Copyright © 2010 IsecT Ltd.

As well as the ISO27k standards, there are many other ISO/IEC and non-ISO/IEC standards and methods relating to information security, risk management and similar fields.  Here is a selection of the most widely known and relevant standards and methods, drawing in part on an excellent summary of security standards in the draft APEC-TEL Information Systems Security Standards Handbook.  THIS IS NOT A COMPLETE, COMPREHENSIVE OR DEFINITIVE LIST! [If you know of other security standards, or if we have incorrectly described any here, do please let us know.  Thank you to those who have taken the trouble to provide up-to-date information and commentary.]

Quick links

• ISO standards in numerical sequence
• Non-ISO standards in alphabetical order
• NIST Special Publications in numerical sequence

Security-related ISO standards

ISO 9000, ISO/IEC 12207 and ISO/IEC 15288 SDLC/QA standards

The ISO 9000  family of quality management standards define quality as the features of a product or service which are required by the  customer.  Quality management is what an organization does to ensure that its products or  services satisfy the customers’ quality requirements and comply with applicable regulations. 

The following standards cover the application of quality management principles specifically to the Software Development Life Cycle:

• ISO 9003:2004 Software engineering  - Guidelines for the application of ISO 9001:2000 to computer software,  covers all aspects from development to supply, acquisition, operation  and maintenance of computer software. It is appropriate to software that is:
• part of a commercial contract with another organization;
• a product available for a market sector;
• used to support the processes of an organization;
• embedded in a hardware product; or
• related to software services.
• ISO/IEC 12207:2008 Systems and software engineering -- Software life cycle processes covers software life cycle processes.  The ISO/IEC 12207 page on the ISO website states that “ISO/IEC 12207:2008 establishes a common framework for software life cycle processes, with well-defined terminology, that can be referenced by the software industry. It contains processes, activities, and tasks that are to be applied during the acquisition of a software product or service and during the supply, development, operation, maintenance and disposal of software products. Software includes the software portion of firmware. [The standard] applies to the acquisition of systems and software products and services, to the supply, development, operation, maintenance, and disposal of software products and the software portion of a system, whether performed internally or externally to an organization. Those aspects of system definition needed to provide the context for software products and services are included. [It] also provides a process that can be employed for defining, controlling, and improving software life cycle processes.  The processes, activities and tasks of ISO/IEC 12207:2008 - either alone or in conjunction with ISO/IEC 15288 - may also be applied during the acquisition of a system that contains software”.
• ISO/IEC 15288:2008 Systems and software engineering -- System life cycle processes covers systems engineering by defining a set of processes and terminology.  The ISO/IEC 15288 page on the ISO website states that “ISO/IEC 15288:2008 establishes a common framework for describing the life cycle of systems created by humans. It defines a set of processes and associated terminology. These processes can be applied at any level in the hierarchy of a system's structure. Selected sets of these processes can be applied throughout the life cycle for managing and performing the stages of a system's life cycle. This is accomplished through the involvement of all interested parties, with the ultimate goal of achieving customer satisfaction.  [The standard] also provides processes that support the definition, control and improvement of the life cycle processes used within an organization or a project. Organizations and projects can use these life cycle processes when acquiring and supplying systems.  [It] concerns those systems that are man-made and may be configured with one or more of the following: hardware, software, data, humans, processes (e.g., processes for providing service to users), procedures (e.g., operator instructions), facilities, materials and naturally occurring entities. When a system element is software, the software life cycle processes documented in ISO/IEC 12207:2008 may be used to implement that system element.  ISO/IEC 15288:2008 and ISO/IEC 12207:2008 are harmonized for concurrent use on a single project or in a single organization.”

ISO/IEC 7498 Open Systems Interconnect (OSI) security model

This multi-partite standard defines the OSI reference model, describing an architecture to secure network communications through security services (access control, authentication, data integrity, data confidentiality and non-repudiation) and security mechanisms (encipherment, digital signature, access control, data integrity, authentication exchange, traffic padding, routing control and notarization).

ISO/IEC 10181  Security frameworks

This eight-part standard addresses the application of security services in an OSI environment with ODP, databases and distributed applications.  The eight parts cover:

1. Overview;
2. Authentication;
3. Access control;
4. Non-repudiation;
5. Integrity;
6. Confidentiality;
7. Audit; and
8. Key Management.

Through core concepts such as security domains, security authorities, security policies, trust and trusted third parties, the standard describes the basic concepts of the specific security service, identifies mechanisms to support the service, defines the management and supporting services and identifies functional requirement for protocols (but without actually specifying the protocols).

ISO/IEC 13335 IT security management

ISO/IEC 13335 (which started life as a Technical Report TR before becoming a full ISO/IEC standard) comprises a set of guidelines for the management of IT security, focusing primarily on technical security control measures:

• ISO/IEC 13335-1:2004 Information technology – Security techniques – Management of information and communications technology security – Part 1: Concepts and models for information and communications technology security management explains the concepts and models for information and communications technology security management.  (ISO/IEC TR 13335 parts 1 and 2 were combined into the revised ISO/IEC 13335-1:2004)
• ISO/IEC 13335-2 - withdrawn and replaced by an updated part 1.
• ISO/IEC TR 13335-3:1998 Information technology – Guidelines for the Management of IT Security – Part 3: Techniques for the management of IT Security covers techniques for the management of IT security.  This part of the standard has been withdrawn and replaced by ISO/IEC 27005.
• ISO/IEC TR 13335-4:2000 covers the selection of safeguards (meaning technical security controls).  This part of the standard has also been withdrawn and replaced by ISO/IEC 27005.
• ISO/IEC TR 13335-5:2001 provides management guidance on network security.  This part of the standard has been withdrawn and replaced by ISO/IEC 18028-1 which will presumably become part of ISO/IEC 27033 in due course.

