ISO Standards for Cyber Security

Posted in management by Christopher R. Wirz on Wed Oct 05 2022

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have created several standards that apply to cybersecurity. If you are a multi-national organization or have users operating outside the US, it is important to consider these standards in your hardware, software and service architecture. These standards build off each other - and this discussion hopes to show these relationships.

ISOs related to Information Security

ISO/IEC 15408 - Common Criteria that describes a certification program for technology products and service
common criteria outlines an approach for certifying that a technology solution meets security requirements, assigning it an assurance level, and approving it for operations
The Common Criteria are generally only used for hardware and software, not services
ISO/IEC 17789 - cloud reference architecture
A common terminology framework that assists cloud service providers, cloud service customers, and cloud service partners in communicating about roles and responsibilities
ISO/IEC 20000 - Information technology Service management (multiple parts)
defines a set of operational controls and standards that organizations can use to manage IT services
defines a service management system designed to support the practice of IT service management (ITSM)
can be used to manage ITSM using a variety of approaches, including Information Technology Infrastructure Library (ITIL) and the Information Systems Audit and Control Association (ISACA) Control Objectives for Information Technologies (COBIT) framework
The goal of ITSM is to identify user needs, design an IT service that meets those needs, successfully deploy it, then enter a cycle of continuous improvements
ISO/IEC 27001:2022 - information security management system (ISMS)
Guidance for establishing, implementing, maintaining and continually improving an information security management system (ISMS from ISO/IEC 20000-1)
ISO 27001 is a voluntary standard that is not required by the U.S. federal government
ISO/IEC 27002:2022 - Information security, cybersecurity and privacy protection / Information security controls
Establish, implement, and improve an Information Security Management System (ISMS) focused on cybersecurity
While ISO/IEC 27001 outlines the requirements for an ISMS, ISO/IEC 27002 offers best practices and control objectives related to key cybersecurity aspects including access control, cryptography, human resource security, and incident response
Serves as a practical blueprint to effectively safeguard information assets against cyber threats
27001 and 27002 are tightly linked to the National Institute of Standards and Technology's Cybersecurity Framework (CSF), allowing organizations to cleanly map controls between standards and frameworks for both privacy and security
ISO/IEC 27017:2015 - Code of practice for information security controls based on ISO/IEC 27002 for cloud services
Code of practice for information security controls based on ISO/IEC 27002 for cloud services
Guidelines for information security controls regarding the provision and use of cloud services and cloud service customers
ISO/IEC 27018:2019 - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
Based on ISO/IEC 27002, considers the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services
Provides a code of practice for the protection of personally identifiable information in a public cloud environment
ISO/IEC 27701:2019 - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines
covers best practices for implementing privacy controls
ISO 27001 and ISO 27002 relate to an organization's information security program

Other important ISOs

ISO/IEC 27034:2011 - Security techniques Application security
provides guidance to assist organizations in integrating security into the processes used for managing their applications
a framework for application security within an organization. According to the standard, each organization should have an Organizational Normative Framework (ONF), and each application within the organization should have its own Application Normative Framework (ANF)
ISO/IEC 27036:2016 - Information security for supplier relationships
security requirements for defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships
ISO/IEC 27037:2012 - Guide for collecting, identifying, and preserving electronic evidence
guidelines for specific activities in the handling of digital evidence, which are identification, collection, acquisition and preservation of potential digital evidence that can be of evidential value
ISO/IEC 27041:2015 - Guide for incident investigations
guidance on the capture and analysis of functional and non-functional requirements relating to an Information Security (IS) incident investigation
ISO/IEC 27042:2015 - Guide for digital evidence analysis
guidance on the analysis and interpretation of digital evidence in a manner which addresses issues of continuity, validity, reproducibility, and repeatability
ISO/IEC 27043:2015 - Incident investigation principles and processes
guidelines based on idealized models for common incident investigation processes across various incident investigation scenarios involving digital evidence
ISO/IEC 27050:2016 - Overview and principles for eDiscovery
Electronic discovery is the process of discovering pertinent Electronically Stored Information (ESI) or data by one or more parties involved in an investigation or litigation, or similar proceeding
ISO/IEC 31000:2018 - Risk management Guidelines
focuses on designing, implementing, and reviewing risk management processes and practices
explains that proper implementation of a risk management process can be used to create and protect value, integrate organizational procedures, be part of the decision-making process