Standards & Frameworks

Disclaimer: Links are provided on these pages purely for informational purposes and should not be construed as endorsement or claim of affiliation with any of the companies, websites, people or products. All names, logos and trademarks belong to their respective owners.

The ISO/IEC 27000-series (also known as the ‘ISMS Family of Standards’ or ISO27k for short) comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The series provides best practice recommendations on information security management, risks and controls within the context of an overall information security management system (ISMS), similar in design to management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series). [Wikipedia]

ISO/IEC 27000:2018  Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO/IEC 27000:2018 provides the overview of information security management systems (ISMS). It also provides terms and definitions commonly used in the ISMS family of standards. This document is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).

Click HERE for a free copy of this standard.

ISO/IEC 27001:2013  Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

ISO/IEC 27002:2013  Information technology — Security techniques — Code of practice for information security controls

ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization’s information security risk environment(s).

ISO/IEC 27003:2017  Information technology — Security techniques — Information security management systems — Guidance

ISO/IEC 27003:2017 provides explanation and guidance on ISO/IEC 27001:2013. This document provides guidance on the requirements for an information security management system (ISMS) as specified in ISO/IEC 27001 and provides recommendations (‘should’), possibilities (‘can’) and permissions (‘may’) in relation to them. It is not the intention of this document to provide general guidance on all aspects of information security.

ISO/IEC 27004:2016  Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation

ISO/IEC 27004:2016 provides guidelines intended to assist organizations in evaluating the information security performance and the effectiveness of an information security management system in order to fulfil the requirements of ISO/IEC 27001:2013, 9.1. It establishes:

a) the monitoring and measurement of information security performance;

b) the monitoring and measurement of the effectiveness of an information security management system (ISMS) including its processes and controls;

c) the analysis and evaluation of the results of monitoring and measurement.

ISO/IEC 27004:2016 is applicable to all types and sizes of organizations.

ISO/IEC 27005:2018  Information technology — Security techniques — Information security risk management

This document provides guidelines for information security risk management.

This document supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.

Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this document.

This document is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that can compromise the organization’s information security.

ISO/IEC 27006:2015  Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems

ISO/IEC 27006:2015 specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021-1 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.

ISO/IEC 27010:2015  Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications

This International Standard provides controls and guidance specifically relating to initiating, implementing, maintaining, and improving information security in inter-organizational and inter-sector communications. It provides guidelines and general principles on how the specified requirements can be met using established messaging and other technical methods.

ISO/IEC 27019:2017 Information technology — Security techniques — Information security controls for the energy utility industry

ISO/IEC 27019:2017 provides guidance based on ISO/IEC 27002:2013 applied to process control systems used by the energy utility industry for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes.

CSRC-NIST: Since the mid-1990s, CSRC has provided visitors with NIST resources on computer, cyber, and information security and privacy. It includes publications, projects & programs, news and events from the NIST Information Technology Laboratory’s (ITL) two security divisions: Computer Security Division (CSD) & Applied Cybersecurity Division (ACD).

NIST Cybersecurity Framework: The Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.  Download the framework in PDF / Excel.

The NIST Privacy Framework Site: The NIST Privacy Framework is a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy. A Tool for Improving Privacy through Enterprise Risk Management Version 1.0 (January 2020). Download the framework in PDF.

SP 800-207: Zero Trust Architecture (2nd Draft) [Draft 2/13/2020]

SP 800-115: Technical Guide to Information Security Testing and Assessment [Final 9/30/2008]

SP 800-30 Rev. 1  Guide for Conducting Risk Assessments [Final 9/17/2012]

SP 800-100: Information Security Handbook: A Guide for Managers [Final 3/07/2007]

SP 800-12 Rev. 1  An Introduction to Information Security  [Final 6/22/2017]

SP 800-61 Rev. 2  Computer Security Incident Handling Guide  [Final 8/06/2012]

SP 800-55 Rev. 1 Performance Measurement Guide for Information Security [Final 7/16/2008]

SP 800-53 Rev. 5  Security and Privacy Controls for Information Systems and Organizations [Draft 8/15/2017]

SP 800-50  Building an Information Technology Security Awareness and Training Program [Final 10/01/2003]

SP 800-47   Security Guide for Interconnecting Information Technology Systems [Final 9/01/2002]

SP 800-46 Rev. 2  Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security  [Final 7/29/2016]

SP 800-45 Version 2   Guidelines on Electronic Mail Security  [Final 2/20/2007]

SP 800-44 Version 2  Guidelines on Securing Public Web Servers [Final 10/09/2007]

SP 800-41 Rev. 1  Guidelines on Firewalls and Firewall Policy [Final 9/28/2009]

SP 800-40 Rev. 3  Guide to Enterprise Patch Management Technologies [Final 7/22/2013]

SP 800-95  Guide to Secure Web Services [Final 8/29/2007]

SP 800-94 Rev. 1   Guide to Intrusion Detection and Prevention Systems (IDPS)  [Draft 7/25/2012]

SP 800-92  Guide to Computer Security Log Management [Final 9/13/2006]

SP 800-82 Rev. 2  Guide to Industrial Control Systems (ICS) Security [Final 6/03/2015]

SP 800-81-2  Secure Domain Name System (DNS) Deployment Guide [Final 9/18/2013]

SP 800-77 Rev. 1   Guide to IPsec VPNs  [Draft 7/02/2019]

SP 800-37 Rev. 2  Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy [Final 12/20/2018]

SP 800-35  Guide to Information Technology Security Services [Final 10/09/2003]

SP 800-123  Guide to General Server Security  [Final 7/25/2008]

SP 800-114 Rev. 1  User’s Guide to Telework and Bring Your Own Device (BYOD) Security [Final 7/29/2016]

SP 800-113  Guide to SSL VPNs [Final 7/01/2008]

SP 800-137A   Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment  [Draft 1/13/2020]

SP 800-128  Guide for Security-Focused Configuration Management of Information Systems [Final 10/10/2019]

SP 800-125B  Secure Virtual Network Configuration for Virtual Machine (VM) Protection [Final 3/07/2016]

SP 800-125A Rev. 1   Security Recommendations for Server-based Hypervisor Platforms [Final 6/07/2018]

SP 800-125  Guide to Security for Full Virtualization Technologies [Final 1/28/2011]

SP 800-124 Rev. 1  Guidelines for Managing the Security of Mobile Devices in the Enterprise [Final 6/21/2013]

SP 800-146  Cloud Computing Synopsis and Recommendations  [Final 5/29/2012]

SP 800-145  The NIST Definition of Cloud Computing [Final 9/28/2011]

SP 800-144  Guidelines on Security and Privacy in Public Cloud Computing  [Final 12/09/2011]

SP 800-153  Guidelines for Securing Wireless Local Area Networks (WLANs) [Final 2/21/2012]

SP 800-179   Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist

SP 800-160 Vol. 1   Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems [Final 3/21/2018]

SP 800-160 Vol. 2   Developing Cyber Resilient Systems: A Systems Security Engineering Approach [Final 11/27/2019]

An enterprise architecture framework (EA framework) defines how to create and use an enterprise architecture. An architecture framework provides principles and practices for creating and using the architecture description of a system. It structures architects’ thinking by dividing the architecture description into domains, layers, or views, and offers models – typically matrices and diagrams – for documenting each view. This allows for making systemic design decisions on all the components of the system and making long-term decisions around new design requirements, sustainability, and support. [Wikipedia].

TOGAF: The TOGAF® framework is the de facto global standard for Enterprise Architecture. The Open Group Architecture Forum, comprised of more than 200 enterprises, develops and maintains the TOGAF standard and publishes successive versions at regular intervals. See TOGAF downloads.

About the TOGAF Standard, Version 9.2

The TOGAF Standard, Version 9.2, is an update to the TOGAF 9.1 standard providing improved guidance, correcting errors, improving the document structure, and removing obsolete content. Key enhancements made in this version include updates to the Business Architecture and the Content Metamodel. All of these changes make the TOGAF framework easier to use and maintain.

The Open Standard can be accessed online here.

Zachman Framework: The Zachman Framework™ is an ontology – a theory of the existence of a structured set of essential components of an object for which explicit expressions are necessary and perhaps even mandatory for creating, operating, and changing the object (the object being an Enterprise, a department, a value chain, a “sliver,” a solution, a project, an airplane, a building, a product, a profession or whatever).

