Establishing information security governance following ISO/IEC 27001 is an important first step. But how do you implement real security?
I’ve started to collect guidelines and standards that can help lift your security level.
Standard | Reference/Provider | Description | License |
---|---|---|---|
Security in .NET | Microsoft | ||
IT Grundschutz Kataloge | BSI Germany | Very detailed technical controls (over 4000 pages). E.g. – block B 5.27 software development | free |
OWASP Testing Guide | The OWASP Foundation | Very detailed test guideline addressing all stages of the SDLC | |
OWASP Top 10 - 2017 | The OWASP Foundation | Secure web development, top 10 security risks. | |
ArchiMate | The Open Group | A visual language to support TOGAF | |
COBIT | ISACA | ||
Cyber essentials | UK National Cyber Security Centre (NCSC) | Very basic controls for each business (internet, devices, data, malware, ...) | |
FEDRAMP | FedRAMP | standardized approach to security for the cloud | |
HIPAA Cyber Security Guidance | HHS.gov | national standards to protect individuals’ electronic personal health information | |
ISF | Information Security Forum | Business-oriented focus on current and emerging information security topics, including enhanced coverage of: Agile system development, alignment of information risk with operational risk, collaboration platforms, Industrial Control Systems (ICS), information privacy, threat intelligence, supplier assessments, ... | very comprehensive, but not free |
ISO 22301 | |||
ISO/IEC 20000 series | |||
ISO/IEC 27000 series and BS 17799 | | Standards to implement an ISMS and security governance | Commercial |
ISO/IEC/IEEE 42010 | | Systems and software engineering — Architecture description: an international standard for architecture descriptions of systems and software. | |
ISPG Practice Guides | Government Chief Information Officer of Hong Kong | Guides on risk assessments, incident handling, mobile security, cloud computing, office network printers | |
ITIL | | Best practices in IT service management (ITSM) | |
KritisV | BSI Germany | ||
NIS Directive | EU | ||
NIST SP 800 family | NIST | Management framework on information security and guidelines. e.g. NIST SP 800-160 Systems Security Engineering | |
O-TTPS | The Open Group | Open Trusted Technology Provider™ Standard (O-TTPS): Secure development and changes | Free after registration with TOG |
PCI DSS | PCI Security Standards Council | Standards and supporting materials to enhance payment card data security | |
SANS | SANS | Information Security Policy Templates for network, server and web application security. Includes OWASP risk rating. | |
SCADA Security | Digital Guardian | Collection of papers about SCADA security | |
TOGAF® Standard | The Open Group | Implement secure business and systems architecture | Commercial, 90 day trial available |
SSAE 18 | |||
SysTrust | |||
VISP / VICP | Veracode | Veracode Information Security Policy (VISP) and Veracode Information Confidentiality Policy (VICP) | |
TickITPlus | GASQ - Global Association for Software Quality AISBL | Standard for software providers. | |
Note: For risk assessment methods and tools, I’ve created a separate page: https://blog.mbwiki.de/risk-assessment-tools/
The following sites also provide overviews: