Cybersecurity Standards

Standards are an essential backbone to implementing your cybersecurity strategy. They provide best-practice guidance and establish roles and processes to help put your cybersecurity plan in place and structure your workload.

The standards are generally applicable to all organizations, regardless of their size or the industry and sector they operate in. This page provides generic information on each of the standards that are usually recognized as essential components of any cybersecurity strategy.

On this page:

Federal Information Security Management Act (FISMA) 2002
Health Insurance Portability & Accountability Act (HIPAA) 1996
ISO/IEC 27001
ISO/IEC 27032
ISO/IEC 27035
ISO/IEC 27031
ISO/IEC 22301
PAS 555
CCM

Federal Information Security Management Act (FISMA) 2002

FISMA was put in place to strengthen information security within federal agencies, the National Institute of Standards & Technology (NIST), and the Office of Management & Budget (OMB). It requires each agency to implement "policies and procedures to cost-effectively reduce information technology security risks to an acceptable level" as it recognizes the importance of information security to the economy and national security.

Health Insurance Portability & Accountability Act (HIPAA) 1996

HIPAA established a national standard for the security of electronic health information, including the protection of individually identifiable health information, the rights granted to individuals, breach notification requirements, and the role of the OCR (Office for Civil Rights).

ISO/IEC 27001

ISO/IEC 27001 is the international standard for best-practice information security management systems (ISMS). It is a rigorous and comprehensive specification for protecting and preserving your information under the principles of confidentiality, integrity, and availability. The standard offers a set of best practice controls that can be applied to your organization based on the risks you face and implemented in a structured manner in order to achieve externally assessed and certified compliance.

By fulfilling the requirements of ISO27001, you will be fulfilling the majority of the requirements of other standards and guidance relating to cybersecurity. Any remaining gaps identified by other guidance can then be plugged with minimum fuss.

ISO/IEC 27032

ISO/IEC 27032 is the international standard that focuses explicitly on cybersecurity. The standard provides guidance for improving the state of cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains.

While the controls recommended are not as precise or prescriptive as those supplied in ISO27001, this standard recognizes the vectors that cyber attacks rely on, including those that originate outside of cyberspace itself. Further, it includes guidelines for protecting your information beyond the borders of your organization, such as in partnerships, collaborations, or other information-sharing arrangements with clients and suppliers.

As part of the ISO/IEC 27000 series of guidelines, ISO27032 can be neatly integrated with your ISMS simply by updating and expanding the policies, processes, and training that your organization needs.

ISO/IEC 27035

ISO/IEC 27035 is the international standard for incident management. Incident management forms the crucial first stage of cyber resilience. While cybersecurity management systems are designed to protect your organization, it is essential to be prepared to respond quickly and effectively when something does go wrong. This standard also includes guidance for updating policies and processes to strengthen existing controls following analysis of the event, minimizing the risk that it recurs.

An incident management regime, such as that described in ISO27035, is a requirement of certification for both ISO27001 and PCI DSS.

ISO/IEC 27031

ISO/IEC 27031 is the international standard for ICT readiness for business continuity. An ICT Readiness for Business Continuity (IRBC) program requires an organization's ICT services and infrastructure to be ready to support business operations in the event of emerging events, incidents, and related disruptions that could affect the continuity (including the security) of critical business functions. It also allows an organization to assess, in a consistent and recognized manner, whether its performance parameters correlate to its IRBC.

Within the profile of a cyber attack, it is essential that your organization is prepared for the case where an attack beats your first line of defense and threatens your information systems as a whole. This standard bridges the gap between the incident itself and general business continuity, and forms a key link in the chain of cyber resilience.

ISO/IEC 22301

ISO/IEC 22301 is the international standard for business continuity management systems (BCMS) and forms the final part of cyber resilience. This standard does not focus solely on the recovery from disasters but also on maintaining access to and security of information, which is crucial when attempting to return to full, secure functionality.

A BCMS completes the requirements of cyber resilience by closing the final stage in the profile of an overwhelming cyber attack.

PAS 555

PAS 555 was released by the British Standards Institution (BSI) in 2013. The many other standards and sources of best practice on cybersecurity tend to focus on the delivery of effective cybersecurity, but PAS 555:2013 doesn't specify such practices or actions: it specifically targets the organization’s top management and is deliberately broad in its scope, detailing what effective cybersecurity looks like.

PAS 555 allows executives and senior management to compare the organization’s cybersecurity measures against the established descriptions at a high level. When implemented, this provides an "umbrella" under which other standards and guidance can fit to flesh out the results described.

CCM

The Cloud Security Alliance's (CSA) Cloud Controls Matrix (CCM) is a set of controls designed to maximize the information security of organizations using cloud technologies. The benefits of cloud technologies are well known, but there has been some resistance to their uptake from a number of organizations due to the perceived risks of storing and processing data beyond their own physical and logical perimeters. The CSA developed the CCM in order to offer organizations a set of guidelines that would enable them to maximize the security of their information without relying solely on the cloud provider's assurances.

At IT Governance we can help you implement effective cybersecurity through our coherent set of products and services.