CWA 17260:2018

Guidelines on evaluation systems and schemes for physical security products CWA 17260:2018

Scope

This CEN Workshop Agreement provides guidelines on how to design certification systems and schemes for physical security products and presents a framework in which these systems and schemes can be upheld. Physical security products include products which provide protection of people, property and infrastructure from acts of malicious intent, such as physical attacks.
It does not cover IT or cyber security and does not include products for safety, for instance protection from natural disasters. This CWA focuses on schemes for standalone security products and system components rather than systems and services based on these products and components.
Whilst there are several types of performance indicator for physical security products, this CWA focuses on their functional performance, not on aspects such as interoperability and environmental factors. Functional performance encompasses the security performance features of these products where sophisticated testing is often required. Schemes may also include other types of requirement such as interoperability, reliability, usability and resistance to unauthorised tampering.
The framework is based on the ISO/IEC 17000 standards series, supplemented with features that take account for the particular nature of security products:
— Realistic and adversarial testing;
— Continually evolving threat;
— Security sensitivity;
— Diverse range of products and applications.
The wide range of types of product and application, the need to operate in both regulated and unregulated environments as well as physical security products with very different maturity and market sizes, means that a range of different types of certification scheme are needed. Hence, the framework comprises a top-level structure with certification systems for performance measurement as well as systems for assessment of conformity with threshold performance requirements. .
This CWA targets stakeholders in the physical security product area such as user organisations and manufacturers; standards and certification bodies; governments and regulators who are involved in policy, setting up, operating and maintaining schemes.
Before new or additional standards and certification schemes are developed, a full impact assessment should be conducted to justify the need for standards and the potential costs incurred. Any certification schemes and standards for physical security products must:
— be operationally practical and proportionate to the threat that they seek to address, and be targeted to and tested in the real environment in which they are to be implemented in a manner relevant to the security threats in the applications where they will be implemented.
— not add unnecessary costs or delays for equipment manufacturers, or risk impairing Europe’s capacity to swiftly develop, adapt or deploy equipment that can combat emerging security threats.