ISO TR 13569 Financial services - information security guidelines

ISO TR 13569:2005 guides financial services organizations on the development of an information security programme with advice on policies, organization and structure, plus legal and regulatory compliance. The selection and implementation of security controls necessary to manage information security risks are discussed in the context  of the business environment, practices and procedures.

ISO/IEC 13888 Non-repudiation

This tripartite standard describes non-repudiation mechanisms based on digital certificates generated using symmetric or asymmetric encryption, used to generate evidence and resolve disputes.

• ISO/IEC 13888-1: General model
• ISO/IEC 13888-2: Mechanisms using symmetric techniques
• ISO/IEC 13888-3: Mechanisms using asymmetric techniques

ISO 15292 Protection profile registration procedures

A Protection Profile is an implementation-independent set of security requirements for a category of IT products or systems, which meet specific consumer needs.  ISO 15292 defines the procedures to be applied by a Registration Authority in operating a Register of Protection Profiles and ‘packages’ (reusable sets of functional or assurance components combined together to satisfy a set of identified security objectives) for the purposes of IT security evaluation.

ISO 15408 Common Criteria

ISO 15408:1999 is a multipartite standard describing the Common Criteria for Information Technology Security Evaluation. Products that are evaluated against the Common Criteria (CC) have a defined level of assurance as to their information security capabilities that is recognized in most of the world. Unfortunately, the evaluation process is extremely costly and slow, and is therefore not widely used outside of the government and defense markets.  It also impedes product development since patching can invalidate the certified assurance.

1. ISO/IEC 15408-1: Introduction and general model defines general concepts and principles of IT security evaluation and presents a general model of evaluation. Part 1 also presents constructs for expressing IT security objectives, for selecting and defining IT security requirements, and for writing high-level specifications for products and systems. In addition, the usefulness of each part of the CC is described in terms of each of the target audiences.
2. ISO/IEC 15408-2: Security functional requirements establishes a set of security functional components as a standard way of expressing the security functional requirements for Targets of Evaluation (TOEs). It catalogues the functional components, families and classes.
3. ISO/IEC 15408-3: Security assurance requirements establishes a set of assurance components as a standard way of expressing the assurance requirements for TOEs. It catalogues the set of assurance components, families and classes, defines evaluation criteria for Protection Profiles (PPs) and Security Targets (STs), and presents Evaluation Assurance Levels (EALs), the CC’s scale for rating assurance for TOEs.  [Sorry about the alphabet soup, it’s an occupational hazard in this field.]

ISO 15408 also provides two useful threat-related definitions:

• Threats are the potential for abuse of protected assets;
• Threat agents may place a value on assets and seek to abuse or damage assets in a manner contradictory to the interests of the asset owner.

ISO 15489 Records management

ISO 15489:2001 is a records management standard in two parts:

• Part 1 describes a “high level framework for recordkeeping and specifically addresses the benefits of records management, regulatory considerations affecting its operation and the importance of assigning of responsibilities for recordkeeping. It also discusses high level records management requirements, the design of recordkeeping systems and actual processes involved in records management, such as record capture, retention, storage, access etc. It concludes with a discussion of records management audit operations and training requirements for all staff of an organisation.”
• Part 2  provides “practical and more detailed guidance about how to implement the framework outlined in Part 1. For example it provides specific detail about the development of records management policy and responsibility statements and outlines the DIRKS process for developing recordkeeping systems.  Part 2 also provides practical guidance about the development of records processes and controls and specifically addresses the development of key recordkeeping instruments such as thesauri, disposal authorities and security and access classification schemes. It then discusses the use of these tools to capture, register, classify, store, provide access to and otherwise manage records. Part 2 also provides specific guidance about the establishment of monitoring, auditing and training programs to promote and effectively implement records management within an organisation.”

ISO/IEC 17021 Conformity assessment -- requirements for bodies providing audit and certification of management systems

ISO/IEC 17021:2006 is referenced by ISO/IEC 27006.  It defines generic requirements for audit and certification bodies in relation to assessing and certifying management systems.

ISO/IEC 18028 IT network security

ISO/IEC 18028 is a 5-part standard that expands on the details of ISO/IEC 27002 sections 10.6 and 11.4 and extends the IT security management guidelines provided in ISO/IEC 13335 by detailing the specific operations and mechanisms needed to implement network security safeguards and controls in a wider range of network environments, providing a bridge between general IT security management issues and network security technical implementations:

