Establishing information security governance following ISO/IEC 27001 is an important first step. But how to implement real security?
I’ve started to collect guidelines and standards that can help lifting your security level.
| Standard | Reference/Provider | Description | License |
|---|---|---|---|
| Security in .NET | Microsoft | ||
| IT Grundschutz Kataloge | BSI Germany | Very detailed technical controls (over 4000 pages). E.g. – block B 5.27 software development | free |
| OWASP Testing Guide | The OWASP Foundation | Very detailed test guideline addressing all stages of the SDLC | |
| OWASP Top 10 - 2017 | The OWASP Foundation | Secure web development, top 10 security risks. | |
| ArchiMate | The Open Group | A visual language to support TOGAF | |
| COBIT | ISACA | ||
| Cyber essentials | UK National Cyber Security Centre (NCSC) | Very basic controls for each business (internet, devices, data, malware, ...) | |
| FEDRAMP | FedRAMP | standardized approach to security for the cloud | |
| HIPAA Cyber Security Guidance | HHS.gov | national standards to protect individuals’ electronic personal health information | |
| ISF | Information Security Forum | business-orientated focus on current and emerging information security topics. This includes enhanced coverage of the following hot topics: Agile system development, alignment of information risk with operational risk, collaboration platforms, Industrial Control Systems (ICS), information privacy and threat Intelligence.supplier assessments, ... | very comprehensive, but not free |
| ISO 22301 | |||
| ISO/IEC 20000 series | |||
| ISO/IEC 27000 series and BS 17799 | Standards to implement ISMS and security governances | Commercial | |
| ISO/IEC/IEEE 42010 | ISO/IEC/IEEE 42010 Systems and software engineering — Architecture description is an international standard for architecture descriptions of systems and software. | ||
| ISPG Practice Guides | Government Chief Information Officer of Honkong | Guides on risk assessments, incident handling, mobile security, cloud computing, office network printers | |
| ITIL | best practices in IT service management (ITSM) | ||
| KritisV | BSI Germany | ||
| NIS Directive | EU | ||
| NIST SP 800 family | NIST | Management framework on information security and guidelines. e.g. NIST SP 800-160 Systems Security Engineering | |
| O-TTPS | The Open Group | Open Trusted Technology Provider™ Standard (O-TTPS): Secure development and changes | Free after registration with TOG |
| PCI DSS | PCI Security Standards Council | Standards and supporting materials to enhance payment card data security | |
| SANS | SANS | Information Security Policy Templates for network, server and web application security. Includes OWASP risk rating. | |
| SCADA Security | Digital Guardian | Collection of papers about SCADA security | |
| TOGAF® Standard | The Open Group | Implement secure business and systems architecture | Commercial, 90 day trial available |
| SSAE 18 | |||
| SysTrust | |||
| VISP / VICP | Veracode | Veracode Information Security Policy (VISP) and Veracode Information Confidentiality Policy (VICP) | |
| TickITPlus | GAGASQ SQ - Global Association for Software Quality AISBL | Standard for software providers. |
Note: For risk assessment methods and tools, I’ve created a separate page: https://blog.mbwiki.de/risk-assessment-tools/
Following sites provide also overviews: