
Principles Based Assurance (PBA)
Helping customers gain confidence that products are resilient to cyber attack.
Technology assurance helps you decide whether a technology is secure enough for your needs.
Today, cyber security functionality cannot be considered in isolation - any product or piece of software has a role to play in cyber security. If it’s not built and maintained properly, it can contain vulnerabilities that give an attacker an open door.
NCSC’s technology assurance services aim to give you the information you require – as a vendor or as a buyer – to be confident in the cyber resilience of your product or technology.

Cyber Resilience Testing (CRT) will give you confidence in a product’s resilience against cyber attacks by assessing how well the technology has been designed and built to keep the people and systems it supports safe online.
CRT assesses the resilience of any technology connected to a public, or less trusted, interface (for example, the internet) against a commodity threat. It uses Principles Based Assurance (PBA) as both its underlying philosophy and method of assessment.
The level of confidence required in the technology determines the most appropriate form of assessment - either self-assessment or, where more confidence is needed, independent audit and verification through our Cyber Resilience Test Facilities (CRTFs).
One way to gain assurance in a product or technology is through Cyber Resilience Test Facilities (CRTF). These third-party facilities will help you validate the cyber security resilience of a wide range of internet connected products and technology.
Delivered through a network of ‘NCSC assured providers’, Cyber Resilience Test Facilities use Principles Based Assurance (PBA) to enable technology vendors to independently audit and verify the cyber resilience of their product and demonstrate this to customers.
This also allows customers to gain confidence in the cyber resilience of the technology they integrate into their systems.
To enable evidence to be gathered and assessed against the principles in a consistent way, we have produced a set of standards called Assurance, Principles & Claims (APCs).
You can access a range of APC documents which will help you to understand what security outcomes you’re aiming for (given your class of technology) and then derive your own cyber security claims for your product.
Principles Based Assurance (PBA) is the NCSC’s approach to Technology Assurance – the process of gaining confidence in the cyber resilience of a product or system for a particular context.
PBA doesn’t just apply to the functionality of security products, like firewalls or VPNs. Given how connected technology is now, PBA is just as relevant to a broad range of products (including software) whose primary function is not security, but whose compromise would cause a significant impact.
PBA is also the framework for assurance that is used by our Cyber Resilience Test Facilities to provide access to trusted, independent assessment of technology at scale.
The Software Code of Practice has been designed to ensure that security is made fundamental to software vendors’ approaches to developing and distributing their products and services.
The Code of Practice is expressed as a set of principles, so software vendors can use Assurance, Principles and Claims (APCs) to evidence and assess their products against it in a structured format and validate their cyber resilience.
The Software Security Code of Practice is a voluntary code for technology providers, and outlines the security principles expected of all organisations that develop and / or sell software.