Standards and Good Practice Guidelines
In this Appendix, we shall cover two areas that provide detailed information. The first area is that of Standards, which are divided into two principal types:
In some cases, organizations can be independently assessed for compliance with requirement standards (for example, ISO/IEC 27001), and the accreditation they then enjoy can be used as a benefit when tendering for business.
Standards are generally developed at a national or international level. For example, in the United States, the NIST is the body responsible; in the United Kingdom, it is the British Standards Institute (BSI); while international standards are developed by these and other standards bodies within the wider ISO. It is worth noting that NIST standards are downloadable at no cost, but many national standards and ISO standards must be purchased.
The second area is that of good practice guidelines. These tend to be developed by the organizations that are the main source of knowledge for the subject matter. While there are many commercial organizations developing good practice guidelines for cybersecurity, these often tend to be product-specific, and the wider-ranging advice generally appears at a governmental level, or from a noncommercial independent body such as the Information Security Forum (ISF), the Business Continuity Institute, or the Disaster Recovery Institute.
Other relevant standards include the US government’s Federal Information Processing Standards (FIPS), the Internet Engineering Task Force’s Requests For Comment (RFCs), and the International Telecommunication Union standards.
ISO/IEC 27000 Series Standards
There are more than 50 information security-related standards from ISO. Not all may be immediately relevant to the reader, but I have included them for completeness. You should also be aware that the ISO standards portfolio is growing rapidly, and by the time you read this book, more may have been produced. However, I have made best efforts to ensure that the list is up-to-date at the time of writing. Where appropriate, a brief description of the standard has been included.
ISO/IEC 27000:2017—Information technology—Security techniques—Information security management systems (ISMS)—Overview and vocabulary
Apart from providing definitions of commonly used terms, this standard describes how an ISMS should work, and goes on to mention some of the standards listed herewith.
ISO/IEC 27001:2017—Information technology—Security techniques—ISMS—Requirements
Although it covers areas beyond pure cybersecurity, this is the main standard, and it is against this that organizations can be accredited. Sections 4 to 10 describe the mandatory elements of the standard, and the abbreviated list of controls in its Annex A is described in much greater detail in ISO/IEC 27002:2017.
ISO/IEC 27002:2017—Information technology—Security techniques—Code of practice for information security controls
This standard provides detailed descriptions of the controls listed in Annex A of ISO/IEC 27001:2017.
ISO/IEC 27003:2017—Information technology—Security techniques—ISMS implementation guidance
This standard provides guidance on planning an ISMS aligned to ISO/IEC 27001.
ISO/IEC 27004:2016—Information technology—Security techniques—Information security management measurements
This standard covers the types of metric and measurements that can be applied to an ISO/IEC 27001 program.
ISO/IEC 27005:2011—Information technology—Security techniques—Information security risk management
This is the main standard used when conducting an information risk management program, and can form a major input to ISO/IEC 27001.
ISO/IEC 27006:2015—Information technology—Security techniques—Requirements for bodies providing audit and certification of ISMS
Although this standard is less relevant to individual organizations looking to attain ISO/IEC 27001 certification, it does illustrate the guidance for those bodies that provide the certification.
ISO/IEC 27007:2017—Information technology—Security techniques—Guidelines for ISMS auditing
As with the previous example, this standard is somewhat less relevant to organizations wishing to develop an ISMS program, but has been included for completeness.
ISO/IEC 27008:2011—Information technology—Security techniques—Guidelines for auditors on information security controls
This standard provides a slightly different aspect of the ISMS audit function—this time dealing with guidance on specific controls.
ISO/IEC 27009:2016—Information technology—Security techniques—Sector-specific application of ISO/IEC 27001—Requirements
This standard defines how to apply BS ISO/IEC 27001:2017 in a sector (field, application area, or market area) that has common security requirements, but where those requirements are unique to that sector.
ISO/IEC 27010:2015—ISMS—Information security management for intersector and interorganizational communications
This standard was developed with the express intention of exchanging information securely between organizations, especially when concerned with sharing information on security issues.
ISO/IEC 27011:2016—Information technology—Security techniques—Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
This standard is for telecommunications organizations and will enable them to meet the baseline ISMS requirements of confidentiality, integrity, availability, and any other relevant security properties of telecommunication services.
ISO/IEC 27013:2015—Information technology—Security techniques—Guidance on the implementation of ISO/IEC 27001 and ISO/IEC 20000–1
This standard provides guidance on what organizations need to do in order to build a management system that integrates ISO/IEC 27001 and also ISO/IEC 20000, which is concerned with service management.