ISO 19439:2006  Enterprise integration — Framework for enterprise modelling

ISO 19439:2006 specifies a framework conforming to requirements of ISO 15704, which serves as a common basis to identify and coordinate standards development for modelling of enterprises, emphasising, but not restricted to, computer integrated manufacturing. ISO 19439:2006 also serves as the basis for further standards for the development of models that will be computer-enactable and enable business process model-based decision support leading to model-based operation, monitoring and control.

ISO/IEC/IEEE 42010:2011  Systems and software engineering — Architecture description

ISO/IEC/IEEE 42010:2011 addresses the creation, analysis and sustainment of architectures of systems through the use of architecture descriptions. A conceptual model of architecture description is established. The required contents of an architecture description are specified. Architecture viewpoints, architecture frameworks and architecture description languages are introduced for codifying conventions and common practices of architecture description. The required content of architecture viewpoints, architecture frameworks and architecture description languages is specified. Annexes provide the motivation and background for key concepts and terminology and examples of applying ISO/IEC/IEEE 42010:2011.

ISO 15704:2019 Enterprise modelling and architecture — Requirements for enterprise-referencing architectures and methodologies

This document specifies a reference base of concepts and principles for enterprise architectures that enable enterprise development, enterprise integration, enterprise interoperability, human understanding and computer processing. This document further specifies requirements for models and languages created for expressing such enterprise architectures.

This document specifies those terms, concepts and principles considered necessary to address stakeholder concerns and to carry out enterprise creation programmes as well as any incremental change projects required by the enterprise throughout the whole life of the enterprise. This document forms the basis by which enterprise architecture and modelling standards can be developed or aligned.

This document does not define standard enterprises, standard organizational structures, standard enterprise processes, or standard enterprise data. In addition, this standard does not specify enterprise modelling processes.

ITIL

ITIL: an acronym for Information Technology Infrastructure Library, is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. ITIL describes processes, procedures, tasks, and checklists which are not organization-specific, but can be applied by an organization for establishing integration with the organization’s strategy, delivering value, and maintaining a minimum level of competency. It allows the organization to establish a baseline from which it can plan, implement, and measure. It is used to demonstrate compliance and to measure improvement.

The ITIL best practices are currently detailed within five core publications:

Read: What is ITIL?

ISO 20K

ISO/IEC 20000-1:2018  Information technology — Service management — Part 1: Service management system requirements

This document specifies requirements for an organization to establish, implement, maintain and continually improve a service management system (SMS). The requirements specified in this document include the planning, design, transition, delivery and improvement of services to meet the service requirements and deliver value.

ISO/IEC 20000-2:2019  Information technology — Service management — Part 2: Guidance on the application of service management systems

This document provides guidance on the application of a service management system (SMS) based on ISO/IEC 20000-1. It provides examples and recommendations to enable organizations to interpret and apply ISO/IEC 20000-1, including references to other parts of ISO/IEC 20000 and other relevant standards.

ISO/IEC 20000-3:2019  Information technology — Service management — Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1

This document includes guidance on the scope definition and applicability to the requirements specified in ISO/IEC 20000-1. This document can assist in establishing whether ISO/IEC 20000-1 is applicable to an organization’s circumstances. It illustrates how the scope of an SMS can be defined, irrespective of whether the organization has experience of defining the scope of other management systems. The guidance in this document can assist an organization in planning and preparing for a conformity assessment against ISO/IEC 20000-1.

ISO/IEC TR 20000-4:2010  Information technology — Service management — Part 4: Process reference model

The purpose of ISO/IEC TR 20000-4:2010 is to facilitate the development of a process assessment model according to ISO/IEC 15504 process assessment principles. ISO/IEC 15504-1 describes the concepts and terminology used for process assessment. ISO/IEC 15504-2 describes the requirements for the conduct of an assessment and a measurement scale for assessing process capability.

The process reference model provided in ISO/IEC TR 20000-4:2010 is a logical representation of the elements of the processes within service management that can be performed at a basic level. Using the reference model in a practical application might require additional elements suited to the environment and circumstances.

