Cybersecurity — Understanding the Fundamentals II (Standards)

Policies, Standards, Procedures, and Guidelines

Document Types

To make the distinction clear, we have prepared a table comparing policies, standards, procedures, and guidelines. In short: a policy states management's intent and is mandatory; a standard makes specific requirements (technologies, configurations, parameters) mandatory; a procedure gives the step-by-step instructions for carrying them out; and a guideline is a recommendation. Knowing these differences makes it easier to understand the role standards play in our daily work.


What are the Standards? Why Are They Important?

Standards are what make interconnectivity and interoperability possible: two products from different vendors can only be expected to work together if both follow the same published specification. Standards also give buyers a way to verify the claims made for new products and new markets, because conformance can be tested against a document rather than taken on trust. In summary, standards fuel the development and adoption of the technologies that transform the way we live, work and communicate.

Cybersecurity Standards

ISO/IEC 27001 & 27002

ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. It is the standard an organization is audited and certified against; ISO/IEC 27002 (below) is the companion catalogue of controls and is not itself certifiable.

ISO/IEC 27001:2013 (Information technology — Security techniques — Information security management systems — Requirements)

ISO/IEC 27001:2013/COR 1:2014 (Information technology — Security techniques — Information security management systems — Requirements — Technical Corrigendum 1)

ISO/IEC 27001:2013/COR 2:2015 (Information technology — Security techniques — Information security management systems — Requirements — Technical Corrigendum 2)

Note that the 2013 edition and its corrigenda listed above have since been superseded by ISO/IEC 27001:2022; certifications are migrated to the current edition during a transition period.

ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC).

ISO/IEC 27002 gives guidelines for organizational information security standards and information security management practices including the selection, implementation, and management of controls taking into consideration the organization’s information security risk environment(s).

It is designed to be used by organizations that intend to:

  • select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;
  • implement commonly accepted information security controls;
  • develop their own information security management guidelines.

ISO/IEC 27002:2013 (Information technology — Security techniques — Code of practice for information security controls)

ISO/IEC 27002:2013/COR 1:2014 (Information technology — Security techniques — Code of practice for information security controls — Technical Corrigendum 1)

ISO/IEC 27002:2013/COR 2:2015 (Information technology — Security techniques — Code of practice for information security controls — Technical Corrigendum 2)

The 2013 edition has since been replaced by ISO/IEC 27002:2022, which regroups the controls into four themes (organizational, people, physical and technological); the Annex A of ISO/IEC 27001:2022 follows that new structure.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF), published by the US National Institute of Standards and Technology, is a voluntary, risk-based framework rather than a certifiable standard. Its core was originally organized around five functions, Identify, Protect, Detect, Respond and Recover (version 2.0, released in 2024, adds a sixth, Govern), each broken down into categories and subcategories that map to controls in other documents such as ISO/IEC 27001 and NIST SP 800-53. It is therefore widely used as a common language for describing an organization's current security posture and its target profile.

ISO/IEC 15408 (Common Criteria)

ISO/IEC 15408, commonly known as the Common Criteria, establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation used across its parts; taken as a whole it is the basis for evaluating the security properties of IT products. A vendor states the security claims for a product in a Security Target, optionally claiming conformance to a Protection Profile that defines the requirements for a class of products, and an accredited laboratory evaluates the product against those claims to an Evaluation Assurance Level (EAL1 through EAL7). The EAL reflects the depth and rigour of the evaluation, not the absolute strength of the product, so two EAL4 products may have very different security functionality.

ANSI/ISA 62443 (Formerly ISA-99)

ISA/IEC 62443 is a series of standards for the security of industrial automation and control systems (IACS), originally developed by the ISA99 committee of the International Society of Automation and subsequently adopted by the IEC. Unlike ISO/IEC 27001, which addresses an organization's information security management as a whole, the 62443 series targets operational technology: it defines security levels, and zones and conduits for segmenting a plant network, and assigns requirements separately to asset owners, system integrators and product suppliers in different parts of the series.

COBIT 5 Information Security Framework

COBIT 5 is ISACA's framework for the governance and management of enterprise IT. COBIT 5 for Information Security is the companion publication that applies that framework to information security, describing the policies (including a suggested information security policy set), processes, organizational structures and other enablers an organization needs to govern security in line with its business goals. It does not specify technical controls; organizations typically pair it with ISO/IEC 27001/27002 or NIST SP 800-53 for the control detail.

In addition, PCI DSS, HIPAA and GDPR play an important role in how an organization shapes its information security governance. Unlike the standards above, these are not frameworks you choose to adopt: PCI DSS is a contractual requirement imposed by the card brands on anyone who stores, processes or transmits cardholder data, HIPAA is US legislation covering protected health information, and GDPR is EU law on the processing of personal data. Each prescribes its own obligations and penalties, so an organization's policies and control selection must satisfy whichever of them applies alongside its chosen standard.