Cybersecurity Standards and Frameworks
When identifying the most useful best-practice standards and guidance for implementing effective cybersecurity, it is important to establish the role that each fulfills, its scope, and how it interacts (or will interact) with other standards and guidance.
Cybersecurity standards are generally applicable to all organizations regardless of their size or the industry and sector in which they operate. This page provides generic information on each of the common standards that are usually recognized as offering a strong basis for any cybersecurity strategy.
Want to know more about a specific standard?
For more information and advice on cybersecurity standards and which would be best for your organization, speak to one of our experts today.
The NIST CSF (Cybersecurity Framework) is a voluntary framework primarily intended to manage and mitigate cybersecurity risk for critical infrastructure organizations, based on existing standards, guidelines, and practices. However, the CSF has proven to be flexible enough to also be implemented by non-US and non-critical-infrastructure organizations.
The CSF is a living document: it recognizes that continual improvement is necessary to adapt to changing industry needs. The latest version, v1.1, was released in 2018.
The cybersecurity requirements under the DFARS (Defense Federal Acquisition Regulation Supplement) mandate that DoD (Department of Defense) contractors and subcontractors implement the controls specified in NIST SP (Special Publication) 800-171. CUI (controlled unclassified information) requires safeguarding in accordance with applicable laws, regulations, and policies. All contractors and subcontractors processing, storing, or transmitting CUI need to meet the minimum security standards specified in the DFARS. Failing to meet these standards can result in the loss of contracts with the DoD.
FISMA (the Federal Information Security Management Act) was put in place to strengthen information security within federal agencies, NIST, and the OMB (Office of Management and Budget). It requires each agency to implement “policies and procedures to cost-effectively reduce information technology security risks to an acceptable level”, recognizing the importance of information security to the economy and national security.
HIPAA (the Health Insurance Portability and Accountability Act) established a national standard for the security of electronic health information, including the protection of individually identifiable health information, the rights granted to individuals, breach notification requirements, and the role of the OCR (Office for Civil Rights).
ISO/IEC 27001 is the international standard for best-practice ISMSs (information security management systems). It is a rigorous and comprehensive specification for protecting and preserving your information under the principles of confidentiality, integrity, and availability. The Standard offers a set of best-practice controls that can be applied to your organization based on the risks you face, and implemented in a structured manner in order to achieve externally assessed and certified compliance.
ISO/IEC 27032 is the international standard focusing explicitly on cybersecurity. While the controls it recommends are not as precise or prescriptive as those in ISO/IEC 27001, the standard recognizes the vectors that cyber attacks rely upon. It also includes guidelines for protecting your information beyond the borders of your organization, such as in partnerships, collaborations, or other information-sharing arrangements with clients and suppliers.
As part of the ISO 27000 series of guidelines, ISO/IEC 27032 can be neatly integrated with your ISMS simply by updating and expanding the policies, processes, and training your organization needs.
ISO/IEC 27035 is the international standard for incident management. While cybersecurity management systems are designed to protect your organization, it is essential to be prepared to respond quickly and effectively when something does go wrong. This standard also includes guidance for updating policies and processes to strengthen existing controls following analysis of the event, and minimizing the risk of recurrence.
Additional benefits can come from implementing ISO/IEC 27035, because an incident management regime is a requirement of the PCI DSS (Payment Card Industry Data Security Standard).
ISO/IEC 27031 is the international standard for ICT (information and communication technologies) readiness for business continuity. It is the logical next step from incident management, as an uncontrolled incident can become a threat to ICT continuity. It is essential that your organization is prepared for a cyber attack that beats your first line of defense and threatens your information systems as a whole.
This standard bridges the gap between the incident itself and general business continuity, and forms a key link in the chain of cyber resilience.
ISO 22301 is the international standard for BCMSs (business continuity management systems) and forms a crucial part of cyber resilience. This standard not only focuses on recovery from disasters but also on maintaining access to and security of information, which is crucial when attempting to return to full and secure functionality.
Speak to an expert
Please contact our team for more information on cybersecurity, and how IT Governance can help your organization.