APPENDIX A
STANDARDS

Standards and specifications are directives telling you what should be done, while guidelines and recommendations are informative and tell you how you should go about it.

There are also good practice guides and documents, which, rather than being issued by a standards body, may originate from an organisation that has a legitimate claim to be the main source of knowledge on matters pertaining to it. An example of this is the Information Security Forum’s Standard of Good Practice, which we shall examine briefly later in this appendix.[1]

Regardless of their name or definition, standards, specifications, guidelines and recommendations are costly to produce and tend to be developed and distributed by large international organisations, which usually make a charge for them, or by government departments, which may subsidise them to a greater or lesser degree.

Some standards bodies produce their output for local consumption only, whereas the larger ones tend to produce output intended for more widespread use. An example of the former category is Standards Australia, whose output is generally just used within that country and sometimes in New Zealand. An example of the second category is BSI,[2] which has been at the forefront of standards development since 1901, and much of its output is utilised worldwide, often being turned into truly international standards through ISO.

There are a number of countries that produce their own standards of all kinds, but the principal ones for cyber security are the EU, the USA and the UK. However, many of these standards go on to become international standards, so we will deal primarily with those.

The standards body responsible for publishing them is ISO,[3] based in Geneva. Development of new standards can take many years and involves representatives from all over the world who meet both in person and through collaborative file sharing to define and agree the detail.

The best-known series of information security standards is the ISO/IEC 27000 series (IEC[4] is also based in Geneva), and many of the ISO standards are produced in consultation with the IEC.

There are also some excellent British Standards (BSs) and guideline documents as well as many American Federal Information Processing Standards (FIPSs). Finally, and still of interest, are the Internet Engineering Task Force (IETF) Requests for Comment (RFCs) and the International Telecommunication Union (ITU) standards.

At the time of writing, there are more than 40 published ISO standards in the information security area, with several more in the development pipeline. If you would like to see the details of any of them, the best place to look is either the ISO website or the BSI website, as the index of ISO standards is shown there. If you wish to purchase them, you will probably find that the BSI online route is less costly, especially if you become a member of BSI, in which case many of the standards are available at a discounted price.

The security standard considered to be the primary one is ISO/IEC 27001:2022, and it is to this standard that organisations can be accredited.

One thing to beware of is that the ISO standards portfolio is growing rapidly, and by the time you read this book many more will have been produced. However, we have made best efforts to ensure that the list is up to date at the time of writing. Where appropriate, a brief description of the standard has been included.

CYBER SECURITY STANDARDS

There are more standards in this area than you could shake a stick at, so below are some of the most relevant ones.

BS 10012:2017+A1:2018 – Specification for a personal information management system

The title of this standard is slightly confusing – it would appear to refer to management of information for individual people, whereas it actually refers to organisational management of people’s personal information.

Its main theme is to highlight the organisation’s responsibilities with regard to data protection and it is a useful introduction to the European Union General Data Protection Regulation 679/2016 (GDPR). The structure has also been updated to follow the ISO management system structure.

PAS 555:2013 – Cyber security risk – Governance and management – Specification

For organisations wishing to achieve a reasonable standard of cyber security without the need for full ISO/IEC 27001 certification, PAS 555 is an excellent beginning. It does, however, only provide high-level statements as opposed to the level of detail that one would find in the full ISO standard. This might appeal to many SMEs.

ISO/IEC 27000 SERIES STANDARDS

ISO/IEC 27000:2020 – Information technology – Security techniques – Information security management systems – Overview and vocabulary

Apart from providing definitions of commonly used terms, this standard describes how an information security management system (ISMS) should work and goes on to mention some of the standards listed below.

ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection – Information security management systems – Requirements

Although it covers areas beyond pure cyber security, this is the main standard, and it is against this that organisations can be accredited. Sections 4 to 10 describe the mandatory elements of the standard, and the abbreviated list of controls in its Annex A is described in much greater detail in ISO/IEC 27002:2022.

ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection – Information security controls

This standard provides detailed descriptions of the controls listed in Annex A of ISO/IEC 27001:2022. The number of controls in the 2022 version of ISO/IEC 27002 has decreased from 114 to just 93. These are organised into four control themes – Organisational, People, Physical and Technological controls. While a number of controls have been merged to avoid duplication and some have been removed altogether, there are 11 new controls:

  • Threat intelligence;
  • Information security for the use of cloud services;
  • ICT readiness for business continuity;
  • Physical security monitoring;
  • Configuration management;
  • Information deletion;
  • Data masking;
  • Data leakage prevention;
  • Monitoring activities;
  • Web filtering;
  • Secure coding.

ISO/IEC 27003:2017 – Information technology – Security techniques – Information security management systems implementation guidance

This standard provides guidance on planning and implementing an information security management system aligned to ISO/IEC 27001.

ISO/IEC 27004:2016 – Information technology – Security techniques – Information security management measurements

This standard covers the types of metrics and measurements that can be applied to an ISO/IEC 27001 programme.

ISO/IEC 27005:2022 – Information security, cybersecurity and privacy protection – Guidance on managing information security risks

This is the main standard used when conducting an information risk management programme and can form a major input to an ISO/IEC 27001 programme. A somewhat older standard, ISO 31000:2018, Risk management – Principles and guidelines, provides principles and generic guidelines on risk management.

ISO/IEC 27006:2020 – Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems

Although this standard is less relevant to individual organisations looking to attain ISO/IEC 27001 certification, it does illustrate the guidance for those bodies that provide the certification.

ISO/IEC 27007:2022 – Information technology – Security techniques – Guidelines for information security management systems auditing

As with the previous example, this standard is somewhat less relevant to organisations wishing to develop an ISMS programme but has been included for completeness.

ISO/IEC 27008:2019 – Information technology – Security techniques – Guidelines for auditors on information security controls

This standard provides a slightly different aspect of the ISMS audit function – this time dealing with guidance on specific controls.

ISO/IEC 27010:2015 – Information security management systems – Information security management for inter-sector and inter-organizational communications

This standard was developed with the express intention of enabling organisations to exchange information securely, especially when sharing information on security issues, as discussed in Chapter 11.

ISO/IEC 27011:2016 – Information technology – Security techniques – Information security management guidelines for telecommunications organizations based on ISO/IEC 27002

The standard is for telecommunications organisations and will enable them to meet baseline ISMS requirements of confidentiality, integrity, availability and any other relevant security properties of telecommunications services.

ISO/IEC 27013:2021 – Information technology – Security techniques – Guidance on the implementation of ISO/IEC 27001 and ISO/IEC 20000-1

This standard provides guidance on what organisations need to do in order to build a management system that integrates ISO/IEC 27001 and also ISO/IEC 20000, which is concerned with service management.

ISO/IEC 27014:2020 – Information technology – Security techniques – Governance of information security

This standard allows organisations to make decisions about information security issues in support of the strategic organisational objectives.

ISO/IEC 27015:2012 – BS ISO/IEC TR 27015:2012 ED1 – Information security management systems – Information security management guidelines for financial services

This standard is important for any organisation planning to offer financial services covered by an ISMS. It may also be useful to consumers of such services.

ISO/IEC 27016:2014 – Information technology – Security techniques – Information security management – Organizational economics

This standard will be useful when making information security investment decisions, as well as for those who have to prepare the business cases for information security investment.

ISO/IEC 27017:2021 – Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services

This standard will be useful to organisations wishing to become providers or users of cloud services, both by identifying their responsibilities to ensure certification of related security controls, and as a checklist to ensure that potential providers of the cloud service have the necessary security policies, practices and controls in place.

ISO/IEC 27018:2020 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

This standard is applicable to all types and sizes of organisations, including public and private companies, government entities and not-for-profit organisations, which provide information processing services as PII processors via cloud computing under contract to other organisations.

ISO/IEC 27019:2020 – Information technology – Security techniques – Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry

This standard is important for any organisation in the energy utility sector planning to operate an ISMS. It may also be useful to related organisations such as utility plant suppliers, systems integrators and auditors.

ISO/IEC 27023:2015 – Information technology – Security techniques – Mapping the revised editions of ISO/IEC 27001 and ISO/IEC 27002

This standard simply does what it says in the title. The earlier (2005) versions of ISO/IEC 27001 and 27002 differed in many ways from the 2013 versions, and this standard provides clarification.

