Security Implementation Standards

Establishing information security governance following ISO/IEC 27001 is an important first step. But how do you go from governance to actual, implemented security controls?

I have started collecting guidelines and standards that can help raise your security level. Each entry below lists the standard, the organisation that publishes it, a short description and, where known, the licensing.

Security in .NET (Microsoft): Microsoft documentation on writing secure .NET applications.

IT Grundschutz Kataloge (BSI Germany): Very detailed technical controls (over 4000 pages), e.g. block B 5.27 software development. License: free.

OWASP Testing Guide (The OWASP Foundation): Very detailed test guideline addressing all stages of the SDLC. License: free.

OWASP Top 10 - 2017 (The OWASP Foundation): Secure web development, the ten most critical web application security risks. License: free.

ArchiMate (The Open Group): A visual modelling language to support TOGAF.

COBIT (ISACA): Framework for governance and management of enterprise IT.

Cyber Essentials (UK National Cyber Security Centre, NCSC): Very basic controls for every business (internet connection, devices, data, malware, ...).

FedRAMP (US FedRAMP programme): Standardized approach to security assessment and authorization for cloud services used by US federal agencies.

HIPAA Cyber Security Guidance (HHS.gov): National standards to protect individuals' electronic personal health information.

ISF Standard of Good Practice (Information Security Forum): Business-orientated focus on current and emerging information security topics, with enhanced coverage of Agile system development, alignment of information risk with operational risk, collaboration platforms, Industrial Control Systems (ICS), information privacy, threat intelligence, supplier assessments, ... License: very comprehensive, but not free.

ISO 22301, ISO/IEC 20000 series, ISO/IEC 27000 series and their predecessor BS 7799 / ISO/IEC 17799 (ISO/IEC, BSI UK): Standards to implement an ISMS and security governance (ISO/IEC 27000 series), IT service management (ISO/IEC 20000) and business continuity (ISO 22301). License: commercial.

ISO/IEC/IEEE 42010 (ISO/IEC/IEEE): Systems and software engineering - Architecture description, an international standard for architecture descriptions of systems and software. License: commercial.

ISPG Practice Guides (Government Chief Information Officer of Hong Kong): Guides on risk assessments, incident handling, mobile security, cloud computing, office network printers.

ITIL (AXELOS): Best practices in IT service management (ITSM).

KritisV (BSI Germany): Ordinance defining which installations count as critical infrastructure (KRITIS) under the German BSI Act.

NIS Directive (EU): Directive on the security of network and information systems.

NIST SP 800 family (NIST): Management framework on information security and detailed guidelines, e.g. NIST SP 800-160 Systems Security Engineering. License: free.

O-TTPS (The Open Group): Open Trusted Technology Provider Standard (O-TTPS), also published as ISO/IEC 20243: secure product development and supply chain integrity. License: free after registration with TOG.

PCI DSS (PCI Security Standards Council): Standards and supporting materials to enhance payment card data security. License: free.

SANS (SANS): Information security policy templates for network, server and web application security. Includes OWASP risk rating. License: free.

SCADA Security (Digital Guardian): Collection of papers about SCADA security.

TOGAF Standard (The Open Group): Implement secure business and systems architecture. License: commercial, 90-day trial available.

SSAE 18 (AICPA): Attestation standard for reporting on controls at service organisations (SOC reports).

SysTrust (AICPA/CICA): Assurance service on system reliability based on the Trust Services principles (security, availability, processing integrity, confidentiality, privacy).

VISP / VICP (Veracode): Veracode Information Security Policy (VISP) and Veracode Information Confidentiality Policy (VICP).

TickITplus (GASQ - Global Association for Software Quality AISBL): Standard for software providers.

Note: For risk assessment methods and tools, I’ve created a separate page: https://blog.mbwiki.de/risk-assessment-tools/

The following sites also provide overviews:
