Information security standards


Information security standards are techniques generally outlined in published materials that attempt to protect a user's or organization's cyber environment. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.
The principal objective is to reduce the risks, including preventing or mitigating cyber-attacks. These published materials comprise tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies.

History

Standards have existed over several decades as users and providers have collaborated in many domestic and international forums to effect the necessary capabilities, policies, and practices, generally emerging from work at the Stanford Consortium for Research on Information Security and Policy in the 1990s.
A 2016 US security framework adoption study reported that 70% of the surveyed organizations use the NIST Cybersecurity Framework as the most popular best practice for information technology security, but many note that it requires significant investment. Cross-border cyber-exfiltration operations by law enforcement agencies to counter international criminal activities on the dark web raise complex jurisdictional questions that remain, to some extent, unanswered. Tensions between domestic law enforcement efforts to conduct cross-border cyber-exfiltration operations and international jurisdiction will likely continue to drive the development of improved cybersecurity norms.

International Standards

The subsections below detail international standards related to cybersecurity.

ISO/IEC 27000 Family of Standards

The ISO/IEC 27000 series is a family of international standards jointly published by the International Organization for Standardization and the International Electrotechnical Commission. These standards provide a globally recognized framework for establishing, implementing, maintaining, and continually improving an Information Security Management System. The series is designed to help organizations of all sizes and industries protect their information assets systematically and cost-effectively.
At the center of the ISO/IEC 27000 series is ISO/IEC 27001, which specifies the requirements for establishing and maintaining an ISMS. The standard emphasizes a risk-based approach to managing information security, encouraging organizations to identify, assess, and mitigate risks specific to their operational environment. The ISO/IEC 27000 series is built upon the Plan-Do-Check-Act cycle, a methodology aimed at continuous improvement.
While ISO/IEC 27001 sets the baseline for ISMS requirements, other standards in the series provide complementary guidelines and sector-specific recommendations. Together, they form a comprehensive ecosystem that addresses everything from risk assessment and incident management to privacy controls and cloud security.
Supporting ISO/IEC 27001 is ISO/IEC 27002, which serves as a practical guide for implementing the controls outlined in ISO/IEC 27001. It provides detailed recommendations and best practices for managing information security risks across different domains, including human resource security, physical security, and network security.
For organizations focused on risk management, ISO/IEC 27005 offers a dedicated framework for identifying, assessing, and treating information security risks. It complements ISO/IEC 27001 by providing a methodology specifically tailored to managing information security vulnerabilities.
In recent years, cloud computing has introduced unique security challenges, and ISO/IEC 27017 was developed to address these concerns. This standard provides guidelines for implementing cloud-specific information security controls, ensuring secure use of cloud services by both cloud providers and customers. Alongside it, ISO/IEC 27018 focuses on protecting personally identifiable information in public cloud environments, helping organizations meet privacy regulations and maintain customer trust.
Additionally, ISO/IEC 27035 addresses incident management, offering guidance on how to effectively prepare for, detect, and respond to security incidents. It emphasizes structured incident response processes to minimize potential damage and ensure timely recovery.
With the rise of data privacy regulations such as the General Data Protection Regulation, ISO/IEC 27701 was introduced as an extension of ISO/IEC 27001 and ISO/IEC 27002. This standard provides guidelines for establishing and operating a Privacy Information Management System, aligning information security management with privacy and data protection requirements.

ISO/IEC 15408

The Common Criteria for Information Technology Security Evaluation is an international standard used to assess and certify the security properties of IT products and systems. It provides a globally recognized framework for defining security requirements, implementing protective measures, and evaluating whether these measures meet specified criteria.
ISO/IEC 15408 is divided into five parts:
  • Part 1: Introduction and General Model – Defines key concepts, principles, and the general evaluation framework.
  • Part 2: Security Functional Components – Provides a catalog of security functional requirements.
  • Part 3: Security Assurance Components – Specifies assurance levels, representing the depth and rigor of security evaluations.
  • Part 4: Framework for the specification of evaluation methods and activities – Details the methodology and framework for conducting security evaluations, including evaluator responsibilities and reporting requirements.
  • Part 5: Pre-defined Packages of Security Requirements – Offers reusable packages of security requirements, streamlining the evaluation process for common product types.
Certification under Common Criteria is facilitated by the Common Criteria Recognition Arrangement, ensuring mutual recognition of certifications among participating countries. This reduces duplication of effort and cost for vendors seeking global market access.
The EU has adopted the European Cybersecurity Certification Scheme, which is based on ISO/IEC 15408, to align with international standards while addressing regional requirements.

IEC 62443

The IEC 62443 cybersecurity standard defines processes, techniques and requirements for Industrial Automation and Control Systems. Its documents are the result of the IEC standards creation process where all national committees involved agree upon a common standard.
All IEC 62443 standards and technical reports are organized into six general categories: General, Policies and Procedures, System, Component, Profiles, and Evaluation.
  1. The first category includes foundational information such as concepts, models, and terminology.
  2. The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
  3. The third category includes work products that describe system design guidelines and requirements for the secure integration of control systems. The core of this is the zone, conduit, and design model.
  4. The fourth category includes work products that describe the specific product development and technical requirements of control system products.
  5. The fifth category provides profiles for industry-specific cybersecurity requirements according to IEC 62443-1-5.
  6. The sixth category defines assessment methodologies that ensure that assessment results are consistent and reproducible.

ISO/SAE 21434

ISO/SAE 21434 "Road vehicles - Cybersecurity engineering" is a cybersecurity standard jointly developed by ISO and SAE working groups. It proposes cybersecurity measures for the development lifecycle of road vehicles. The standard was published in August 2021.
The standard is related to the European Union regulation on cyber security that is currently being developed. In coordination with the EU, the UNECE has created a Cyber Security Management System certification mandatory for vehicle-type approval. This is defined in the overarching UN Regulation 155; ISO/SAE 21434 is a technical standard for automotive development which can demonstrate compliance with those regulations.
A derivative of this is in the work of UNECE WP29, which provides regulations for vehicle cybersecurity and software updates.

ETSI EN 303 645

The ETSI EN 303 645 standard provides a set of baseline requirements for security in consumer Internet of Things devices. It contains technical controls and organizational policies for developers and manufacturers of Internet-connected consumer devices. The standard was released in June 2020 and is intended to complement other, more specific standards. As many consumer IoT devices handle personally identifiable information, implementing the standard helps with compliance with the EU's General Data Protection Regulation.
The Cybersecurity provisions in this European standard are:
  1. No universal default passwords
  2. Implement a means to manage reports of vulnerabilities
  3. Keep software updated
  4. Securely store sensitive security parameters
  5. Communicate securely
  6. Minimize exposed attack surfaces
  7. Ensure software integrity
  8. Ensure that personal data is secure
  9. Make systems resilient to outages
  10. Examine system telemetry data
  11. Make it easy for users to delete user data
  12. Make installation and maintenance of devices easy
  13. Validate input data
Conformance assessment of these baseline requirements is via the standard TS 103 701, which allows self-certification or certification by another group.