Standards and Frameworks

NIST

NIST publishes standards, guidelines, recommendations and research on computer/cyber/information security and privacy using the following NIST technical series. NIST publications on cyber security can be found here.

Federal Information Processing Standards

Special Publications.

Given below are some well-known and oft-referenced standards:

SP 800-115 (September 2008): Technical Guide to Information Security Testing and Assessment

SP 800-114 Rev.1 (July 2016): User’s Guide to Telework and Bring Your Own Device (BYOD) Security

SP 800-113 (July 2008): Guide to SSL VPNs

SP 800-30 Rev.1 (September 2012): Guide for Conducting Risk Assessments

SP 800-34 Rev.1 (May 2010 /Updated Nov 2010): Contingency Planning Guide for Federal Information Systems

SP 800-35 (October 2003): Guide to Information Technology Security Services

SP 800-37 Rev.1 (February 2010 / Updated June 2014): Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach

SP 800-39 (March 2011): Managing Information Security Risk: Organization, Mission, and Information System View

SP 800-50 (October 2003): Building an Information Technology Security Awareness and Training Program

SP 800-53A Rev.4 (December 2014): Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

SP 800-153 (February 2012): Guidelines for Securing Wireless Local Area Networks (WLANs)

SP 800-146 (May 2012): Cloud Computing Synopsis and Recommendations

SP 800-145 (September 2011): The NIST Definition of Cloud Computing

SP 800-144 (December 2011): Guidelines on Security and Privacy in Public Cloud Computing

SP 800-125B (March 2016): Secure Virtual Network Configuration for Virtual Machine (VM) Protection

SP 800-123 (July 2008): Guide to General Server Security

 

 

 

 

The ISO/IEC 27000-series (also known as the ‘ISMS Family of Standards’ or ‘ISO27k’ for short) comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The series provides best practice recommendations on information security management, risks and controls within the context of an overall information security management system (ISMS), similar in design to management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series). [Wikipedia]

ISO/IEC 27000:2016Information technology — Security techniques — Information security management systems — Overview and vocabulary
ISO/IEC 27000:2016 the overview of information security management systems, and terms and definitions commonly used in the ISMS family of standards. This International Standard is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).

ISO/IEC 27001:2013 –  Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls
ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization’s information security risk environment(s).

ISO/IEC 27003:2010Information technology — Security techniques — Information security management system implementation guidance
ISO/IEC 27003:2010 focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of implementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS (referred to in ISO/IEC 27003:2010 as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan.

ISO/IEC 27004:2009Information technology — Security techniques — Information security management — Measurement
ISO/IEC 27004:2009 provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001.

ISO/IEC 27005:2011Information technology — Security techniques — Information security risk management
ISO/IEC 27005:2011 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2011.

ISO/IEC 27006:2015Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27006:2015 specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021‑1 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.

ISO/IEC 27010:2015Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications
This International Standard provides controls and guidance specifically relating to initiating, implementing, maintaining, and improving information security in inter-organizational and inter-sector communications. It provides guidelines and general principles on how the specified requirements can be met using established messaging and other technical methods.

ISO/IEC TR 27019:2013Information technology — Security techniques — Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
ISO/IEC TR 27019:2013 provides guiding principles based on ISO/IEC 27002 for information security management applied to process control systems as used in the energy utility industry. The aim of ISO/IEC TR 27019:2013 is to extend the ISO/IEC 27000 set of standards to the domain of process control systems and automation technology, thus allowing the energy utility industry to implement a standardized information security management system (ISMS) in accordance with ISO/IEC 27001 that extends from the business to the process control level.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.

PCI Document Library

These standards are free of charge and can be downloaded after accepting the PCI DSS agreement and providing personal information (you can opt-out and directly access the document by clicking “No Thanks”).

PCI DSS 3.2 is the latest version and is dated April 2016. Rest of the documents provide more information and guidance on implementing the standards.

 

 

InfoSec Standards in the UAE

ADSIC Information Security Standards 2.0: Click here for the PDF (378 Pages). The ADSIC website is here.

Abu Dhabi Government Information Security Policy 2.0

Abu Dhabi Government Data Management Standards.

Dubai ISR:  Information Security Regulation (ISR) standards from Dubai Smart Government mandates government entities in Dubai to implement requirements and controls stated in the standard to ensure appropriate level of confidentiality, integrity, and availability of information assets. Click for more information.

NESA: National Electronic Security Authority (NESA) UAE information assurance standards provide requirements to implement information security controls to ensure protection of information assets and supporting systems across all entities in the UAE. The new standard was announced some time ago and it is expected to be available to the public very soon.

IT Governance

ISO/IEC 38500:2015Information technology — Governance of IT for the organization
ISO/IEC 38500:2015 provides guiding principles for members of governing bodies of organizations (which can comprise owners, directors, partners, executive managers, or similar) on the effective, efficient, and acceptable use of information technology (IT) within their organizations.

COBIT 5 – The COBIT 5 framework for the governance and management of enterprise IT is a leading-edge business optimization and growth roadmap that leverages proven practices, global thought leadership and ground-breaking tools to inspire IT innovation and fuel business success. Download a free copy from ISACA website here.

ISO 22301:2012: Societal security — Business continuity management systems — Requirements
ISO 22301:2012 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.

 

 

IT Service Management

ITIL v3: an acronym for Information Technology Infrastructure Library, is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. ITIL describes processes, procedures, tasks, and checklists which are not organization-specific, but can be applied by an organization for establishing integration with the organization’s strategy, delivering value, and maintaining a minimum level of competency. It allows the organization to establish a baseline from which it can plan, implement, and measure. It is used to demonstrate compliance and to measure improvement.

The ITIL best practices are currently detailed within five core publications:

Read: What is ITIL?

ISO/IEC 20000-1:2011 Information technology — Service management — Part 1: Service management system requirements
ISO/IEC 20000-1:2011 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfil agreed service requirements.

ISO/IEC 20000-2:2012Information technology — Service management — Part 2: Guidance on the application of service management systems
ISO/IEC 20000-2:2012 provides guidance on the application of service management systems (SMS) based on the requirements in ISO/IEC 20000-1. ISO/IEC 20000-2:2012 enables organizations and individuals to interpret ISO/IEC 20000-1 more accurately, and therefore to use it more effectively. The guidance includes examples and suggestions to enable organizations to interpret and apply ISO/IEC 20000-1, including references to other parts of ISO/IEC 20000 and other relevant standards.

ISO/IEC 20000-3:2012Information technology — Service management — Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1
ISO/IEC 20000-3:2012 is useful for service providers, consultants and assessors. It includes practical guidance on scope definition, applicability and demonstration of conformity to the requirements in ISO/IEC 20000-1. Guidance on the different types of conformity assessment and assessment standards is included.

ISO/IEC TR 20000-4:2010: Information technology — Service management — Part 4: Process reference model
The purpose of ISO/IEC TR 20000-4:2010 is to facilitate the development of a process assessment model according to ISO/IEC 15504 process assessment principles. ISO/IEC 15504-1 describes the concepts and terminology used for process assessment. ISO/IEC 15504-2 describes the requirements for the conduct of an assessment and a measurement scale for assessing process capability.

ISO/IEC TR 20000-5:2013: Information technology — Service management — Part 5: Exemplar implementation plan for ISO/IEC 20000-1
ISO/IEC TR 20000-5:2013 is an exemplar implementation plan providing guidance on how to implement a service management system (SMS) to fulfil the requirements of ISO/IEC 20000-1:2011. The intended users of ISO/IEC TR 20000-5:2013 are service providers, but it can also be useful for those advising service providers on how to implement an SMS.

ISO/IEC TR 20000-10:2015: Information technology — Service management — Part 10: Concepts and terminology
ISO/IEC TR 20000-10:2015 describes the core concepts of ISO/IEC 20000, identifying how the different parts support ISO/IEC 20000‑1:2011 as well as the relationships between ISO/IEC 20000 and other International Standards and Technical Reports. This part of ISO/IEC 20000 also explains the terminology used in ISO/IEC 20000, so that organisations and individuals can interpret the concepts correctly.

ISO/IEC TR 20000-11:2015Information technology — Service management — Part 11: Guidance on the relationship between ISO/IEC 20000-1:2011 and service management frameworks: ITIL®
ISO/IEC TR 20000-11:2015 is a Technical Report that provides guidance on the relationship between ISO/IEC 20000-1:2011 and a commonly used service management framework, ITIL. It can be used by any organization or person wishing to understand how ITIL can be used with ISO/IEC 20000-1:2011

ISO/IEC TR 20000-12:2016: Information technology — Service management — Part 12: Guidance on the relationship between ISO/IEC 20000-1:2011 and service management frameworks: CMMI-SVC
ISO/IEC TR 20000-12:2016 provides guidance on the relationship between ISO/IEC 20000‑1:2011 and CMMI-SVC V1.3 (through Maturity Level 3). Service providers can refer to this guidance as a cross-reference between the two documents to help them to plan and implement an SMS. An organization employing the practices in the indicated CMMI-SVC process areas can conform to many of the associated ISO/IEC 20000‑1 requirements.

Enterprise Architecture

TOGAF: The TOGAF® framework is the de facto global standard for Enterprise Architecture. The Open Group Architecture Forum, comprised of more than 200 enterprises, develops and maintains the TOGAF standard and publishes successive versions at regular intervals. See TOGAF Downloads.

http://www.opengroup.org/subjectareas/enterprise/togaf

The Open Standard can be accessed online here: http://pubs.opengroup.org/architecture/togaf9-doc/arch/

Zachman Framework: More specifically, the Zachman Framework™ is an ontology – a theory of the existence of a structured set of essential components of an object for which explicit expressions is necessary and perhaps even mandatory for creating, operating, and changing the object (the object being an Enterprise, a department, a value chain, a “sliver,” a solution, a project, an airplane, a building, a product, a profession or whatever or whatever).

https://www.zachman.com/about-the-zachman-framework

ISO/IEC 17788:2014: Information technology — Cloud computing — Overview and vocabulary
ISO/IEC 17788:2014 provides an overview of cloud computing along with a set of terms and definitions. It is a terminology foundation for cloud computing standards. ISO/IEC 17788:2014 is applicable to all types of organizations (e.g., commercial enterprises, government agencies, not-for-profit organizations).

ISO/IEC 17789:2014: Information technology — Cloud computing — Reference architecture
ISO/IEC 17789:2014 specifies the cloud computing reference architecture (CCRA). The reference architecture includes the cloud computing roles, cloud computing activities, and the cloud computing functional components and their relationships.

ISO/IEC 19086-1:2016: Information technology — Cloud computing — Service level agreement (SLA) framework — Part 1: Overview and concepts
ISO/IEC 19086-1:2016 seeks to establish a set of common cloud SLA building blocks (concepts, terms, definitions, contexts) that can be used to create cloud Service Level Agreements (SLAs). This document specifies:

a) an overview of cloud SLAs,

b) identification of the relationship between the cloud service agreement and the cloud SLA,

c) concepts that can be used to build cloud SLAs, and

d) terms commonly used in cloud SLAs.

ISO/IEC 19086-1:2016 is for the benefit and use of both cloud service providers and cloud service customers.

ISO/IEC TR 20000-9:2015: Information technology — Service management — Part 9: Guidance on the application of ISO/IEC 20000-1 to cloud services
ISO/IEC TR 20000-9:2015 provides guidance on the use of ISO/IEC 20000‑1:2011 for service providers delivering cloud services. It is applicable to different categories of cloud service, such as those defined in ISO/IEC 17788/ITU-T Y.3500 and ISO/IEC 17789/ITU-T Y.3502, including, but not limited to, the following:

a) infrastructure as a service (IaaS);

b) platform as a service (PaaS);

c) software as a service (SaaS).

It is also applicable to public, private, community, and hybrid cloud deployment models.

ISO/IEC 27017:2015Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:

– additional implementation guidance for relevant controls specified in ISO/IEC 27002;

– additional controls with implementation guidance that specifically relate to cloud services.

This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers.

ISO/IEC 27018:2014: Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

NIST Standards

NIST Cloud Computing Program at NIST.gov

SP 500-291 (July 2011): NIST Cloud Computing Standards Roadmap (PDF. 1.52 MB)

SP 800-145 (September 2011): The NIST Definition of Cloud Computing

SP 800-144 (December 2011): Guidelines on Security and Privacy in Public Cloud Computing

Information about organisations or blogs is mostly taken from the sites themselves or from news sites or Wikipedia. Please contact the webmaster, if you have any comments or wish to report broken links.