ISO/IEC TR 20000-5:2013  Information technology — Service management — Part 5: Exemplar implementation plan for ISO/IEC 20000-1

ISO/IEC TR 20000-5:2013 is an exemplar implementation plan providing guidance on how to implement a service management system (SMS) to fulfil the requirements of ISO/IEC 20000-1:2011. The intended users of ISO/IEC TR 20000-5:2013 are service providers, but it can also be useful for those advising service providers on how to implement an SMS.

ISO/IEC TR 20000-5:2013 includes advice for service providers on a suitable order in which to plan, implement and improve an SMS using, as an example, a generic three-phased approach to manage the implementation. The service provider can choose their own sequence to implement the SMS. Also included is advice on the development of a business case, the project initiation and other activities that are recommended for the implementation to be successful.

ISO/IEC 20000-6:2017  Information technology — Service management — Part 6: Requirements for bodies providing audit and certification of service management systems

ISO/IEC 20000-6:2017 specifies requirements and provides guidance for certification bodies providing audit and certification of an SMS in accordance with ISO/IEC 20000‑1. It does not change the requirements specified in ISO/IEC 20000‑1. ISO/IEC 20000-6:2017 can also be used by accreditation bodies for accreditation of certification bodies.

A certification body providing SMS certification is expected to be able to demonstrate fulfilment of the requirements specified in ISO/IEC 20000-6:2017, in addition to the requirements in ISO/IEC 17021‑1.

ISO/IEC TR 20000-7:2019  Information technology — Service management — Part 7: Guidance on the integration and correlation of ISO/IEC 20000-1:2018 to ISO 9001:2015 and ISO/IEC 27001:2013

This document provides guidance on the integrated implementation of a service management system (SMS) as specified in ISO/IEC 20000-1 with a quality management system (QMS) as specified in ISO 9001 and an information security management system (ISMS) as specified in ISO/IEC 27001.

ISO/IEC TR 20000-9:2015  Information technology — Service management — Part 9: Guidance on the application of ISO/IEC 20000-1 to cloud services

ISO/IEC TR 20000-9:2015 provides guidance on the use of ISO/IEC 20000‑1:2011 for service providers delivering cloud services. It is applicable to different categories of cloud service, such as those defined in ISO/IEC 17788/ITU-T Y.3500 and ISO/IEC 17789/ITU-T Y.3502, including, but not limited to, the following:

a) infrastructure as a service (IaaS);

b) platform as a service (PaaS);

c) software as a service (SaaS).

ISO/IEC 20000-10:2018  Information technology — Service management — Part 10: Concepts and vocabulary

This document describes the core concepts of ISO/IEC 20000 (all parts), identifying how the different parts support ISO/IEC 20000‑1:2018 as well as the relationships between ISO/IEC 20000-1 and other International Standards and Technical Reports. This document also includes the terminology used in all parts of ISO/IEC 20000, so that organizations and individuals can interpret the concepts correctly.

The electronic version of this International Standard can be downloaded [free] from the ISO/IEC Information Technology Task Force (ITTF) website here.

ISO/IEC TR 20000-11:2015  Information technology — Service management — Part 11: Guidance on the relationship between ISO/IEC 20000-1:2011 and service management frameworks: ITIL®

ISO/IEC TR 20000-11:2015 is a Technical Report that provides guidance on the relationship between ISO/IEC 20000-1:2011 and a commonly used service management framework, ITIL. It can be used by any organization or person wishing to understand how ITIL can be used with ISO/IEC 20000-1:2011.

ISO/IEC TR 20000-12:2016  Information technology — Service management — Part 12: Guidance on the relationship between ISO/IEC 20000-1:2011 and service management frameworks: CMMI-SVC

ISO/IEC TR 20000-12:2016 provides guidance on the relationship between ISO/IEC 20000‑1:2011 and CMMI-SVC V1.3 (through Maturity Level 3). Service providers can refer to this guidance as a cross-reference between the two documents to help them to plan and implement an SMS. An organization employing the practices in the indicated CMMI-SVC process areas can conform to many of the associated ISO/IEC 20000‑1 requirements.

The electronic version of this International Standard can be downloaded from the ISO/IEC Information Technology Task Force (ITTF) website here.

IT Governance

Information and technology (IT) governance is a subset discipline of corporate governance, focused on information and technology (IT) and its performance and risk management. The primary goals for information and technology (IT) governance are to:

  1. assure that the use of information and technology generates business value,
  2. oversee management’s performance, and
  3. mitigate the risks associated with using information and technology.