ISO/IEC 27031:2011 – Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity

This standard provides guidelines for preparation of information and communications technology systems in meeting business continuity requirements. It relates to ISO 22301, which falls largely outside the scope of this book, since that standard covers all aspects of business continuity.

ISO/IEC 27032:2012 – Information technology – Security techniques – Guidelines for cybersecurity

This standard will be of much greater value to those organisations that are investing in protection against cyber security problems. It provides a detailed framework for identifying cyber security issues, and a high-level set of controls for dealing with them.

ISO/IEC 27033-1:2015 – Information technology – Security techniques – Network security – Overview and concepts

The first of six standards relating to network security, this standard deals with the main issues that organisations are likely to face.

ISO/IEC 27033-2:2012 – Information technology – Security techniques – Guidelines for the design and implementation of network security

This standard takes matters to the next level and defines the network security requirements that are likely to be needed and provides a checklist.

ISO/IEC 27033-3:2010 – Information technology – Security techniques – Network security – Reference networking scenarios – Threats, design techniques and control issues

This standard deals with secure network design principles and examines the threats and possible controls associated with them.

ISO/IEC 27033-4:2014 – Information technology – Security techniques – Network security – Securing communications between networks using security gateways

This standard provides guidance on securing communications between networks using security gateways and firewalls and introduces the concept of intrusion detection systems.

ISO/IEC 27033-5:2013 – Information technology – Security techniques – Network security – Securing communications across networks using Virtual Private Networks (VPNs)

ISO/IEC 27033-6:2016 – Information technology – Security techniques – Network security – Securing wireless IP network access

This final part of this standard deals with securing network interconnections and how to connect remote users by providing VPNs.

This group of seven standards sets the scene for the secure development of applications, and in particular deals with the application security management process:

ISO/IEC 27034-1:2011 – Information technology – Security techniques – Application security – Overview and concepts

ISO/IEC 27034-2:2015 – Information technology – Security techniques – Application security – Organization normative framework

ISO/IEC 27034-3:2018 – Information technology – Application security – Application security management process

ISO/IEC 27034-5:2017 – Information technology – Security techniques – Application security – Protocols and application security controls data structure

ISO/IEC 27034-6:2016 – Information technology – Security techniques – Application security – Case studies

ISO/IEC 27034-7:2018 – Information technology – Application security – Assurance prediction framework

This group of three standards deals with the management of cyber security incidents:

ISO/IEC 27035-1:2016 – Information technology – Security techniques – Information security incident management

ISO/IEC 27035-2:2016 – Information technology – Security techniques – Information security incident management – Part 2: Guidelines to plan and prepare for incident response

ISO/IEC 27035-3:2020 – Information technology – Information security incident management – Guidelines for ICT incident response operations

This series of four standards examines the security requirements for the relationship between organisations and their suppliers:

ISO/IEC 27036-1:2021 – Information technology – Security techniques – Information security for supplier relationships – Overview and concepts

ISO/IEC 27036-2:2022 – Information technology – Security techniques – Information security for supplier relationships – Requirements

This standard goes into greater detail regarding the technical security requirements that must be agreed and managed between an organisation and its suppliers.

ISO/IEC 27036-3:2013 – Information technology – Security techniques – Information security for supplier relationships – Guidelines for information and communication technology supply chain security

Frequently, supply chains are multi-layered and global, and this standard provides guidance on managing the complex risk environment.

ISO/IEC 27036-4:2016 – Information technology – Security techniques – Information security for supplier relationships – Guidelines for security of cloud services

This standard provides cloud service customers and cloud service providers with guidance on:

(a) gaining visibility into the information security risks associated with the use of cloud services and managing those risks effectively; and

(b) responding to risks specific to the acquisition or provision of cloud services that can have an information security impact on organisations using these services.

ISO/IEC 27037:2016 – Information technology – Security techniques – Guidelines for identification, collection, acquisition and preservation of digital evidence

When cyber incidents occur, it may be necessary to preserve evidence of the fact, and this standard provides guidelines for the forensic preservation of evidence.

ISO/IEC 27038:2016 – Information technology – Security techniques – Specification for digital redaction

When organisations are required to anonymise information within a document or to redact it completely, this standard provides guidelines on the process and techniques, and may be useful in information sharing situations.

