CSA /ANSI T200:22

Preface 

This is the first edition of CSA/ANSI T200, Evaluation of software development and cybersecurity programs . This Standard was prepared by the Subcommittee on Cybersecurity Verification, under the jurisdiction of the Technical Committee on Operational Security and the Strategic Steering Committee on Information and Communication Technology, and has been formally approved by the Technical Committee. This Standard has been developed in compliance with Standards Council of Canada requirements for National Standards of Canada. It has been published as a National Standard of Canada by CSA Group. This Standard has been approved by the American National Standards Institute (ANSI) as an American National Standard. 

Scope 

1.1 This Standard describes a methodology for assessing the product software and cybersecurity control maturity of an organization. This Standard provides the evaluators and vendors a method to determine the control maturity of the organization and products/solutions being developed regardless of solution vertical. It covers the entire product system life cycle from conception to full commissioning and until the end of life. It supports effective executive business decisions that establish a comprehensive maturity model approach to cybersecurity. 

1.2 This Standard is applicable to all IoT and related products/solutions. 

1.3 In this Standard, "shall" is used to express a requirement, i.e., a provision that the user is obliged to satisfy in order to comply with the Standard; "should" is used to express a recommendation or that which is advised but not required; and "may" is used to express an option or that which is permissible within the limits of the Standard. Notes accompanying clauses do not include requirements or alternative requirements; the purpose of a note accompanying a clause is to separate from the text explanatory or informative material. Notes to tables and figures are considered part of the table or figure and may be written as requirements. Annexes are designated normative (mandatory) or informative (non-mandatory) to define their intended application.