This can be done through board-level direction, implementing an organizational structure with well-defined accountability for decisions that impact the successful achievement of strategic objectives, and institutionalizing good practices by organizing activities in processes with clearly defined process outcomes that can be linked to the organisation’s strategic objectives. [Wikipedia]

ISO/IEC 38500:2015  Information technology — Governance of IT for the organization

ISO/IEC 38500:2015 provides guiding principles for members of governing bodies of organizations (which can comprise owners, directors, partners, executive managers, or similar) on the effective, efficient, and acceptable use of information technology (IT) within their organizations.

ISO/IEC CD 38503 Information technology — Governance of IT — Assessment of governance of IT

UNDER DEVELOPMENT. Link.

ISO/IEC TR 38504:2016 Governance of information technology — Guidance for principles-based standards in the governance of information technology

ISO/IEC TR 38504:2016 provides guidance on the information required to support principles-based standards in the area of governance and management of information technology. Guidance includes general recommendations, identification of elements and advice for their formulation. It does not describe the detail of specific principles or how they are aggregated into specific guidance to fulfil business objectives and achieve business outcomes from the use of IT.

ISO/IEC 38505-1:2017  Information technology — Governance of IT — Governance of data — Part 1: Application of ISO/IEC 38500 to the governance of data

ISO/IEC 38505-1:2017 provides guiding principles for members of governing bodies of organizations (which can comprise owners, directors, partners, executive managers, or similar) on the effective, efficient, and acceptable use of data within their organizations by

– applying the governance principles and model of ISO/IEC 38500 to the governance of data,

– assuring stakeholders that, if the principles and practices proposed by this document are followed, they can have confidence in the organization’s governance of data,

– informing and guiding governing bodies in the use and protection of data in their organization, and

– establishing a vocabulary for the governance of data.

ISO/IEC TR 38505-2:2018  Information technology — Governance of IT — Governance of data — Part 2: Implications of ISO/IEC 38505-1 for data management

This document provides guidance to the members of governing bodies of organizations and their executive managers on the implications of ISO/IEC 38505-1 for data management. It assumes understanding of the principles of ISO/IEC 38500 and familiarization with the data accountability map and associated matrix of considerations, as presented in ISO/IEC 38505-1.

This document enables an informed dialogue between the governing body and the senior/executive management team of an organization to ensure that the data use throughout the organization aligns with the strategic direction set by the governing body.

ISO/IEC AWI 38507 Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations

UNDER DEVELOPMENT. Link.

ISACA Frameworks, Standards and Models

The following standards and frameworks can be found on this page.

COBIT: The power of COBIT is in its breadth of tools, resources and guidance for the governance and management of enterprise IT. Use the online version to search uses by topic area and optimize your business.

The Risk IT Framework: Get an end-to-end, comprehensive view of all risks related to the use of IT and a thorough treatment of risk management. A complement to COBIT, this framework will help your enterprise identify, govern and manage IT risks.

Information Technology Assurance Framework (ITAF): Seek guidance, research policies and procedures, obtain audit and assurance programs, and develop effective reports. Designed as a living document, ITAF consists of compliance and good practice setting guidance for your IS audit and assurance assignments.

Capability Maturity Model Integration (CMMI): Take a risk-based approach to measuring and managing security risks in the context of your business mission and strategy. Use this unique cybersecurity risk assessment framework to simplify your security gap analysis.

Business Model for Information Security (BMIS): Address the complexity of security from a systems perspective. Challenge your conventional thinking by creating an environment where security can be managed holistically, allowing actual risks to be addressed.

COBIT Publications

  • COBIT 2019 Framework: Introduction And Methodology
  • COBIT 2019 Framework: Governance And Management Objectives
  • COBIT 2019 Design Guide: Designing An Information And Technology Governance Solution
  • COBIT 2019 Implementation Guide: Implementing And Optimizing An Information And Technology Governance Solution
  • Implementing The NIST Cybersecurity Framework Using COBIT 2019

Browse all ISACA publications on this page.

PCI Document Library: The Document Library includes a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step. Scroll down on this page to download the latest PCI standards. Direct link is not possible as you have to review and accept the agreement.

