Nixu’s Role in EMERALD: Auditor’s Perspective and Stage-Gate Process


Nixu Certification Oy is an independent subsidiary of DNV Cyber, acting as an official Information Security Inspection Body approved by the Finnish Communications Regulatory Authority. Information security auditors are essential in helping organizations protect sensitive data, maintain regulatory compliance, and mitigate risks associated with cyber threats.
Nixu’s role in the EMERALD project is to bring the auditor’s perspective. The Stage-Gate Process is a simple but effective way to ensure that the auditing process is taken into account in EMERALD.

Stage-Gate Process
The progress of the pilots in the EMERALD project is driven by a Stage-Gate Process. This process divides the project lifecycle into distinct phases, or stages, each ending with a “gate.” At these gates, the project’s progress is reviewed by Nixu (auditor), and decisions are made to ensure successful completion. Nixu will be a gatekeeper for each of the gates and will provide the necessary support for the pilots to pass the gates (Figure 1).

Figure 1. Stage-Gate Process in EMERALD

 

Stage 1: Planning
In this stage, the auditor and the Cloud Service Provider / Pilot owner agree on the audit’s scope, framework, controls, and schedule. The Compliance Manager is nominated, and a compliance framework is defined.

Stage 2: EMERALD Setup
This stage ensures that EMERALD is set up and ready for the audit. The cloud service runs in a test environment, and the necessary metrics and tools are operational.

Stage 3: Preparation for Audit
Both the CSP / Pilot owner and the auditor prepare for the audit. The CSP / Pilot owner reviews and communicates the audit scope, completes a self-assessment, and shares documentation. The auditor nominates a technical auditor and validates the EMERALD framework.

Stage 4: Audit
The organizational and technical audits are conducted. The CSP / Pilot owner provides access to monitoring tools, and the auditors review the evidence.

Stage 5: Certification
The audit concludes with certification. Auditors identify non-compliances, communicate findings, and deliver an audit report to the Compliance Manager.

Using the Stage-Gate Process will not only demonstrate the validity of the developed tools and methodologies but also provide valuable feedback to component owners. Nixu wants to be involved in developing the latest technology in the field of information security audits and be among the first to use EMERALD’s tools in real audits.