ISO/IEC 27039:2015 – Information technology – Security techniques – Selection, deployment and operations of intrusion detection and prevention systems (IDPS)

Intrusion detection and prevention systems can provide an analysis of host and network traffic and/or audit trails for attack signatures or specific patterns that usually indicate malicious or suspicious intent. This standard provides guidelines for effective IDPS selection, deployment and operation, as well as fundamental knowledge about IDPS.

ISO/IEC 27040:2016 – Information technology – Security techniques – Storage security

This standard applies to all data owners, IT managers and security officers from small enterprises to global organisations, as well as manufacturers of general and specialised data storage products, and is particularly relevant to data destruction services.

ISO/IEC 27041:2016 – Information technology – Security techniques – Guidance on assuring suitability and adequacy of incident investigative method

This standard contains an assurance model with details of how to validate the methods used for investigations and shows how internal and external resources can be used to carry out assurance.

ISO/IEC 27042:2016 – Information technology – Security techniques – Guidelines for the analysis and interpretation of digital evidence

This standard provides a detailed framework for investigation, giving guidance on how to structure and prioritise investigative stages in order to produce analysis and reports that can be used to improve security in the future.

ISO/IEC 27043:2016 – Information technology – Security techniques – Incident investigation principles and processes

This standard is intended to aid in digital investigations, with the aim that a suitably skilled investigator should obtain the same result as another similarly skilled investigator working under similar conditions.

OTHER RELEVANT ISO STANDARDS

ISO/IEC 17788:2014 – Information technology – Cloud computing – Overview and vocabulary

ISO/IEC 17789:2014 – Information technology – Cloud computing – Reference architecture

These two standards should appeal to all kinds of cloud customers – from small enterprises to global organisations – and all kinds of cloud providers and partner organisations such as software developers and auditors.

ISO/IEC 24762:2008 – Information technology – Security techniques – Guidelines for information and communications technology disaster recovery services

This standard takes us into the area of disaster recovery and is aimed at aiding the operation of an ISMS by providing guidance on the provision of information and communications technology disaster recovery services as part of business continuity management.

ISO/IEC 29100:2020 – Information technology – Security techniques – Privacy framework

This standard provides a high-level framework for the protection of personally identifiable information within IT systems.

ISO/IEC 29101:2021 – Information technology – Security techniques – Privacy architecture framework

The guidance in this standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating IT systems that process PII. It focuses primarily on IT systems that are designed to interact with PII principals.

ISO/IEC 29147:2020 – Information technology – Security techniques – Vulnerability disclosure

This standard provides guidelines for vendors to be included in their business processes when receiving information about potential vulnerabilities and distributing vulnerability resolution information.

ISO/IEC 29190:2015 – Information technology – Security techniques – Privacy capability assessment model

This standard provides guidance for organisations in producing an overall ‘score’ against a simple capability assessment model; a set of metrics indicating assessment against key performance indicators; and the detailed outputs from privacy process management audits and management practices.

ISO/IEC 30111:2020 – Information technology – Security techniques – Vulnerability handling processes

This standard describes processes for vendors to handle reports of potential vulnerabilities in products and online services.

BUSINESS CONTINUITY STANDARDS

Since cyber security forms an integral part of business continuity, the following standards have been included for completeness.

The first real attempt at producing a business continuity standard in the UK was the introduction of the BSI’s PAS 56 in 2003. Intended as an interim standard, it was eventually replaced by BS 25999 Part 1 – Business continuity management – Code of practice in 2006 and BS 25999 Part 2 – Business continuity management – Specification in 2007. Both of these have now been superseded by the international standard ISO 22301.

As with many BSI and ISO standards areas, there are a number of standards and good practice guides for business continuity. The following is a list of the most relevant, and includes standards relating to incident and crisis management, both of which may be required as part of a business continuity programme.

ISO 22301:2014 – Societal security – Business continuity management systems – Requirements

This is now the definitive business continuity standard, replacing BS 25999 Parts 1 and 2 in 2014.