ISO/IEC 27014:2013—Information technology—Security techniques—Governance of information security
This standard allows organizations to make decisions about information security issues in support of the strategic organizational objectives.
ISO/IEC 27015:2012—ISMS—Information security management guidelines for financial services
This standard is important for any organization planning to offer financial services covered by an ISMS. It may also be useful to consumers of such services.
ISO/IEC 27016:2014—Information technology—Security techniques—Information security management—Organizational economics
This standard will be useful to those making information security investment decisions, as well as to those who have to prepare the business cases for information security investment.
ISO/IEC 27017:2015—Information technology—Security techniques—Code of practice for information security controls based on ISO/IEC 27002 for cloud services
This standard will be useful to organizations wishing to become providers or users of cloud services, both by identifying their responsibilities to ensure the certification of related security controls and as a checklist to ensure that potential providers of the cloud service have the necessary security policies, practices, and controls in place.
ISO/IEC 27018:2014—Information technology—Security techniques—Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
This standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations.
ISO/IEC 27019:2017—Information technology—Security techniques—Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
This standard is important for any organization in the energy utility sector planning to operate an ISMS. It may also be useful to related organizations such as utility plant suppliers, systems integrators, and auditors.
BS ISO/IEC 27021:2017—Information technology—Security techniques—Competence requirements for ISMS professionals
ISO/IEC 27031:2011—Information technology—Security techniques—Guidelines for information and communication technology readiness for business continuity
This standard provides guidelines for the preparation of information and communications technology systems in meeting business continuity requirements, and relates to ISO 22301.
ISO/IEC 27032:2012—Information technology—Security techniques—Guidelines for cybersecurity
This standard will be of much greater value to those organizations that are investing in protection against cybersecurity problems. It provides a detailed framework for identifying cybersecurity issues and a high-level set of controls for dealing with them.
ISO/IEC 27033–1:2015—Information technology—Security techniques—Network security—Overview and concepts
The first of five standards relating to network security, this standard deals with the main issues that organizations are likely to face.
ISO/IEC 27033–2:2012—Information technology—Security techniques—Guidelines for the design and implementation of network security
This standard takes matters to the next level and defines the network security requirements that are likely to be needed, and provides a checklist.
ISO/IEC 27033–3:2010—Information technology—Security techniques—Network security—Reference networking scenarios—Threats, design techniques, and control issues
This standard deals with security network design principles, and examines the threats and possible controls associated with them.
ISO/IEC 27033–4:2014—Information technology—Security techniques—Network security—Securing communications between networks using security gateways
This standard provides guidance on securing communications between networks using security gateways and firewalls, and introduces the concept of both intrusion detection systems (IDS) and intrusion prevention systems (IPS).
ISO/IEC 27033–5:2013—Information technology—Security techniques—Network security—Securing communications across networks using Virtual Private Networks (VPNs)
The final part of this standard deals with securing network interconnections and how to connect remote users by providing VPNs.
BS ISO/IEC 27033-6:2016—Information technology—Security techniques—Network security—Securing wireless IP network access
ISO/IEC 27034–1:2011—Information technology—Security techniques—Application security—Overview and concepts
This standard sets the scene for the secure development of applications, and in particular, deals with the application of security management process.
ISO/IEC 27034–2:2015—Information technology—Security techniques—Application security—Organization normative framework
This standard follows on from ISO/IEC 27034-1, and provides more detailed guidance on the implementation of application security, including a detailed description of the application security life cycle reference model.
ISO/IEC 27035:2011—Information technology—Security techniques—Information security incident management
This standard deals with the management of cybersecurity incidents.
ISO/IEC 27034-5:2017—Information technology—Security techniques—Application security—Protocols and application security controls data structure
ISO/IEC 27034-6:2016—Information technology—Security techniques—Application security—Case studies
ISO/IEC 27035-1:2016—Information technology—Security techniques—Information security incident management—Principles of incident management
ISO/IEC 27035-2:2016—Information technology—Security techniques—Information security incident management—Guidelines to plan and prepare for incident response
ISO/IEC 27036–1:2014—Information technology—Security techniques—Information security for supplier relationships—Overview and concepts
This series of three standards examines the security requirements for the relationship between organizations and their suppliers. A fourth standard is currently under development which will cover cloud supplier relationships.
ISO/IEC 27036–2:2014—Information technology—Security techniques—Information security for supplier relationships—Requirements
This standard goes into greater detail regarding the technical security requirements that must be agreed and managed between an organization and its suppliers.
ISO/IEC 27036–3:2013—Information technology—Security techniques—Information security for supplier relationships—Guidelines for information and communication technology supply chain security
Frequently, supply chains are multilayered and global, and this third standard in the series provides guidance on managing the complex risk environment.
ISO/IEC 27037:2016—Information technology—Security techniques—Guidelines for the identification, collection, acquisition, and preservation of digital evidence
When cyber incidents occur, it may be necessary to preserve evidence of the fact, and this standard provides guidelines for the forensic preservation of evidence.
ISO/IEC 27038:2016—Information technology—Security techniques—Specification for digital redaction
When organizations require to anonymize information within a document or to redact it completely, this standard provides guidelines on the process and techniques, and may be useful in information-sharing situations.
ISO/IEC 27039:2015—Information technology—Security techniques—Selection, deployment, and operations of IDPS
An intrusion detection and prevention system (IDPS) can analyze host and network traffic and/or audit trails for attack signatures or specific patterns that usually indicate malicious or suspicious intent. This standard provides guidelines for effective IDPS selection, deployment, and operation, as well as fundamental knowledge about IDPS.
ISO/IEC 27040:2016—Information technology—Security techniques—Storage security
This standard applies to all data owners, ICT managers, and security officers from small enterprises to global organizations, as well as manufacturers of general and specialized data storage products, and is particularly relevant to data destruction services.
ISO/IEC 27041:2016—Information technology—Security techniques—Guidance on assuring the suitability and adequacy of incident investigative method
This standard contains an assurance model with details of how to validate the methods used for investigations and shows how internal and external resources can be used to carry out assurance.
ISO/IEC 27042:2016—Information technology—Security techniques—Guidelines for the analysis and interpretation of digital evidence
This standard provides a detailed framework for investigation, giving guidance on how to structure and prioritize investigative stages in order to produce analysis and reports that can be used to improve security in the future.
ISO/IEC 27043:2016—Information technology—Security techniques—Incident investigation principles and processes
This standard is intended to aid in digital investigations, with the aim that a suitably skilled investigator should obtain the same result as another similarly skilled investigator, working under similar conditions.
ISO/IEC 27050-3:2017—Information technology—Security techniques—Electronic discovery—Code of practice for electronic discovery
Other Relevant ISO Standards
ISO/IEC 17788:2014—Information technology—Cloud computing—Overview and vocabulary, and
ISO/IEC 17789:2014—Information technology—Cloud computing—Reference architecture
These two standards should appeal to all kinds of cloud customers—from small enterprises to global organizations—and to all kinds of cloud providers and partner organizations such as software developers and auditors.
ISO/IEC 24762:2008—Information technology—Security techniques—Guidelines for information and communications technology disaster recovery services
This standard takes us into the area of disaster recovery, and is aimed at aiding the operation of an ISMS by providing guidance on the provision of information and communications technology disaster recovery services as part of business continuity management.
ISO/IEC 29100:2011—Information technology—Security techniques—Privacy framework
This standard provides a high-level framework for the protection of PII within ICT systems.
ISO/IEC 29101:2013—Information technology—Security techniques—Privacy architecture framework
The guidance in this standard is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering, and operating ICT systems that process PII. It focuses primarily on ICT systems that are designed to interact with PII principals.
ISO/IEC 29147:2014—Information technology—Security techniques—Vulnerability disclosure
This standard provides guidelines for vendors to be included in their business processes when receiving information about potential vulnerabilities and distributing vulnerability resolution information.
ISO/IEC 29190:2015—Information technology—Security techniques—Privacy capability assessment model
This standard provides guidance for organizations in producing an overall “score” against a simple capability assessment model; a set of metrics indicating assessment against key performance indicators; and the detailed outputs from privacy process management audits and management practices.
ISO/IEC 30111:2013—Information technology—Security techniques—Vulnerability handling processes
This standard describes processes for vendors to handle reports of potential vulnerabilities in products and online services.
Business Continuity Standards
The following is a list of the most relevant standards and good practice guidelines, and includes standards relating to incident and crisis management, both of which may be required as part of a business continuity program, and especially in response to a cybersecurity incident.
ISO 22300:2014—Societal security—Terminology
ISO 22301:2014—Societal security—Business continuity management systems—Requirements. It specifies the requirements to
ISO 22313:2014—Societal security—Business continuity management systems—Guidance
ISO 22316:2017—Security and resilience—Organizational resilience—Principles and attributes. It provides terminology relating to, and the principles for, organizational resilience. It identifies attributes and activities that support an organization in enhancing its organizational resilience.