CIS Controls: IT security leaders use CIS Controls to quickly establish the protections providing the highest payoff in their organizations. They guide you through a series of 20 foundational and advanced cybersecurity actions, where the most common attacks can be eliminated.

Download CIS Controls 7.1

CIS Benchmarks: With a global community of cybersecurity experts, CIS has developed CIS Benchmarks: more than 100 configuration guidelines across 25+ vendor product families to safeguard systems against today’s evolving cyber threats.

CIS Tools: CIS offers a variety of tools, memberships, and services to help organizations around the world start secure and stay secure. Use the guide below to explore our offerings and find the best options for your cybersecurity needs.

————————

Archived and unsupported CIS benchmarks


Cloud Security Alliance

The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP and will augment or provide internal control direction for service organization control reports attestations provided by cloud providers.

CSA – Cloud Controls Matrix v3.0.1   [Release Date: 08/03/2019]

Description: The CCM is the only meta-framework of cloud-specific security controls mapped to leading standards, best practices and regulations. CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing. CCM is currently considered a de facto standard for cloud security assurance and compliance.

————————

Cloud Controls Matrix v3.0.1 Info Sheet [Release Date: 07/29/2014]

CSA – Cloud Security Guidance V4 (PDF)

STAR Certification Guidance Document: Auditing the Cloud Controls Matrix (CCM) [Release Date: 05/16/2014]

There are a number of control areas in the CCM that will each be awarded a management capability score on a scale of 1-15. This second version release includes alignment with CCM v1.4 and v3.X.

NIST

SP 800-145 The NIST Definition of Cloud Computing  [Final 9/28/2011]

SP 500-299 NIST Cloud Computing Security Reference Architecture  [Draft 5/05/2013]

SP 800-146 Cloud Computing Synopsis and Recommendations  [Final 5/29/2012]

SP 800-144 Guidelines on Security and Privacy in Public Cloud Computing  [Final 12/09/2011]

Cloud Related ISO Standards

ISO/IEC 17788:2014  Information technology — Cloud computing — Overview and vocabulary

ISO/IEC 17788:2014 provides an overview of cloud computing along with a set of terms and definitions. It is a terminology foundation for cloud computing standards. ISO/IEC 17788:2014 is applicable to all types of organizations (e.g., commercial enterprises, government agencies, not-for-profit organizations).


The electronic version of this International Standard can be downloaded from the ISO/IEC Information Technology Task Force (ITTF) website.

DIRECT link.

ISO/IEC 17789:2014 Information technology — Cloud computing — Reference architecture

ISO/IEC 17789:2014 specifies the cloud computing reference architecture (CCRA). The reference architecture includes the cloud computing roles, cloud computing activities, and the cloud computing functional components and their relationships.


The electronic version of this International Standard can be downloaded from the ISO/IEC Information Technology Task Force (ITTF) website.

DIRECT Link.

ISO/IEC AWI 23751  Information technology — Cloud computing and distributed platforms — Data sharing agreement (DSA) framework

UNDER DEVELOPMENT: Link.

ISO/IEC 19086-1:2016  Information technology — Cloud computing — Service level agreement (SLA) framework — Part 1: Overview and concepts

ISO/IEC 19086-1:2016 seeks to establish a set of common cloud SLA building blocks (concepts, terms, definitions, contexts) that can be used to create cloud Service Level Agreements (SLAs). This document specifies

a) an overview of cloud SLAs,

b) identification of the relationship between the cloud service agreement and the cloud SLA,

c) concepts that can be used to build cloud SLAs, and

d) terms commonly used in cloud SLAs.

ISO/IEC 19086-1:2016 is for the benefit and use of both cloud service providers and cloud service customers. The aim is to avoid confusion and facilitate a common understanding between cloud service providers and cloud service customers. Cloud service agreements and their associated cloud SLAs vary between cloud service providers, and in some cases different cloud service customers can negotiate different contract terms with the same cloud service provider for the same cloud service. This document aims to assist cloud service customers when they compare cloud services from different cloud service providers.


The electronic version of this International Standard can be downloaded from the ISO/IEC Information Technology Task Force (ITTF) website.

DIRECT Link.

ISO/IEC 19086-2:2018  Cloud computing — Service level agreement (SLA) framework — Part 2: Metric model

This document establishes common terminology, defines a model for specifying metrics for cloud SLAs, and includes applications of the model with examples. This document establishes a common terminology and approach for specifying metrics. This document is for the benefit of and use for both cloud service providers (CSPs) and cloud service customers (CSCs). This document is intended to complement ISO/IEC 19086-1, ISO/IEC 19086-3 and ISO/IEC 19086-4. This document does not mandate the use of a specific set of metrics for cloud SLAs.


The electronic version of this International Standard can be downloaded from the ISO/IEC Information Technology Task Force (ITTF) website.

DIRECT Link.

ISO/IEC 19086-3:2017  Information technology — Cloud computing — Service level agreement (SLA) framework — Part 3: Core conformance requirements

ISO/IEC 19086-3:2017 specifies the core conformance requirements for service level agreements (SLAs) for cloud services based on ISO/IEC 19086-1 and guidance on the core conformance requirements. This document is for the benefit of and use by both cloud service providers and cloud service customers. ISO/IEC 19086-3:2017 does not provide a standard structure that would be used for cloud SLAs.

ISO/IEC 19086-4:2019  Cloud computing — Service level agreement (SLA) framework — Part 4: Components of security and of protection of PII

This document specifies security and protection of personally identifiable information components, SLOs and SQOs for cloud service level agreements (cloud SLA) including requirements and guidance. This document is for the benefit and use of both CSPs and CSCs.

ISO/IEC 19831:2015  Cloud Infrastructure Management Interface (CIMI) Model and RESTful HTTP-based Protocol — An Interface for Managing Cloud Infrastructure

ISO/IEC 19831:2015 describes the model and protocol for management interactions between a cloud Infrastructure as a Service (IaaS) Provider and the Consumers of an IaaS service. The basic resources of IaaS (machines, storage, and networks) are modeled with the goal of providing Consumer management access to an implementation of IaaS and facilitating portability between cloud implementations that support the specification. This document specifies a Representational State Transfer (REST)-style protocol using HTTP. However, the underlying model is not specific to HTTP, and it is possible to map it to other protocols as well.

CIMI addresses the management of the lifecycle of infrastructure provided by a Provider. CIMI does not extend beyond infrastructure management to the control of the applications and services that the Consumer chooses to run on the infrastructure provided as a service by the Provider. Although CIMI may be to some extent applicable to other cloud service models, such as Platform as a Service (“PaaS”) or Storage as a Service (“SaaS”), these uses are outside the design goals of CIMI.

ISO/IEC DIS 19944-1  Cloud computing — Cloud services and devices: data flow, data categories and data use — Part 1: Fundamentals

UNDER DEVELOPMENT: Link.

ISO/IEC 22624:2020  Information technology — Cloud computing — Taxonomy based data handling for cloud services

This document:

— describes a framework for the structured expression of data-related policies and practices in the cloud computing environment, based on the data taxonomy in ISO/IEC 19944;

— provides guidelines on application of the taxonomy for handling of data based on data subcategory and classification;

— covers expression of data-related policies and practices including, but not limited to data geolocation, cross border flow of data, data access and data portability, data use, data management, and data governance;

— describes how the framework can be used in codes of conduct for practices regarding data at rest and in transit, including cross border data transfer, as well as remote access to data;

— provides use cases for data handling challenges, i.e. control, access and location of data according to ISO/IEC 19944 data categories.

This document is applicable primarily to cloud service providers, cloud service customers (CSCs) and cloud service users, but also to any person or organization involved in legal, policy, technical or other implications of taxonomy-based data management in cloud services.

ISO/IEC TR 20000-9:2015  Information technology — Service management — Part 9: Guidance on the application of ISO/IEC 20000-1 to cloud services

ISO/IEC TR 20000-9:2015 provides guidance on the use of ISO/IEC 20000-1:2011 for service providers delivering cloud services. It is applicable to different categories of cloud service, such as those defined in ISO/IEC 17788/ITU-T Y.3500 and ISO/IEC 17789/ITU-T Y.3502, including, but not limited to, the following:

a) infrastructure as a service (IaaS);

b) platform as a service (PaaS);

c) software as a service (SaaS).