Cybersecurity Standards and frameworks
When identifying the most useful best-practice standards and guidance for implementing effective cybersecurity, it is important to establish the role that each fulfils, its scope, and how it interacts (or will interact) with other standards and guidance.
Cybersecurity standards are generally applicable to all organizations regardless of their size or the industry and sector in which they operate. This page provides generic information on each of the standards that is usually recognized as an essential component of any cyber security strategy.
Want to know more about a specific standard?
For more information and advice on cybersecurity standards, and which would be best for your organization, speak to one of our experts today.
The CSF is a voluntary framework primarily intended for critical infrastructure organizations to manage and mitigate cybersecurity risk based on existing standards, guidelines, and practices. However, the CSF has proven to be flexible enough to also be implemented by non-US and non-critical infrastructure organizations. The CSF is a living document – it recognizes that continual improvement is necessary to adapt to changing industry needs. As such, version 1.1 was recently released.
NIST SP 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations” details which controls it recommends for all US federal information systems (excluding those in national security). As NIST SP 800-53 contains a tremendous set of 272 recommended controls, NIST created SP 800-171, a simplified version with just 114 controls, serving as a more approachable framework for contractors to implement.
NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” details requirements to protect CUI (Controlled Unclassified Information) – information that necessitates protecting or dispersing controls consistent with laws, regulations, and policies.
The cybersecurity requirements in the DFARS (Defense Federal Acquisition Regulation Supplement) mandate all DoD contractors and subcontractors to be compliant with the NIST SP 800-171 security controls, with the goal of making organizations more secure. Failing to comply with SP 800-171 could result in the loss of federal contracts.
Federal Information Security Management Act (FISMA) 2002
FISMA was put in place to strengthen information security within federal agencies, the National Institute of Standards & Technology (NIST), and the Office of Management & Budget (OMB). It requires each agency to implement "policies and procedures to cost-effectively reduce information technology security risks to an acceptable level" as it recognizes the importance of information security to the economy and national security.
ISO/IEC 27001 is the international Standard for best-practice information security management systems (ISMSs). It is a rigorous and comprehensive specification for protecting and preserving your information under the principles of confidentiality, integrity, and availability. The Standard offers a set of best-practice controls that can be applied to your organization based on the risks you face, and implemented in a structured manner in order to achieve externally assessed and certified compliance.
By fulfilling the requirements of ISO/IEC 27001, you will be fulfilling the majority of the requirements of the other standards and guidance relating to cybersecurity. Any remaining gaps identified by other guidance can then be plugged with a minimum of fuss.
ISO/IEC 27032is the international Standard focusing explicitly on cybersecurity. While the controls recommended are not as precise or prescriptive as those supplied in ISO/IEC 27001, this Standard recognizes the vectors that cyber attacks rely upon, including those that originate outside cyber space itself. Further, it includes guidelines for protecting your information beyond the borders of your organization, such as in partnerships, collaborations, or other information-sharing arrangements with clients and suppliers.
As part of the ISO 27000 series of guidelines, ISO/IEC 27032 can be neatly integrated with your ISMS simply by updating and expanding the policies, processes and training your organization needs.
HIPAA established a national standard for the security of electronic health information, including the protection of individually identifiable health information, the rights granted to individuals, breach notification requirements, and the role of the OCR (Office of Civil Rights).
ISO/IEC 27035 is the international Standard for incident management. Incident management forms the crucial first stage of cyber resilience. While cybersecurity management systems are designed to protect your organization, it is essential to be prepared to respond quickly and effectively when something does go wrong. This Standard also includes guidance for updating policies and processes to strengthen existing controls following analysis of the event, and minimising the risk of recurrence.
Additional benefits can come from implementing ISO/IEC 27035 because an incident management regime is a requirement of certification for both ISO/IEC 27001 and the PCI DSS.
ISO/IEC 27031 is the international Standard for ICT readiness for business continuity. This is a logical step to proceed to from incident management, as an uncontrolled incident can transform into a threat to ICT continuity. As part of the profile of a cyber attack, it is essential that your organization is prepared for a cyber attack beating your first line of defence and threatening your information systems as a whole.
This Standard bridges the gap between the incident itself and general business continuity, and forms a key link in the chain of cyber resilience.
ISO/IEC 22301 is the international Standard for business continuity management systems (BCMSs), and forms the final part of cyber resilience. This Standard not only focuses on the recovery from disasters, but also on maintaining access to, and security of, information, which is crucial when attempting to return to full and secure functionality.
A BCMS completes the requirements of cyber resilience by closing the final stage in the profile of an overwhelming cyber attack.
Speak to an expert
Please contact our team for more information on cybersecurity, and how IT Governance can help your ogranization.