful audit and peer review. However, I recommend this document is signed by all parties sooner rather than later or it may become an administrative hassle at the end when the assessed entity wants the CoC.
Step 6 – CCSSA performs audit
The next stage is that the CCSSA conducts the audit. I have written articles that cover every CCSS requirement focusing on what I believe to be the intent of the requirement, and what evidence I would collect to gain assurance that the requirement is in-place. The list of my articles is at the bottom of this article. The articles are not officially endorsed by C4. However, currently there is no official guidance on requirement intent, expected evidence and example scenarios, provided by C4 for the CCSSA so you can choose to review my articles or not. They are just my opinion only.
Once the audit is complete and the assessed entity has met the applicable requirements the CCSSA will inform the assessed entity of the CCSS Level reached and confirm the CCSS certification designation. If the assessed entity agrees with the findings then the CCSSA prepares a copy of the audit report for peer review.
Step 7 – CCSSA-PR reviews Audit Documentation, provides feedback to CCSSA
The copy of the audit report will need to be redacted of all personal identifiable information (PII) of the assessed entities personnel involved in the audit. Also, all sensitive information about the assessed entity must be redacted including:
- Filenames of evidence artifacts collected and reviewed during the audit.
- Any diagrams, pictures and screen captures.
- Any other information within the audit report the CCSSA believes is sensitive and could impact the security of the assessed entities environment if the copy of the audit report is accessed by unauthorized users.
The CCSSA must make the redacted copy of the audit report available to the assessed entity prior to being sent to the CCSSA-PR so the assessed entity can check if all sensitive information has been redacted.
Once the assessed entity has approved in writing the release of the redacted audit report for peer review, the CCSSA will make the redacted audit report available to the CCSSA-PR. It is important to note that the CCSSA-PR is not peer reviewing the audits evidence. The CCSSA-PR is reviewing the evidence gathering techniques the CCSSA applied during the audit so that the CCSSA-PR can have assurance that enough evidence gathering techniques were applied for the CCSSA to reach an opinion for each requirement. The CCSS auditors guide has a section on recommended evidence gathering techniques. I have also written in detail regarding the recommended evidence gathering techniques.
The C4 peer review process for a CCSS audit may sound different to the standard audit peer review process and it is. However, as we noted before, C4 requires that the CCSSA-PR is independent of the CCSSA. This means that the two auditors will more than likely have different audit training and audit methodologies which could clash if the CCSSA-PR has to peer review the evidence. Further, the CCSSA-PR would not have signed an NDA with the assessed entity to see the evidence collected.
C4 does offer a mediation and disputes process for the CCSSA and CCSSA-PR if issues do arise.
Once the CCSSA-PR has confirmed in writing that the CCSSA conducted sufficient evidence gathering techniques in order to form the opinions presented, the CCSSA will move to the next step in the certification process. I wrote a detailed article on the peer review process.
Note: A CCSS Audit is NOT a “Checkbox” Audit
An important note I would like to make is that the CCSS audit is not a “checkbox” audit. The CCSSA is required by C4 to conduct a rigorous audit of the people, process and technology components of the in-scope environment. If the reader is aware of how a PCI DSS audit is conducted then the CCSSA audit follows the same level of rigour. If the CCSSA does not perform the required level of audit rigor then the audit report will fail the peer review process.
Step 8 – CCSSA sends SRoC, Appendix 1, and listing info to C4
Once the peer review process has been successfully completed the CCSSA is required to provide the following listing information pack to C4:
- Summary Report on Compliance (SRoC). There is a C4 template for the SRoC which the CCSSA can download from C4.
- Appendix 1 – the CCSSA, assessed entity and CCSSA-PR must all sign this document.
- The assessed entities Certificate of Compliance (CoC) listing information. This is the listing information that appears on the CoC and the C4 certified entities online registry. The information is: entity contact details, system(s) audited, the assessed entities logo.
- The C4 listing fee cost. Remember, I recommended above that the C4 listing fee is agreed in writing by C4 so now that the C4 listing fee total cost is being sent back to C4 in this evidence pack no surprises should occur regarding the correct listing fee for the assessed entity.
The listing information pack is then sent to the C4 CCSS submission email address by the CCSSA which is documented in the CCSS auditors guide.
Step 9 – C4 Reviews SRoC and Signed Appendix 1
C4 then goes through a process where they review the evidence pack to ensure that everything is complete.
Step 10 – C4 sends the CCSSA the Listing Fee Invoice
Once C4 is happy with the listing information pack, C4 will send an invoice for the C4 listing fee to the CCSSA.
Step 11 – CCSSA pays Listing Fee
The CCSSA will then send the C4 listing fee to C4 via whatever arrangements C4 has stipulated.
Step 12 – C4 sends CoC and badge to CCSSA. CoC is listed on C4’s website
Once C4 receives the C4 listing fee funds then C4 will issue the CoC to the CCSSA who will then check that the CoC is correct.
Step 13 – Entity receives CoC badge from CCSSA
If the CoC is correct the CCSSA will then send the CoC to the certified entity. C4 will add the certified entities details to the C4 online CCSS certified entity register.
That’s it!
Need Help?
Always make sure that you do your due diligence when selecting a CCSSA for your audit. You can read our tips about selecting a CCSSA.
Or contact us if you’d like to learn more about how we can help you with CCSS.
Further Reading – CCSS Controls
- Key / Seed Generation (CCSS Aspect 1.01)
- Wallet Creation Requirements (CCSS Aspect 1.02)
- Key Usage Requirements (CCSS Aspect 1.03)
- Key Storage Requirements (CCSS Aspect 1.04)
- Key Compromise Requirements (CCSS Aspect 1.05)
- Keyholder Grant / Revoke Policies & Procedures (CCSS Aspect 1.06)
- Security Tests / Audits (CCSS Aspect 2.01)
- Data Sanitization Policy (CCSS Aspect 2.02)
- Audit Logs (CCSS Aspect 2.04)