Cyber Security – Understanding EN 18031

EN 18031-1: Network and Security Assets

Part 1 addresses functionalities related to networking. This includes any feature of a product that either utilizes network resources or enables connectivity, as well as security mechanisms intended to safeguard the network from misuse or damage.

Relevant assets are not limited to the functions themselves; they also include associated parameters and configuration settings. If these elements are altered, exposed, or misused, they may negatively impact the network or enable improper use of network resources.

One point of interpretation deserves attention: the standard does not define what qualifies as a “network,” so interpretations vary. Some evaluators adopt a strict view (e.g., excluding point-to-point connections such as serial interfaces), while others apply a broader definition.

To ensure consistency, it is important to define and apply a clear interpretation throughout the assessment. It is also recommended to document the reasoning behind this interpretation as part of the assessment records.

EN 18031-2: Privacy Assets

Part 2 focuses on the handling of personal information, which includes personal data, traffic data, and location data as defined in the GDPR and the ePrivacy Directive. Any product feature that collects, processes, or otherwise interacts with such information is considered a privacy-related function and is therefore treated as a privacy asset.

In addition, mechanisms designed to safeguard the privacy of users or subscribers are categorized as security functions within this context.

Assets under Part 2 also include relevant parameters and configuration settings where their exposure or alteration could jeopardize the privacy of individuals.

Note that the notion of a “security function” in EN 18031-2 differs from its use in EN 18031-1. Here it refers specifically to controls that protect personal data and user or subscriber privacy, rather than to measures that secure network operations in general.

EN 18031-3: Financial Assets

Part 3 addresses financial data, meaning any information that represents monetary value, relates to financial transactions, or is used in the transfer of money, assets, or virtual currencies. Product capabilities that handle such data are classified as financial functions.

The primary concern within this part is the prevention of fraud. Accordingly, parameters and configuration settings are considered assets where their exposure or manipulation could facilitate fraudulent activity.

A notable complexity arises from the definition of “security function” in EN 18031-3, which refers to functionality that protects financial or security assets against fraudulent misuse. This creates a dependency, as financial assets must first be identified before security functions can be clearly determined.

In practice, a structured approach is recommended: first identify and document financial functions and assets, and then perform a second step to classify the associated security functions once the asset landscape is established.

Asset identification process (applies to all parts)

Step 1 — Identify relevant personal or financial data (EN 18031-2 and -3 only)

Compile a complete inventory of all personal data, traffic data, and location data (for EN 18031-2), or all financial data (for EN 18031-3) processed by the product. Determine which data elements are sensitive (where manipulation poses a risk) or confidential (where disclosure poses a risk). These items should be directly classified as assets at this stage.

Step 2 — Catalogue all product functions

Develop a comprehensive list of all product functionalities. This should cover every interface, communication channel, processing capability, and feature, regardless of perceived importance. Ensuring completeness is essential, as overlooked functions may lead to unidentified assets later in the process.

Step 3 — Assign functional classifications

Review each function identified in Step 2 and assess whether it qualifies as a network, privacy, financial, or security function under the applicable part of the standard. Any function that meets these criteria should be designated as an asset. Functions that do not fall into these categories can be excluded from further consideration.

Step 4 — Derive and assess dependent parameters and configurations

For each function classified as relevant, identify all associated parameters and configuration elements, such as cryptographic material, credentials, identifiers, and protocol settings. Evaluate these elements to determine whether their manipulation (sensitive) or disclosure (confidential) could introduce risk. Any such elements should also be classified as assets.

Outcome

The complete asset inventory is formed by combining:

  • the data identified in Step 1,
  • the classified functions from Step 3, and
  • the sensitive or confidential parameters from Step 4
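The four steps above run over a constructed product inventory, as an added example that is not from the standard or this page. It assumes, for all three parts, that a security function becomes an asset only once it protects something already in the inventory (the dependency the text describes for Part 3), and that parameters are carried only for functions that were classified as relevant; the product, function and parameter names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Function:
    name: str
    kinds: set                                   # subset of {"network","privacy","financial","security"}
    protects: set = field(default_factory=set)   # asset names a security function safeguards
    params: dict = field(default_factory=dict)   # param -> subset of {"sensitive","confidential"}

@dataclass
class Data:
    name: str
    part: int        # 2 = personal/traffic/location data, 3 = financial data
    flags: set       # {"sensitive"} if manipulation is a risk, {"confidential"} if disclosure is

PRIMARY_KIND = {1: "network", 2: "privacy", 3: "financial"}

def identify_assets(part, data, functions):
    """Asset inventory for one part of EN 18031, following Steps 1-4 of the text."""
    assets = []
    if part in (2, 3):                                   # Step 1: data items are assets directly
        assets += [d.name for d in data if d.part == part and d.flags]
    relevant = [f for f in functions if PRIMARY_KIND[part] in f.kinds]   # Steps 2-3
    assets += [f.name for f in relevant]
    for f in functions:                                  # security functions: second pass, since
        if "security" in f.kinds and f not in relevant and f.protects & set(assets):
            relevant.append(f)                           # they depend on assets found so far
            assets.append(f.name)
    for f in relevant:                                   # Step 4: only flagged parameters of
        assets += [p for p, fl in f.params.items() if fl]   # relevant functions become assets
    return assets

# Constructed inventory of a hypothetical payment terminal with Wi-Fi (not from the page)
DATA = [Data("gps_position", 2, {"confidential"}),
        Data("card_number", 3, {"confidential"}),
        Data("transaction_amount", 3, {"sensitive"})]
FUNCTIONS = [
    Function("wifi_client", {"network"}, params={"wifi_psk": {"confidential"}, "ssid": set()}),
    Function("serial_debug", set()),                     # excluded once judged not a network function
    Function("location_report", {"privacy"}, params={"device_id": {"confidential"}}),
    Function("card_payment", {"financial"}, params={"merchant_key": {"sensitive", "confidential"}}),
    Function("tls_stack", {"security"}, protects={"wifi_client", "card_payment", "gps_position"},
             params={"server_cert_key": {"confidential"}}),
    Function("fraud_check", {"security"}, protects={"card_payment"}, params={"risk_threshold": {"sensitive"}}),
    Function("led_control", set(), params={"brightness": set()}),
]
if __name__ == "__main__":
    for part in (1, 2, 3):
        print(f"EN 18031-{part}:", identify_assets(part, DATA, FUNCTIONS))
```

Running it shows why completeness in Step 2 matters: `fraud_check` and `risk_threshold` only surface under Part 3, because the function it protects is not an asset under Parts 1 or 2.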