1. ISO/IEC 18028-1:2006 Information technology. Security techniques. IT network security. Network security management.  Provides detailed guidance on the security aspects of the management, operation and use of IT networks and interconnections.  Defines and describes the concepts associated with, and provides management guidance on, network security - including on how to identify and analyze the communications-related factors to be taken into account to establish network security requirements, with an introduction to the possible control areas and the specific technical areas of concern.
2. ISO/IEC 18028-2:2005 Information technology. Security techniques. IT network security. Network security architecture.  Defines a network security architecture for providing end-to-end network security. The architecture can be applied to various kinds of networks where end-to-end security is a concern and independently of the network's underlying technology. Serves as a foundation for developing the detailed recommendations for the end-to-end network security.
3. ISO/IEC 18028-3:2005 Information technology. Security techniques. IT network security. Securing communications between networks using security gateways.  Provides an overview of security gateways through a description of different architectures, outlining the techniques for security gateways to analyze network traffic i.e. packet filtering, stateful packet inspection, application proxy, network address translation and content analysis and filtering.  Provides guidelines for the selection and configuration of security gateways.
4. ISO/IEC 18028-4:2005 Information technology. Security techniques. IT network security. Securing remote access.  Provides guidance for securely using remote access - a method to remotely connect a computer either to another computer or to a network using public networks - and its implication for IT security. Introduces the remote access protocols, discusses authentication.
5. ISO/IEC 18028-5:2006 Information technology. Security techniques. IT network security. Securing communications across networks using virtual private networks.  Provides detailed guidance on the security aspects of the management, operation and use of IT networks, and their inter-connections. Defines techniques for securing inter-network connections using virtual private networks (VPNs). Supports IT network managers, administrators, technicians and IT security officers choosing the appropriate VPN. Describes general principals of organization, structure, framework and usage of a VPN. Discusses functional area, used standards and network protocols, the various types of VPN, their respective requirements, characteristics and other aspects.

ISO/IEC 18028 will become ISO/IEC 27033, a seven-part standard (in other words more than a simple re-numbering).

ISO/IEC 18043 Selection, deployment and operations of Intrusion Detection Systems (IDS)

ISO/IEC 18043:2006 focuses on the security principles behind unauthorized intrusion into computer systems/networks and how organizations can establish frameworks to enable comprehensive Intrusion Detection Systems (IDS).  It addresses IDS selection, deployment and operation to help IT managers set up standard, and hence interoperable, IDS configurations.

ISO/IEC TR 18044 Security incident management

Please see the page on ISO/IEC 27035 for information on this standard.

ISO 19011 Guidelines for quality and/or environmental management systems auditing

ISO 19011:2002 provides an introduction to compliance auditing against various ISO management systems standards.  ISO27k is not explicitly covered at present but the standard is being revised to incorporate ISO27k, and is recommended reading for ISMS internal auditors as well as certification auditors and other IT auditors.

ISO/IEC 19770 Software asset management

ISO/IEC 19770-1:2006 promotes the implementation of an integrated set of software asset management processes, using good practices for efficient software management.  Contents:

• Scope, terms and definitions;
• Field of application;
• Conformance;
• Intended usage;
• Agreement compliance;
• General Software Asset Management processes;
• Control environment for Software Asset Management;
• Planning and implementation;
• Inventory processes;
• Verification and compliance processes;
• Operations management processes and interfaces;
• Life cycle process interfaces.

ISO/IEC 20000 - ITIL  IT service management

“ITIL (IT Infrastructure Library) is the most widely accepted approach to IT service management in the world. ITIL provides a cohesive set of best practice, drawn from the public and private sectors internationally. It is supported by a comprehensive qualifications scheme, accredited training organisations, and implementation and assessment tools.”  While ISO 20000 is not strictly the same as ITIL, ITIL became BS 15000 and became ISO/IEC 20000, a two part standard, in 2005:

• ISO/IEC 20000 Part 1:2005 Information technology service management. Specification for Service Management describes the requirements for IT service management against which organizations may be independently certified.
• ISO/IEC 20000 Part 2:2005 Information technology service management. Code of Practice for Service Management gives more practical guidance to implementers, a suite of best practices for IT service management.

Read more about ISO/IEC 20000 on the IT Service Management Forum (itSMF) website.

 Please note: the ITIL security book has been thoroughly revised for ITIL version 3 (for example, with much more extensive alignment to ISO27k) and is due to be published by Van Haren in January 2010.

ISO 21827 Systems Security Engineering Capability Maturity Model (SSE CMM)

Like other Capability Maturity Models (CMMs), the Systems Security Engineering (SSE) CMM defines the essential characteristics of SSE processes, emphasizing those which indicate process maturity.  The model covers the entire systems development lifecycle from concept definition to decommissioning.  It applies to those developing or integrating secure products/systems, and those providing specialist security services such as security engineering. Read more about the SSE CMM.  It was published as ISO 21827 in 2002.

ISO/PAS 22399 Societal security - Guideline for incident preparedness and operational continuity management

ISO/PAS 22399:2007 provides general guidance for private, governmental, and nongovernmental organizations to develop specific performance criteria for incident preparedness and operational continuity, and design appropriate management systems.  It provides a basis for understanding, developing and implementing continuity of operations and services within the organization and to provide confidence in business, community, customer, first responder and organizational interactions.  It also enables the organization to measure its resilience in a consistent and recognized manner.

ISO/IEC 24762:2008 Guidelines for information and communications technology disaster recovery services

This new standard offers guidance on Information and Communications Technology Disaster Recovery (ICT DR) within the context of business continuity management. It supports the operation of an ISMS by addressing the information security and availability aspects of business continuity management in times of crisis.  A business continuity plan comprises an organization’s strategies to prepare for future national, regional or local crises that could jeopardize its capacity to continue with its core mission, as well as its long term stability. Business continuity management is an integral part of holistic risk management that involves:

• Identifying potential threats that may cause adverse impacts on an organization’s business operations, and associated risks;
• Providing a framework for building resilience for business operations;
• Providing capabilities, facilities, processes, action task lists, etc., for effective responses to disasters and failures.

