Cybersecurity — Understanding the Fundamentals II (Standards)

Policies, Standards, Procedures, and Guidelines

Ensar Seker
Nov 11, 2019
Document Types

To provide a clear understanding of policies, standards, procedures, and guidelines, we prepared a table for you. It is worth knowing the differences between policies, standards, procedures, and guidelines in order to understand the role standards play in our lives.


What are the Standards? Why Are They Important?

Standards form the fundamental building blocks for product development by establishing consistent protocols that can be universally understood and adopted. This helps fuel compatibility and interoperability, simplifies product development, and speeds time-to-market. Standards also make it easier to understand and compare competing products. As standards are globally adopted and applied in many markets, they also fuel international trade.

It is only through the use of standards that the requirements of interconnectivity and interoperability can be assured. It is only through the application of standards that the credibility of new products and new markets can be verified. In summary, standards fuel the development and implementation of technologies that influence and transform the way we live, work and communicate.

Cybersecurity Standards

ISO/IEC 27001 & 27002

ISO/IEC 27001 is an information security standard that is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.

ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.

  • ISO/IEC 27001:2013 (Information technology — Security techniques — Information security management systems — Requirements)
  • ISO/IEC 27001:2013/COR 1:2014 (Information technology — Security techniques — Information security management systems — Requirements — Technical Corrigendum 1)
  • ISO/IEC 27001:2013/COR 2:2015 (Information technology — Security techniques — Information security management systems — Requirements — Technical Corrigendum 2)

ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC).

ISO/IEC 27002 gives guidelines for organizational information security standards and information security management practices including the selection, implementation, and management of controls taking into consideration the organization’s information security risk environment(s).

It is designed to be used by organizations that intend to:

  • select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;
  • implement commonly accepted information security controls;
  • develop their own information security management guidelines.

  • ISO/IEC 27002:2013 (Information technology — Security techniques — Code of practice for information security controls)
  • ISO/IEC 27002:2013/COR 1:2014 (Information technology — Security techniques — Code of practice for information security controls — Technical Corrigendum 1)
  • ISO/IEC 27002:2013/COR 2:2015 (Information technology — Security techniques — Code of practice for information security controls — Technical Corrigendum 2)

NIST Cybersecurity Framework

The NIST Cybersecurity Framework provides a policy framework of cybersecurity guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber-attacks.


ISO/IEC 15408 (Common Criteria)

The Common Criteria for Information Technology Security Evaluation (referred to as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification.

ISO/IEC 15408 establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by the various parts of ISO/IEC 15408, which as a whole is meant to be used as the basis for evaluating the security properties of IT products.

ANSI/ISA 62443 (Formerly ISA-99)

ANSI/ISA 62443 is a series of standards, technical reports, and related information that define procedures for implementing secure Industrial Automation and Control Systems (IACS).

ISA-62443 Standard Series

ISA/IEC 62443

The ISA/IEC 62443 series of standards, developed by the ISA99 committee and adopted by the International Electrotechnical Commission (IEC), provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACSs).

COBIT 5 Information Security Framework

COBIT 5 for Information Security provides guidance to help IT and security professionals understand, utilize, implement and direct important information security-related activities, and make more informed decisions while maintaining awareness about emerging technologies and the accompanying threats.

COBIT 5 Information Security Policy Set

In addition, PCI DSS, HIPAA, and GDPR play an important role in how your service executes its information security governance policies.