ISO 22313:2014 – Societal security – Business continuity management systems – Guidance

This standard is the guidance document that supports the requirements of ISO 22301. It describes good practice guidelines and recommendations that organisations may adopt to ensure their business continuity management (BCM) programme aligns with internationally recognised best practices.

ISO 22318:2021 – Societal security – Business continuity management systems – Guidelines for supply chain continuity

As the title suggests, this standard examines strategies and methods for managing supply chain disruptions.

ISO 22322:2015 – Societal security – Emergency management – Guidelines for public warning

This standard describes the processes for monitoring threats and hazards that might cause harm to the public at large, and how to communicate these.

PD 25111:2010 – Business continuity management – Guidance on human aspects of business continuity

This standard provides guidelines for the planning of strategies for human resource management both during and following a business-disruptive incident, considering not only staff, but also their families.

PD 25666:2010 – Business continuity management – Guidance on exercising and testing for continuity and contingency programmes

Exercising and testing are key aspects of business continuity programmes, and PD 25666 delivers practical advice on how best to accomplish them, the aims and objectives of exercises, how to present a business case and how to develop staff competence through training.

BS 11200:2014 – Crisis management – Guidance and good practice

Crisis management requires a forward-looking, systematic approach that creates structures, trains people to work within them and is evaluated and developed in a continuous, purposeful and rigorous way.

BS BIP 2142:2012 – The route map to business continuity management. Meeting the requirements of ISO 22301

John Sharp, the author of this document, has taken ISO 22301 as a starting point, examined every aspect of its requirements, and explained in BIP 2142 how best these can be achieved. However, he has taken this document much further by adding sections that are not specifically covered by ISO 22301, and also by providing useful templates for the BC practitioner.

BS BIP 2143:2012 – Business continuity exercises and tests. Delivering successful exercise programmes with ISO 22301

This document covers business continuity exercises and tests, expanding on the requirements of PD 25666 and explaining how best these can be achieved.

BS BIP 2151:2012 – Auditing business continuity management plans. Assess and improve your performance against ISO 22301

This document is probably better suited to larger enterprises, where internal audit is widely used, and a strict compliance regime is in operation.

BS BIP 2185:2012 – Business continuity communications. Successful incident communication planning with ISO 22301

The business continuity plan itself is only part of the story. Communication with all stakeholders during a business-disruptive incident is essential both in making the plan work and in preserving the organisation’s credibility with the media.

BS BIP 2214:2011 – A practical approach to business impact analysis. Understanding the organisation through business continuity management

BIP 2214 is one of the most useful documents in the whole of the BSI collection and will guide the reader step by step through the entire business impact analysis (BIA) process.

BS BIP 2217:2011 – Business continuity management for small and medium sized enterprises. How to survive a major disaster or failure

This document takes the BCM approach from the perspective of the SME as opposed to that of the larger corporate organisation, at which many other standards and guides are directed.

PAS 77:2006 – IT Service Continuity Management – Code of Practice

By investigating, developing and implementing preventative and recovery options beforehand, an organisation can minimise and manage interruptions to services that threaten the continuity of the business.

British standards can be obtained in PDF or hard copy format from the BSI online shop (www.bsigroup.com/Shop) or, for hard copies only, by contacting BSI Customer Services: tel. +44 (0) 20 8996 9001, email [email protected]

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) STANDARDS

There are many NIST standards and FIPSs relating to information security, but these are probably of greatest interest:

NIST SP 800-53A – Guide for Assessing the Security Controls in Federal Information Systems and Organizations

NIST SP 800-83 – Guide to Malware Incident Prevention and Handling

NIST SP 800-100 – Information Security Handbook: A Guide for Managers

NIST SP 800-153 – Guidelines for Securing Wireless Local Area Networks (WLANs)

These can all be downloaded free of charge from http://csrc.nist.gov/publications/

NIST Cyber Security Framework (2014) – Framework for Improving Critical Infrastructure Cybersecurity.[5]


1. See https://www.securityforum.org/blog/standard-of-good-practice-for-information-security-2020-now-available-to-members/

2. See www.bsigroup.com/en-GB/standards/

3. See https://www.iso.org/standards.html

4. See https://iec.ch/about-us

5. NIST regularly publishes updates to the original framework, and these can be viewed at https://www.nist.gov/cyberframework