Using the standard, organizations can build greater resilience into their ICT infrastructure supporting critical business activities and complementing their business continuity management and information security management activities.

ISO/PAS 28000:2005 Specification for security management systems for the supply chain

This standard specifies the requirements for a security management system [as opposed to an information security management system - see the ISO27k standards for that], including those aspects critical to security assurance of the supply chain such as financing, manufacturing, information management and the facilities for packing, storing and transferring goods between modes of transport and locations. Security management is linked to many other aspects of business management. These other aspects should be considered directly, where and when they have an impact on security management, including transporting goods along the supply chain.

ISO/PAS 28000 is applicable to all sizes of organizations, from small to multinational, in manufacturing, service, storage or transportation at any stage of the production or supply chain that wishes to:

1. Establish, implement, maintain and improve a security management system;

2. Assure compliance with stated security management policy;

3. Demonstrate such compliance to others;

4. Seek certification/registration of its security management system by an accredited certification body or self-declare compliance with ISO/PAS 28000.  Organizations that choose certification demonstrate that they are contributing significantly to supply chain security.

ISO 31000: Risk management — Principles and guidelines on implementation DRAFT

ISO 31000 bears resemblance to AS/NZS 4360, a widely used Australia/New Zealand standard for risk management.  From the current draft: “This International Standard recognizes the variety of the nature, level and complexity of risks and provides generic guidelines on principles and implementation of risk management. To apply these generic guidelines in a specific situation, this International Standard sets out how an organization should understand the specific context in which it implements risk management.”  In other words, ISO 31000 will cover risk management in the broad, not specifically information security or even IT risks.  Publication is not expected before the end of 2008.

ISO/IEC 31010: Risk management – Risk assessment guidelines DRAFT

Although I haven’t yet seen this draft standard, I presume it is a formal guideline on the assessment of risks as defined in ISO 31000 ...

ISO/IEC 38500: Corporate governance of information technology

ISO/IEC 38500:2008, an ISO/IEC standard developed from Australian Standard AS 8015:2005, is described on the ISO website as follows:

“ISO/IEC 38500:2008 provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.  [The standard] applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization.  It also provides guidance to those advising, informing, or assisting directors.  They include:

• senior managers;
• members of groups monitoring the resources within the organization;
• external business or technical specialists, such as legal or accounting specialists, retail associations, or professional bodies;
• vendors of hardware, software, communications and other IT products;
• internal and external service providers (including consultants);
• IT auditors.”

The governance model appears relatively simple: senior managers evaluate the organization’s requirements and make plans, cascade them through the organization as directives, policies etc., and monitor their implementation, revising the plans or directives where necessary.  This is similar in style to the plan-do-check-act cycle of ISO/IEC 27001 and ISO 9001.

ANSI sells a single-user PDF version of ISO/IEC 38500 for US$86.

One of the six governance principles from AS 8015 is to ‘Ensure ICT performs well, whenever required’.  This specifically requires Directors to evaluate risks to information and direct that ICT supports the business and is protected, specifically invoking the ISMS standards and monitor that policies are properly followed.  Another principle (‘Ensure ICT conforms to formal rules’) implies the need for compliance in ISMS terms.  An itSMF pocket guide gives more information on AS 8015.

ISO/IEC Guide 73:2002 Risk management – Vocabulary – Guidelines for use in standards

In recognition of the variety of specialist terms in the field of risk management, Guide 73 lays out specific interpretations of more than 50 terms in order that ISO/IEC risk management standards are consistent in their use of the terminology.  Standards such as ISO 31000 can therefore simply reference Guide 73 instead of defining the terms.

As an example, ‘risk assessment’ and ‘risk analysis’ are often used loosely and interchangeably by practitioners.  Guide 73 defines risk assessment as the overall process of identifying, analyzing and evaluating risks, therefore risk analysis is a component of risk assessment.

‘Residual risk’ is another example that has a variety of meanings in common use.  Guide 73 defines it specifically as “risk remaining after risk treatments”, with notes pointing out that residual risk includes risks than have not been identified, and is also known as ‘retained risk’ (although ‘risk retention’ is also defined separately).

Guide 73 is currently being revised for reissue, probably in the first half of 2009.  It will presumably take full account of the terms now defined in ISO/IEC 27000.

Other ISO/IEC standards cited by ISO/IEC 27002:2005

• ISO/IEC Guide 2:1996 Standardization and related activities – General vocabulary
• ISO/IEC 9796-2:2002 Information technology – Security techniques – Digital signature schemes giving message recovery – Part 2: Integer factorization based mechanisms
• ISO/IEC 9796-3:2000 Information technology – Security techniques – Digital signature schemes giving message recovery – Part 3: Discrete logarithm based mechanisms
• ISO 10007:2003 Quality management systems – Guidelines for configuration management
• ISO/IEC 11770-1:1996 Information technology – Security techniques – Key management – Part 1: Framework
• ISO/IEC 12207:1995 Information technology – Software life cycle processes - please refer to ISO/IEC 27034 for more on this topic
• ISO/IEC 13888-1:1997 Information technology – Security techniques – Non-repudiation – Part 1: General
• ISO/IEC 14516:2002 Information technology – Security techniques – Guidelines for the use and management of Trusted Third Party services
• ISO/IEC 14888-1:1998 Information technology – Security techniques – Digital signatures with appendix – Part 1: General
• ISO 15489-1:2001 Information and documentation – Records management – Part 1: General
• ISO 19011:2002 Guidelines for quality and/or environmental management systems auditing - please see ISO/IEC 27007 and ISO/IEC TR 27008 for more on the topic of ISMS audits.

