The good news for IT security professionals is that there are a number of IT security standards that they can use as a guideline when developing or implementing IT projects. Remember that these standards are well thought out, proven practices that can help you meet the information security goals of your organization. Only the popular and globally recognized IT security standards are presented in this post.
- BITS Financial Services Roundtable (www.bits.org/FISAP/index.php): this is a security assessment questionnaire and review process developed using ISO/IEC 27002 as its baseline. It also includes information on the overlaps between ISO/IEC 27002, PCI DSS 1.1 and COBIT, which is useful when you have to satisfy more than one of them at once.
- Common Criteria (www.commoncriteriaportal.org/thecc.html): this does not prescribe controls for your organization. Instead, it gives you a common set of criteria for evaluating the security functionality and assurance of IT products (hardware, software and firmware), so that an evaluation performed in one country is recognized in others. These criteria have also been published as ISO/IEC 15408.
- ISO/IEC 27001:2013: this specifies the requirements for an information security management system (ISMS). It consists of ten short clauses and a long annex (Annex A) listing the control objectives and controls. If your organization implements these requirements, you can apply for certification with an accredited certification body; certification itself involves a formal audit of your ISMS by that body, so be prepared for that before you apply. Note that the 2013 editions of ISO/IEC 27001 and 27002 have since been revised (the current editions are from 2022), so check which edition your certification body is auditing against.
- NIST Special Publication (SP) 800 series: this is a series of computer security publications from the US National Institute of Standards and Technology that presents guidelines and research outcomes on computer security, developed with input from academia, industry and government. Frequently referenced examples are SP 800-53 (security and privacy controls for information systems) and SP 800-171 (protecting controlled unclassified information in non-federal systems).
- ISO/IEC 27002:2013: this is an information security standard that ISO derived from BS 7799 (the British standard for information security). It is a code of practice that describes the generally accepted controls for information security and gives implementation guidance for each of them, which is helpful both for those who implement information systems and for those who manage them. It is the natural companion to ISO/IEC 27001, whose Annex A controls it elaborates on.
- COBIT 5: this stands for Control Objectives for Information and Related Technology and was developed by ISACA for IT governance and management. One of the important parts of COBIT is that it provides a set of controls to mitigate IT risk. To complement COBIT, you can use the Risk IT framework, also developed by ISACA, in order to manage all types of risk related to the use of IT.
Note: If you want to learn about ISO standards in plain English, the following link explains a list of useful information security management standards: http://praxiom.com/#ISO_IEC_27001_2005_LIBRARY_
Those who want to explore more specific ISO standards for information security can have a look at the ISO/IEC 27000 series, which is a family of information security management standards. Even if you do not want to spend money on ISO certification or any other accreditation, you can still follow these standards in order to enhance the overall security of your IT and related assets.