Frequently Asked Questions (FAQ)
Who can get a Cyber Trust Label?
The Cyber Trust Label can be requested by any organisation. The label is granted on fulfilment of the minimum requirements of the Cyber Risk Rating scheme.
How is the information provided by the organisations verified?
For the Cyber Trust Gold Label an audit is performed by a qualified auditor who has been accredited by the authorities according to §18 of the NIS law. For the Standard Label a validation takes place, which evaluates the self-declaration with regard to completeness, consistency and plausibility. Additionally, every organisation which requests a Cyber Trust Label agrees to provide evidence on demand (e.g. for an on-demand control audit). Intentional or grossly negligent incorrect declarations result in withdrawal of the label.
Are there technical tests required?
An automated web risk score is evaluated. This is done solely using non-intrusive methods; the security and stability of systems are not endangered at any time. No penetration tests are performed throughout the label process. However, regularly conducting penetration tests within the organisation is part of the requirements of the B- and A-ratings and is therefore required by the scheme.
How much effort should be calculated for the Cyber Trust Label?
For the Standard Label, answering the questions usually takes no more than one or two hours. For the A-Label the effort is somewhat higher but should usually not be much more than a day. However, these are indicative efforts only; they assume that the requirements are already fulfilled and the necessary evidence is readily available.
How secure are organisations who have a Cyber Trust Label?
The Cyber Risk Rating scheme is oriented on proven security standards, which have been developed and approved by leading security experts. To validate them, the validation and audit mechanisms described by the Cyber Risk Rating Scheme are applied diligently. An organisation carrying the Cyber Trust Label demonstrates that it takes cybersecurity seriously and has implemented essential security measures. However, no scheme or evaluation can guarantee 100% cybersecurity or rule out the possibility of cyber incidents completely.
What is the difference between the Cyber Trust Label and an ISO 27000 certification?
The Cyber Trust Label is a quality label based on a defined scheme (the Cyber Risk Rating Scheme Policy of KSÖ). It is not a certification. In addition, ISO 27000 aims at the existence of a management system for cybersecurity, whereas the Cyber Risk Rating checks for the existence of defined, concrete security controls.
What happens if an organisation with a Cyber Trust Label has a security incident?
Every organisation going through a KSV1870 Cyber Risk Rating agrees to a possible surveillance audit. Such audits can become necessary, e.g. after a severe security incident or if there are any indications of misuse or false information. Surveillance audits can also be conducted randomly without citing specific reasons.
When can Cyber Trust Labels be revoked?
If a surveillance audit identifies a significant deviation, the rating will be revoked. This includes invalidating the Cyber Trust Label. In such a case the organisation must remove the label from all websites and marketing materials within one month. Only after a cooling-off period of 6 months can a new rating and label be requested.
How long is the Cyber Trust Label valid?
The Cyber Trust Label is issued for one year and can afterwards be renewed, provided that the requirements are still fulfilled.
What happens if an organisation does not meet the qualification requirements?
If the cyber risk rating is not sufficient for a qualification, the organisation must implement the necessary improvement measures and can afterwards go through a new request process. If this happens within one year of the initial request, the label issuing fee (but not the rating fee) will be credited.
Who issues the Cyber Trust Label?
The Cyber Trust Label is issued by CTS Cyber Trust Services GmbH in cooperation with Kuratorium Sicheres Österreich. The rating process itself is performed by KSV1870.
Is the Cyber Trust Label legally protected?
Yes, the Cyber Trust Label is a protected registered trademark in Austria and the European Union. Misuse will be legally prosecuted.
How are disputes regarding the Cyber Trust Label solved?
The Cyber Risk Management Board acts as the escalation and complaints body for any kind of ambiguity or dispute with regard to the Cyber Trust Label.