Back to top

Non-ISO information security standards and methods

ACSI33

... is the Australian Government’s Information and Communications Technology Security Manual, the unclassified version of which is available on the web.

ANSI American National Standards Institute

ANSI publishes a range of technical security standards under the X.9 series e.g. ANSI X9.43 Key archiving and retrieval explains why cryptographic keys need to be archived and describes the archival and retrieval mechanisms.

AS/NZS 4360 Risk management

This Australia/New Zealand standard defines a risk management process which involves:

• Establishing the context;
• Identification, analysis, evaluation, treatment, monitoring and review of the risks; and
• Consultation and communication with stakeholders.

BSI = British Standards Institute

BS 7799, of course, was the progenitor - the granddaddy of the ISO/IEC 27000 family.  The code of practice for information security management now known as ISO/IEC 27002 was originally published as a DTI guide and became BS 7799 in 1995.  When the accompanying certification standard that later became ISO/IEC 27001 was released as BS 7799 part 2 in 1999, the original standard was renamed BS 7799 part 1. 

Although BS 7799 parts 1 and 2 have both been withdrawn and replaced by ISO/IEC standards, BS 7799 part 3 Information security management systems - guidelines for information security risk management is technically still current.  It was published in 2006 and costs ~£70 from BSI.  Now that ISO/IEC 27005 has been released, BS 7799 looks set to fade into the history books for good.  Long live BS 7799!

BS 10008:2008 Evidential weight and legal admissibility of electronic information. Specification specifies requirements electronic information management systems and the electronic transfer of information between computers.  It addresses data authenticity, integrity and availability issues including identity verification through electronic signatures and electronic copyright.

BS 25999 part 1, a Code of Practice for Business Continuity Management, establishes the process, principles and terminology of Business Continuity Management plus a comprehensive set of best practice BCM controls covering the whole BCM lifecycle. It is based on PAS56 and was published in 2006.  Price ~£90 from BSI. 

BS 25999 part 2, the Specification for Business Continuity Management, is now available for £90 from BSI.  [By the way, the '999' part of BS 25999 is equivalent to '911' in the 'States or '111' in New Zealand, in other words it’s the emergency services phone number.]

The ITIL standard BS 15000 has now become ISO/IEC 20000.

BSI = Bundesamt fur Sicherheit in der Informationstechnik

The German federal office for information security publishes some of its publications in English, and is well known for its IT-Grundschutz [IT baseline protection] manual, originally released in 1994.  The manual describes an ISMS comprising a governance structure and suite of information security controls ranging from technological, organizational and  sociological to infrastructural (physical) in nature.  It has now been divided to separate the methods (which are gradually being aligned with ISO27k) from the huge catalogue of threats and controls (which is like an extreme version of ISO/IEC 27002).  While in various places it claims to be based on ISO27k, IT-Grundshutz has in reality been adapted slightly to reflect some aspects of ISO27k.  There are some oddities as a consequence of shoehorning the German standards into the ISO27k mold, for instance noting that it uses the term “IT security” instead of “information security” because it is equivalent but shorter - in fact, these are subtly different concepts.  The main difference is that IT-Grundshutz recommends the adoption of a standardized de facto security baseline as a starting point rather than ISO27k’s pure de novo risk-based approach.  Neither is necessarily right or wrong - there are pros and cons to each approach.

BSI Standard 100-1 Information Security Management Systems (ISMS) is a 38-page overview of the IT-Grundshutz approach to developing and implementing an ISMS, not dissimilar to ISO/IEC 27000’s introduction to ISO27k.

BSI Standard 100-2 IT-Grundschutz Methodology is 93 pages long and loosely equivalent to ISO/IEC 27001, in the sense that it is basically about governance of information security within the organization using an ISMS.  It explains how to develop and operate an ISMS, for example how to establish an information security management body, develop an information security policy, select appropriate information security controls etc.  It uses worked examples based on a fictitious government agency to demonstrate certain aspects of the approach.  It makes little if any reference to PDCA, and runs out of steam  at the ISMS implementation stage (neglecting ISMS maintenance, audits/management reviews, risk/control updates etc.).

BSI Standard 100-3 Risk Analysis Based on IT-Grundschutz is 23 pages long and vaguely resembles ISO/IEC 27005.  In contrast to ISO27k, the IT-Grundschutz baseline approach uses the catalogues to specify security controls for ‘normal’ systems that are assumed to have ‘normal’ risks, using risk analysis only to identify additional risk and control requirements for ‘high’ or ‘very high’ systems (which, in military and government organizations, presumably equate to unclassified, secret and top secret systems, respectively).

BSI Standard 100-4 Business Continuity Management is 128 pages long.  It explains how to establish and maintain a BCM system, based on IT-Grundschutz.  It incorporates a useful summary of several other BCM standards and, like most of them, it is purely concerned with preparing for activities that will be necessary in the event of a crisis or disaster affecting critical business operations and/or the supporting IT systems and networks, rather than attempting to avoid or avert such crises and disasters (for example through resilience, redundancy, high-availability systems etc.).

BSI IS audit guideline [unnumbered]  Information Security Audit (IS Audit) - a guideline for IS audits based on IT-Grundschutz is primarily aimed at IS auditors working for German federal agencies.  It is, however, a solid and well-written description of the performance of typical IS audits in 38 pages, although rather light on the strategic planning of a portfolio of IS audits (e.g. IS audits are normally conducted by IT auditors, who often audit various aspects of information security in the course of other audits, or by certification auditors, who have to follow strict processes laid down by the certification bodies).

IT-Grundschutz Catalogues, updated annually in German but slightly out-of-date versions have been released in English too.  Contains over 4,000 pages (!) of excruciatingly detailed advice on information security threats, controls etc., and hence are roughly the same as ISO/IEC 27002 but much more specific (e.g. recommending WEP for WiFi security!).  “One of the most important objectives of IT-Grundschutz is to reduce the expense of the information security process by offering reusable bundles of familiar procedures to improve information security.  In this manner, the IT-Grundschutz Catalogues contain standard threats and security safeguards for typical business processes and IT systems which can be used in your organisation, if necessary.  Through appropriate application of the standard technical, organisational, personnel, and infrastructural security safeguards recommended for IT-Grundschutz, a security level is reached for the business processes being analysed that is appropriate and adequate to protect business-related information having normal protection requirements. Furthermore, the safeguards in the IT-Grundschutz Catalogues not only form a basis for IT systems and applications requiring a high level of protection, but also provide an even higher level of security in many areas.”  The idea is basically for users to thumb through the catalogue and select standard controls for the situations they face, forming the baseline onto which additional security controls may then be added where necessary.

If you are clever enough to understand German (if not Swedish and Estonian!), there are several more IT/information security publications on the BSI site.

COBIT Control OBjectives in IT

COBIT  from ISACA (formerly known as the IS Audit and Control Association and still known as a professional body representing IT auditors) has matured over the past decade from quite modest beginnings as a guide for computer auditors on best practice IT management controls into a comprehensive model or tool to guide the implementation of sound IT governance processes/systems.

The current incarnation, COBIT v4, is described by ISACA as “an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations ... [It] emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.”

GAISP Generally Accepted Information Security Practices

GAISP developed from and consolidated earlier works such as GASSP Generally Accepted System Security Practices. It was at one time being reworked by ISSA (the Information Systems Security Association), although the project has floundered despite the good intentions of a number of well-meaning volunteers, having been largely overtaken by events such as the release of ISO/IEC 27002.

GAIT (Guide to the Assessment of IT risk)

GAIT is the Institute of Internal Auditors’ top-down method/guidance to identify key IT risks (such as SOX-relevant IT-related risks that could materially impact the financial statements, and those covered by PCI-DSS, HIPAA etc.) and assess the associated IT controls within the organization.  It is only available to IIA members  :-(

IEEE Institute of Electrical and Electronic Engineers

The IEEE’s Security in Storage Working Group (SISWG) drafted IEEE 1619, a standard for the use of shared storage (hard disk) encryption.  IEEE P1363:2000 contains Standard Specifications for Public-Key Cryptography.

ISF Information Security Forum

The Information Security Forum (ISF) was  originally the European Security Forum (ESF) before it broadened its horizons.  Its Standard of Good Practice for Information Security has long been well regarded as a broadly-scoped pragmatic standard for information security.  It is available free of charge as a PDF from the ISF website and provides a useful crosscheck on the coverage and content of security policies and procedures written to follow ISO/IEC 27002 or other standards.

The latest version of the ISF standard was released in October 2007.

ISM³ Information Security Management Maturity Model

ISM³ (ISM-cubed) is an evolving method that applies ISO 9000-style quality management and ‘capability maturity model’ concepts to information security management.  ISM³ combines elements of ISO27k, COBIT, ITIL, CRAMM and other approaches.  ISM³ is still in development but is already being used to support ISO27k implementations and at least one ISO/IEC 27001 certification.

ITU International Telecommunications Union

The ITU Telecommunication Standardization Sector (ITU-T), formerly known as the CCITT, is the part of the ITU which publishes X-series standards specifically intended for the telecomms industry.  [We are awaiting news of the publication of X.1051, the ITU’s guidance for implementing ISO/IEC 27002 in the telecomms industry ... watch this space.]

NFPA National Fire Protection Association

NFPA 1600, the Standard on Disaster/Emergency Management and Business Continuity Programs, advises on disaster management structures/governance.

NIST standards

See below - they are so good and so numerous, they get their own section!

OECD Organization for Economic and Cultural Development

The OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (2002) presented some useful high level principles for information security (which are quoted in the current draft of ISO/IEC 27000).

OECD Guidelines for Cryptography Policy (1997) focused on cryptography, strangely enough.

PAS 56

PAS56 (Publicly Accessible Specification 56) was a Guide to Business Continuity Management produced jointly by the British Standards Institute (BSI) and Business Continuity Institute (BCI) in March 2003.  It was superseded by BS 25999 part 1 and withdrawn.  [Before you ask, we have no idea what became of PAS 1 through 55, nor 57 through 76.  Try Google.]

PAS 77

PAS77 (Publicly Accessible Specification 77) is a generic framework and guideline on IT Service Continuity Management, developed by the BSI in partnership with Adam Continuity, Dell Corporation, Unisys and SunGard.  Contents: Scope; Terms and definitions; Abbreviations; IT service continuity management; IT service continuity strategy; Understanding risks and impacts within your organization; Conducting business critically and risk assessments; IT service continuity plan; Rehearsing an IT service continuity plan; Solutions architecture and design consideration; Buying continuity services. Price ~£49 from BSI.

PCI DSS Payment Card Industry Data Security Standard

American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International collaborated on PCI DSS through the PCI Security Standards Council.  The standard imposes specific information security control requirements on merchants and banks handling card data.  Structured compliance activities, including routine independent security assessments by accredited PCI experts, are intended to enforce the standards and protect the whole credit card industry.

PCI DSS version 1.2 came into effect on October 1^st 2008.

RFCs Requests For Comment

Many RFCs are a throwback to the early days of the Internet when proposals for new protocols etc. were circulated to the relatively small Internet user community for comments and input.  The RFC mechanism remains and is still used although a wealth of standards bodies now dominate Internet and Web development.

RFC 1281 Guidelines for the Secure Operation of the Internet (1991), for example, may be of historical interest and embodies security principles that many would argue remain valid today but it’s hardly cutting-edge.

Nevertheless, many current Internet security-related protocols (such as S/MIME and MD5) were first defined as RFCs.  Indeed, the TCP/IP family was conceived as RFCs and some fundamental security issues in the original architecture plague us to this day.

SAA/SNZ HB 231 Information Security Risk Management Guidelines

The handbook provides guidance on an information security risk management process suitable for a wide range of organizations.

SAA/SNZ HB 240 Guidelines for managing risk in outsourcing utilizing the AS/NZS 4360 process

Specific guidance for managing the risks associated with outsourcing, using the risk management model from AS/NZS 4360.  Includes case studies and a checklist.

SEI Software Engineering Institute

OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) from Carnegie Mellon University’s Software Engineering Institute defines a systematic, context-driven information security risk evaluation process. Through a self-directed three-phase approach, risk assessors come to understand the risks and make informed risk management decisions. OCTAVE examines organizational and technical issues, building up a comprehensive picture of the organization’s information security requirements.

Singapore Standards

SS507:2004 covered Business Continuity/Disaster Recovery (BC/DR) Service Providers.  It “provides a basis to certify and differentiate the BC/DR service providers, helps the end-user organisations in selecting the best-fit service providers and provides quality assurance. Also establishes industry best practices to mitigate outsourcing risks.”  It was withdrawn in February 2008, presumably being replaced by ISO 25999?

STIGs Security Technical Implementation Guides

NIST, NSA and DISA/DoD have jointly developed several STIGs and related documents.  These form an excellent basis for corporate technical security standards and are highly recommended.

A compilation of STIGs plus the associated checklists and scripts is now available as a downloadable ISO CD image (261 Mb!) covering: Active Directory, application security, biometrics, database security, desktop applications, DNS, DSN (Defense Switched Network), enclave security, network infrastructure, Secure Remote Computing (SRC), Sharing Peripherals Across the Network (SPAN), UNIX & Linux & various flavours of Windows, VoIP, Web server and wireless networking.

TickIT

TickIT is a software Quality Assurance (QA) framework built upon the foundations of ISO 9001 and ISO 12207.  [QA is extremely relevant to software security: software must meet confidentiality, integrity and availability requirements (which means being free of bugs that create security vulnerabilities) and deliver necessary security operations and audit functionality (such as event logging and analysis, and access rights management) in order to be ‘fit for purpose’.  The patching treadmill clearly demonstrates that even well designed, developed and tested mass-market commercial software often fails to meet perfectly reasonable quality objectives  :-( ]

Back to top

NIST Special Publications

The US National Institute of Standards and Technology (NIST) is renowned for producing a wide range of well-written, clear and comprehensive technical standards and (unlike the ISO27k standards) they are available to all free of charge.  The standards are primarily intended for US Government, military and commercial use but are well worth the trouble of downloading and adopting or considering in other contexts.  If you want to know the professional way to ‘do’ information security, check the NIST Special Publications.

Below is a selection of some of NIST’s universally excellent SP 800-series standards that are relevant to information security management in general (please note: there are many more NIST SP 800 standards - see NIST’s roadmap for the overview or their website for the full nine yards including numerous cryptographic, identification & authentication, and technical security standards not listed here):

