TAAF

Q: Who are the approved Systems Auditors for TAAF?

You may find the list of Systems Auditors here .

The Technology Assurance Assessment (TAAF) Framework by the MDIA is a tiered framework designed to provide varying degrees of technological assurances for a wide range of technologies, from emerging to traditional, aligning with international standards and industry best practices.

TAAF is scalable, allowing seamless integration of new technologies. It is targeted towards owners or operators of technology solutions, who want to assess and obtain recognition for their technology-related controls.

TAAF’s Official Recognition aims to provide varying degrees of confidence for stakeholders like Lead Authorities, investors, developers, suppliers, end-users, and the public. The framework is flexible, allowing applicants to choose what they want to be assessed against, with different assessment levels building on each other for higher trust levels.

TAAF’s 4 Assessment Levels

Level 0
Self-Assessment (sector specific).

Level 1
Technology Control Design Review.

Level 2
Technology Control Effectiveness Review.

Level 3
Technology Audit.

Technology Domains

While TAAF can be applied to any software-based technological solution, it is also able to focus on specific technology domains:

Cloud Computing;
Internet of Things (IoT);
Artificial Intelligence (AI);
Distributed Ledger Technologies (DLT).

Aligned with International Standards

TAAF looks at controls to keep in line with international information security frameworks, including:

Accountability;
Availability;
Confidentiality;
Integrity;
Privacy.

Official Recognition by the MDIA

The MDIA provides official recognition depending on the Assessment Levels undertaken:

Acknowledgment
Denotes participation at TAAF Level 0 (Self-Assessment).

Recognition
Verifies undergoing of Technology Review at TAAF Level 1 or 2.

Certification
Provided for technology solutions that successfully undergo a TAAF Level 3 assessment.

The Components & Requirements of TAAF

	Level 0	Level 1	Level 2	Level 3
Assessor	Applicant	Technical Expert		Systems Auditor
Methodology	Self-Assessment	Technology Review		Assurance Assessment (ISAE3000)
Technology Domains	Sector Specific	General/Traditional Technology Cloud Computing Internet of Things Artificial Intelligence Blockchain
Control Types	Specific to each Initiative	Accountability Availability Confidentiality Integrity Privacy
Due Diligence	Monitoring	Prior to Onboarding
IDPS Blueprint	Not required	Required
Risk Level	Low	Medium		High
Nature of Assessment	Questionnaire	Technology Review Report		ISAE 3000
Assessment Scope	Maturity Assessment	Control Design	Control Design & Operational Effectiveness	Type 1: Control Design Type 2: Control Design & Operational Effectiveness

Level 0

	Level 0
Assessor	Applicant
Methodology	Self-Assessment
Technology Domains	Sector Specific
Control Types	Specific to each Initiative
Due Diligence	Monitoring
IDPS Blueprint	Not required
Risk Level	Low
Nature of Assessment	Questionnaire
Assessment Scope	Maturity Assessment

Level 1

	Level 1
Assessor	Technical Expert
Methodology	Technology Review
Technology Domains	General/Traditional Technology Cloud Computing Internet of Things Artificial Intelligence Blockchain
Control Types	Accountability Availability Confidentiality Integrity Privacy
Due Diligence	Prior to Onboarding
IDPS Blueprint	Required
Risk Level	Medium
Nature of Assessment	Technology Review Report
Assessment Scope	Control Design

Level 2

	Level 2
Assessor	Technical Expert
Methodology	Technology Review
Technology Domains	General/Traditional Technology Cloud Computing Internet of Things Artificial Intelligence Blockchain
Control Types	Accountability Availability Confidentiality Integrity Privacy
Due Diligence	Prior to Onboarding
IDPS Blueprint	Required
Risk Level	Medium
Nature of Assessment	Technology Review Report
Assessment Scope	Control Design & Operational Effectiveness

Level 3

	Level 3
Assessor	Systems Auditor
Methodology	Assurance Assessment (ISAE3000)
Technology Domains	General/Traditional Technology Cloud Computing Internet of Things Artificial Intelligence Blockchain
Control Types	Accountability Availability Confidentiality Integrity Privacy
Due Diligence	Prior to Onboarding
IDPS Blueprint	Required
Risk Level	High
Nature of Assessment	ISAE 3000
Assessment Scope	Type 1: Control Design Type 2: Control Design & Operational Effectiveness

TAAF FAQ’s

Where can I find out more about TAAF (Technology Assurance Assessment Framework)?

For more information, please review the TAAF guidelines by clicking this link.

Who is TAAF targeted towards?

TAAF is targeted towards owners and operators of technological solutions, who want to undergo a review of their technology controls and obtain official recognition by a National Authority.

How can I choose the Assessment Level?

Finding the right Assessment Level depends on your objectives as a technology solutions owner or operator.

Level 0 is aimed at providing insight on the current maturity levels;
Levels 1 and 2 take on a more detailed technology review by an independent technical expert;
Level 3 on the other hand, is more in line with a traditional audit approach and while being the most onerous, offers the highest levels of trust.

Does TAAF replace other MDIA frameworks?

Technology review programmes offered by the MDIA are largely compatible with TAAF at different assessment levels:

ITA Systems Audit for DLT solutions is aligned with TAAF Level 3 in the DLT Technology Domain
Technology Assurance Sandbox is aligned with TAAF Level 1
Mind the Gap is an initiative that falls under TAAF Level 0.

Who are the approved Systems Auditors for TAAF?

You may find the list of Systems Auditors here.

Who are the approved Technical Experts for TAAF?

You may find the list of Technical Experts here.

Public Consultation

The MDIA is inviting stakeholders from the industry to submit their feedback on the proposed TAAF Framework.

As part of this public consultation, three (3) documents are being released:

The TAAF Guidelines provide a detailed description of the TAAF Framework;
The TAAF Control Objectives outlines the different control statements for each applicable Assessment Level and Technology domain; and
The TAAF Fee Schedule presents the proposed fees in relation to obtaining recognition from the MDIA.

Feedback is to be submitted on taaf@mdia.gov.mt between the 19th of May 2023 and the 30th of June 2023.