When identifying the most useful best-practice standards and guidance for implementing effective cybersecurity, it is important to establish the role that each fulfills, its scope, and how it interacts (or will interact) with other standards and guidance.
Cybersecurity standards are generally applicable to all organizations regardless of their size or the industry and sector in which they operate. This page provides generic information on each of the common standards that are usually recognized as offering a strong basis for any cybersecurity strategy.
Want to know more about a specific Standard or framework?
If you would like more information or advice on any of the Standards or frameworks covered below, speak to one of our experts today to discover how we can support your organization.
NIST CSF (Cybersecurity Framework)
The CSF is a voluntary framework primarily intended to manage and mitigate cybersecurity risk for critical infrastructure organizations, based on existing standards, guidelines, and practices. However, the CSF has proven to be flexible enough to also be implemented by non-US and non-critical-infrastructure organizations.
The CSF is a living document – it recognizes that continual improvement is necessary to adapt to changing industry needs – the latest version, v1.1, was released in 2018.
Learn more about the NIST CSF >>
Gain a clear understanding of the NIST CSF (Cybersecurity Framework) with our essential pocket guide >>
NIST SPs (Special Publications) 800-53 and 800-171
NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations”, recommends controls for all US federal information systems (excluding those in national security).
As NIST SP 800-53 contains a large set of 272 recommended controls, NIST created SP 800-171, a simplified version with just 110 controls across 14 families, which serves as a more approachable framework for contractors to implement.
Learn more about NIST >>
DFARS (Defense Federal Acquisition Regulation Supplement)
The cybersecurity requirements under the DFARS mandate that DoD contractors and subcontractors must implement controls that are specified in the NIST SP (Special Publication) 800-171.
Controlled Unclassified Information (CUI) requires safeguarding in accordance with applicable laws, regulations, and policies. All contractors and subcontractors processing, storing, or transmitting CUI need to meet minimum security standards specified in the DFARS. Failing to meet these standards can result in the loss of contracts with the DoD.
Learn more about DFARS >>
Federal Information Security Management Act (FISMA) 2002
FISMA was put in place to strengthen information security within federal agencies, NIST, and the OMB (Office of Management and Budget). It requires each agency to implement “policies and procedures to cost-effectively reduce information technology security risks to an acceptable level”, recognizing the importance of information security to the economy and national security.
Learn more about FISMA >>
HIPAA: Health Insurance Portability and Accountability Act
HIPAA established a national standard for the security of electronic health information, including the protection of individually identifiable health information, the rights granted to individuals, breach notification requirements, and the role of the OCR (Office for Civil Rights).
Learn more about HIPAA >>
ISO/IEC 27001 is the international standard for best-practice ISMSs (information security management systems).
It is a rigorous and comprehensive specification for protecting and preserving your information under the principles of confidentiality, integrity, and availability. The Standard offers a set of best-practice controls that can be applied to your organization based on the risks you face, and implemented in a structured manner in order to achieve externally assessed and certified compliance.
Purchase the latest ISO/IEC 27001 Standard >>
Learn more about ISO 27001 >>
ISO/IEC 27002 is the international Standard that supports the implementation of an ISMS (information security management system) based on the requirements of ISO 27001. This standard covers the controls that are an important part of information security management for all organizations. Any organization that stores and manages information should have controls in place to address information security risks.
Although an organization cannot certify to ISO 27002, the standard serves as a guidance document, aiding ISO 27001 implementation by providing best practice guidance on applying the controls listed in Annex A of ISO 27001.
Purchase the latest ISO/IEC 27002 Standard >>
Learn more about ISO 27002 >>
ISO/IEC 27701 is the international standard that serves as an extension to an ISO 27001/ISO 27002 ISMS (information security management system). It provides guidelines for implementing, maintaining, and continually improving a PIMS (privacy information management system).
Organizations that have implemented ISO 27001 will be able to use ISO 27701 to extend their security efforts to cover privacy management – including their processing of personal data/PII (personally identifiable information) – which will help them demonstrate compliance with data protection laws such as the CCPA and the GDPR.
Purchase the latest ISO/IEC 27701 Standard >>
Learn more about ISO 27701 >>
ISO/IEC 27032 is the international standard focusing explicitly on cybersecurity.
While the controls recommended are not as precise or prescriptive as those supplied in ISO/IEC 27001, this standard recognizes the vectors that cyber attacks rely upon. It also includes guidelines for protecting your information beyond the borders of your organization, such as in partnerships, collaborations, or other information-sharing arrangements with clients and suppliers.
As part of the ISO 27000 series of guidelines, ISO/IEC 27032 can be neatly integrated with your ISMS simply by updating and expanding the policies, processes, and training your organization needs.
Purchase the latest ISO/IEC 27032 Standard >>
ISO/IEC 27035 is the international standard for incident management.
While cybersecurity management systems are designed to protect your organization, it is essential to be prepared to respond quickly and effectively when something does go wrong. This standard also includes guidance for updating policies and processes to strengthen existing controls following analysis of the event, and minimizing the risk of recurrence.
Additional benefits can come from implementing ISO/IEC 27035 because an incident management regime is a requirement of the PCI DSS.
Learn more about the PCI DSS >>
Purchase the latest ISO/IEC 27035 Standard >>
ISO/IEC 27031 is the international standard for ICT (information and communication technologies) readiness for business continuity.
This is a logical step to proceed to from incident management, as an uncontrolled incident can transform into a threat to ICT continuity. It is essential that your organization is prepared for a cyber attack beating your first line of defense and threatening your information systems as a whole.
This standard bridges the gap between the incident itself and general business continuity, and forms a key link in the chain of cyber resilience.
Learn more about cyber resilience >>
Purchase the latest ISO/IEC 27031 Standard >>
ISO 22301 is the international standard for BCMS (Business Continuity Management Systems) and forms a crucial part of cyber resilience.
This standard not only focuses on recovery from disasters but also on maintaining access to and security of information, which is crucial when attempting to return to full and secure functionality.
Learn more about Business Continuity >>
Purchase the latest ISO 22301 Standard >>