• SP 800-12 (Oct 1995) An Introduction to Computer Security: The NIST Handbook may be getting a bit long-in-the-tooth but serves as a general introduction to, for example, security policies and procedures.  At 290 pages, this is no lightweight overview (like most NIST Special Publications).
• SP 800-18 (Feb 2006) Guide for Developing Security Plans for Information Technology Systems guides the design and documentation of  IT security controls.
• SP 800-27 (June 2004) Engineering Principles for Information Technology Security (A Baseline for Achieving Security).
• SP 800-28 (Oct 2001) Guidelines on Active Content and Mobile Code.
• SP 800-30 (July 2002) Risk Management Guide for Information Technology Systems guides the assessment and control of IT risks.
• SP 800-34 (June 2002) Contingency Planning Guide for Information Technology Systems.
• SP 800-35 (Oct 2003) Guide to Information Technology Security Services.
• SP 800-36 (Oct 2003) Guide to Selecting Information Security Products.
• SP 800-37 (May 2004) Guide for the Security Certification and Accreditation of Federal Information Systems provides guidance on security certification, accreditation and authorization of information systems.
• SP 800-39 (2^nd DRAFT Apr 2008) Managing Risk from Information Systems - An Organizational Perspective.  This is the flagship document in the series of FISMA-related security standards and guidelines developed by NIST. The second public draft contains substantial improvements.
• SP 800-40 (Nov 2005) Creating a Patch and Vulnerability Management Program.
• SP 800-44 v2 (Sep 2007) Guidelines on Securing Public Web Servers.
• SP 800-45 v2 (Jun 2007) Guidelines on Electronic Mail Security.
• SP 800-46 (Aug 2002) Security for Telecommuting and Broadband Communications.
• SP 800-47 (Aug 2002) Security Guide for Interconnecting Information Technology Systems.
• SP 800-48 (Nov 2002) Wireless Network Security: 802.11, Bluetooth, and Handheld Devices.
• SP 800-50 (Oct 2003) Building an Information Technology Security Awareness and Training Program is recommended reading for anyone planning a professional approach to security awareness, training and education activities.
• SP 800-53 v3 (July 2009) Recommended Security Controls for Federal Information Systems, in effect another ISMS standard, contains a handy cross-reference table comparing its control coverage to that of standards such as ISO/IEC 27002, Government Audit Office Federal Information System Controls Audit Manual, Department of Defense Instruction 8500.2, Information Assurance Implementation and Director of Central Intelligence Directive (DCID) 6/3 Policy and Manual Protecting Sensitive Compartmented Information within Information Systems.  It explains the process of implementing and then building on a security baseline.  SP 800-53A (Jun 2008), the accompanying Guide for Assessing the Security Controls in Federal Information Systems, is now available.
• SP 800-55 (Rev 1, July 2008) Performance Measurement Guide for Information Security. “This document is a guide to assist in the development, selection, and implementation of measures be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting information security programs.”  See also SP 800-80 (info and link below).
• SP 800-58 (Jan 2005) Security Considerations for Voice Over IP Systems.
• SP 800-60 plus appendices (rev 1 Aug 2008) Guide for Mapping Types of Information and Information Systems to Security Categories guides the categorization of computer systems and data.
• SP 800-61 (Jan 2004) Computer Security Incident Handling Guide.
• SP 800-63 (Apr 2006) Electronic Authentication Guideline.
• SP 800-64 (v2 2008) Security Considerations in the Information System Development Life Cycle.  “The most effective way to protect information and information systems is to integrate security into every step of the system development process, from the initiation of a project to develop a system to its disposition ...”  Right on NIST!
• SP 800-65 (Jan 2005) Integrating Security into the Capital Planning and Investment Control Process.
• SP 800-66 (Mar 2005) An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
• SP 800-68 (Oct 2005) Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
• SP 800-70 (DRAFT rev 1 Sept 2008) National Checklist Program for IT Products--Guidelines for Checklist Users and Developers comprises a set of technical security baselines for a variety of operating system platforms (Windows, AIX, Solaris, HP-UX, Redhat Linux etc.).
• SP 800-72 (Nov 2004) Guidelines on PDA forensics.
• SP 800-82 (DRAFT 2008) Guide to Industrial Control Systems (ICS) Security.  Guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability and safety requirements.
• SP 800-83 (Nov 2005) Guide to Malware Incident Prevention and Handling.
• SP 800-88 (Sep 2006) Guidelines for Media Sanitization. Vital information if you have unsanitary computer media covered in nasty viruses ... or murky secrets.
• SP 800-92 (Sep 2006) Guide to Computer Security Log Management.
• SP 800-95 (Aug 2007) Guide to Secure Web Services.
• SP 800-97 (Feb 2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i.
• SP 800-100 (Oct 2006) Information Security Handbook: a Guide for Managers.
• SP 800-101 (May 2007) Guidelines on Cell Phone Forensics.
• SP 800-115 (Oct 2008) Technical Guide to Information Security Testing helps with the planning and execution of technical information security tests, analyzing findings and developing mitigation strategies. Provides practical recommendations for designing, implementing and maintaining test processes. Overviews key elements of security testing with an emphasis on technical testing techniques, the benefits and limitations of each technique, and recommendations for their use.
• SP800-123 (July 2008) Guide to General Server Security lays out a set of generic principles that can readily be converted to corporate policy statements in, say, a server hardening policy, and supported by a suite of platform-specific server hardening standards and procedures (see also SP 800-70 and the CIsecurity.org site).

Like ISO and BSI, NIST has published various other security-related standards over the years in addition to those in the SP 800 series, including Federal Information Processing Standards (FIPS) Publication  standards such as:

• FIPS 199 (Feb 2004) Standards for Security Categorization of Federal Information and Information Systems.
• FIPS 200 (Mar 2006) Minimum Security Requirements for Federal Information and Information Systems.
• FIPS 201 (June 2006) Personal Identity Verification for Federal Employees and Contractors.

Finally, NIST identifies aspects of information security that deserve further research and perhaps standardization in its NISTIRs (Interagency/Internal Reports), including:

• NISTIR 7564 (Aug 2009) Directions in Security Metrics Research covers a wide brief, drawing on metrication practices from other fields and with six pages of references to deepen your knowledge still further.
• NISTIR 7621 (Aug 2009) Small Business Information Security - The Fundamentals is an admirable but arguably misguided attempt to provide generic guidance on basic information security controls for small organizations.  [The trouble is that many organizations are substantially different and some are unique in terms of their information security risks and hence control requirements.   ISO27k deals with this issue by insisting that all organizations first identify their information security risks before selecting and then implementing the controls.  However, the costs involved in ISO27k’s comprehensive approach undoubtedly deters some small businesses.]

Back to top