PD ISO/TS 22317:2015—Societal security—Business continuity management systems—Guidelines for business impact analysis
ISO 22318:2015—Societal security—Business continuity management systems—Guidelines for supply chain continuity
ISO 22320:2011 Ed 1—Societal security—Emergency management—Requirements for incident response
ISO 22322:2015—Societal security—Emergency management—Guidelines for public warning
ISO 22325:2016—Security and resilience—Emergency management—Guidelines for capability assessment
ISO/IEC 24762:2008—Information technology—Security techniques—Guidelines for information and communications technology disaster recovery services
ISO/IEC 27031:2011—Guidelines for information and communication technology readiness for business continuity
ISO 22324:2015—Societal security—Emergency management—Guidelines for color-coded alerts
PD 25111:2010—Business continuity management—Guidance on the human aspects of business continuity
PD 25666:2010—Business continuity management—Guidance on exercising and testing for continuity and contingency programs
BS 11200:2014—Crisis management—Guidance and good practice
PAS 77:2006—IT Service Continuity Management—Code of Practice
All the aforementioned BS and ISO standards can be purchased in either hard copy or electronic form (PDF) from the ANSI Webstore at https://webstore.ansi.org (payment in US Dollars), from the ISO Store at https://www.iso.org/store.html (payment in Swiss Francs), and from the BSI Online Shop at http://shop.bsigroup.com (payment in Sterling).
NIST Standards
At the time of writing, there are around 185 NIST SP 800 series standards relating to information security. There are rather too many to list individually here, and the list is being added to all the time; it can be found at: https://csrc.nist.gov/publications/sp800
Also at the time of writing, there are 11 NIST Cyber Security Practice Guides in the SP 1800 series at: https://csrc.nist.gov/publications/sp1800. Some of these are still in draft form.
| Publication | Title |
| --- | --- |
| SP 1800-1 | Securing Electronic Health Records on Mobile Devices |
| SP 1800-2 | Identity and Access Management for Electric Utilities |
| SP 1800-3 | Attribute Based Access Control (2nd Draft) |
| SP 1800-4 | Mobile Device Security: Cloud and Hybrid Builds |
| SP 1800-5 | IT Asset Management: Financial Services |
| SP 1800-6 | Domain Name System-Based Electronic Mail Security |
| SP 1800-7 | Situational Awareness for Electric Utilities |
| SP 1800-8 | Securing Wireless Infusion Pumps in Healthcare Delivery Organizations |
| SP 1800-9 | Access Rights Management for the Financial Services Sector |
| SP 1800-11 | Data Integrity: Recovering from Ransomware and Other Destructive Events |
| SP 1800-12 | Derived Personal Identity Verification (PIV) Credentials |
The Federal Information Processing (FIPS) Standards
There are nine relevant FIPS Standards, available at https://csrc.nist.gov/publications/fips
| Publication | Title |
| --- | --- |
| FIPS 140-2 | Security Requirements for Cryptographic Modules |
| FIPS 180-4 | Secure Hash Standard |
| FIPS 186-4 | Digital Signature Standard |
| FIPS 197 | Advanced Encryption Standard |
| FIPS 198-1 | The Keyed-Hash Message Authentication Code |
| FIPS 199 | Standards for Security Categorization of Federal Information and Information |
| FIPS 200 | Minimum Security Requirements for Federal Information and Information |
| FIPS 201-2 | PIV of Federal Employees and Contractors |
Good Practice Guidelines
There are many examples of good practice guidelines on the Internet, making it an impossible task to list them all. However, the following are of particular note, and will direct the reader to those guidelines of interest at the level of detail required.
NIST
Details of the NIST Framework for Improving Critical Infrastructure Cybersecurity can be found at https://www.nist.gov/cyberframework
NIST has also published a document entitled Small Business Information Security: The Fundamentals, which can be downloaded from: https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
US-CERT (United States Computer Emergency Readiness Team)
US-CERT is tasked with responding to major incidents, analyzing threats, and exchanging critical cybersecurity information with trusted partners around the world, in addition to providing its users with alerts, current activity, bulletins, and tips. See https://www.us-cert.gov/ncas
Information Security Forum (ISF)
Organizations that are members of the ISF have access to the Forum Standard of Good Practice, the most recent version being from 2013. See https://www.securityforum.org/tool/the-isf-standardrmation-security/
CESG
CESG (the National Technical Authority for Information Assurance, formerly the Communications-Electronics Security Group), the information security arm of the UK’s GCHQ, has produced a document entitled “10 Steps to Cyber Security.”