Cybersecurity Standards overview


Cybersecurity is an issue so important that no one in the world – except for pioneers with well-equipped laboratories at their disposal and mastery at using them – implements solutions by trial and error. All technologies, processes and roles are (or at least should be) tested – whether during so-called “war games” or during organizational IT audits. Roles in IT security carry high responsibility, so the use of standardized best practices is common. After all, it’s about defending your organization’s critical assets.

Standards make it possible to define a set of required recommendations and assumptions to achieve the desired state in a given area. They act as correctness criteria – of a process, technology or method. Standardization, industry, international or state organizations are responsible for their determination.

Below, we present the key organizations that publish cybersecurity standards. We see their traces in working with our clients – in the results or criteria of audits, security policies, software portfolio in the field of IT security or rules configured in this software.

International standards:

Regional – EU:

Regional – UK:

Industrial:

Below, we will briefly discuss the most important of the above and their scope:

International standards – ISO:

ISO / IEC TS 27100: 2020, Information technology – Cybersecurity

Published by: ISO
This document provides a general cybersecurity overview. It:
a) describes cybersecurity and the relevant concepts, including how it is related to and differs from information security;
b) establishes the cybersecurity context;
c) does not cover all terms and definitions applicable to cybersecurity; and
d) does not limit other standards in defining new concepts related to cybersecurity.

The standard is applicable to all types and sizes of organizations (e.g. commercial companies, government agencies, non-profit organizations).

ISO / IEC 27102: 2019, Information security management – Guidelines for cyber-insurance

The document provides guidance on considering the purchase of cyber-insurance as a risk management option to manage the consequences of a cyber incident as part of an organization’s information security risk management.

This document provides guidance on:

a) considering the purchase of cyber-insurance as a risk treatment option to share cyber risk;
b) using cyber-insurance to help manage the consequences of a cyber incident;
c) sharing data and information between the insured and the insurer in order to support underwriting, monitoring and claims activities related to the cyber-insurance policy;
d) the use of the information security management system when making relevant data and information available to the insurer.

This document is applicable to organizations of all types, sizes and nature, to assist with planning and purchasing cyber-insurance.

ISO / IEC TR 27103: 2018, Information technology – Security techniques – Cybersecurity and ISO and IEC standards

Provides guidance on the practical use of existing cybersecurity standards.

ISO / IEC 27032: 2012, Information technology – Security techniques – Guidelines for cybersecurity

Provides guidance on how to improve cybersecurity, highlighting the unique aspects of this activity and its dependence on other security domains. Covers essential security practices for stakeholders in cyberspace. This International Standard provides:

a) an overview of cybersecurity,
b) clarification of the relationship between cybersecurity and other types of security,
c) a definition of stakeholders and a description of their roles in cybersecurity,
d) guidelines for resolving common cybersecurity problems, and
e) a framework for stakeholders to collaborate on resolving cybersecurity issues.

ISO/IEC TS 27110:2021, Information technology, cybersecurity and privacy protection — Cybersecurity framework development guidelines

This technical specification provides guidance on the development of a cybersecurity framework. It applies to cybersecurity framework developers regardless of their organization, type, size or nature.

ISO / IEC TR 27109, Information technology – Information security, cybersecurity and privacy protection – Cybersecurity education and training

This document provides up-to-date information on cybersecurity education and training, useful to those involved in cybersecurity such as users, suppliers, certifiers, policymakers and regulators, educators, consumers, and manufacturers.

ISO / IEC DIS 27400 Cybersecurity – IoT security and privacy – Guidelines

This document provides guidance on policies, (information) risks, and the appropriate information security and privacy controls to mitigate these risks in the IoT.

Regional – ENISA:

ENISA Cybersecurity for SMEs – challenges and recommendations

In response to the COVID-19 pandemic, ENISA analyzed the ability of small and medium-sized enterprises (SMEs) in the EU to deal with the cybersecurity challenges posed by the pandemic and identified good practices to meet these challenges. The report provides cybersecurity advice for SMEs, as well as proposals for actions that Member States should consider to help SMEs improve their cybersecurity posture.

National:

NIST Cybersecurity Framework (CSF)

The NIST Framework for Improving Critical Infrastructure Cybersecurity is a set of guidelines for mitigating an organization’s cybersecurity risk, based on existing standards, guidelines and practices. The framework provides a high-level taxonomy of cybersecurity outcomes and a methodology for assessing and managing those outcomes. The framework is voluntary, but many organizations treat it as one of the mandatory standards to be met.

NCSC Cyber Assessment Framework

The Cyber Assessment Framework (CAF) provides a systematic and comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the organization responsible for them. It is intended for use by the organization itself (self-assessment) or by an independent third party, possibly a regulatory body. The NCSC’s Cyber Security and Resilience Principles form the basis of the CAF. The 14 principles are written in terms of outcomes, i.e. a specification of what needs to be achieved rather than a checklist of what needs to be done. The CAF adds further levels of detail to the top-level principles, including a structured set of Indicators of Good Practice (IGPs).

Industrial:

PCI DSS 2.0

PCI DSS 2.0 (Payment Card Industry Data Security Standard Version 2.0) is the second version of the Payment Card Industry Data Security Standard (PCI DSS). According to the Payment Card Industry (PCI) Security Standards Council, version 2.0 does not introduce any major changes to the 12 requirements. Minor linguistic corrections have been made to clarify the meaning of the requirements. Version 2.0 reinforces the need for accurate scoping prior to assessment and promotes more effective log management. It also extends the validation requirements for vulnerability assessment in a commercial environment. As a result, organizations can now use industry best practices to prioritize vulnerabilities.

ISACA IT Risk Framework

The Risk IT Framework offers guidelines and practices that optimize risk, opportunities, security and business value, and help build consensus on IT risk-related decisions at all levels of the enterprise. The latest version of the framework emphasizes cybersecurity and is aligned with the latest version of COBIT. The Risk IT Framework offers a structured, systematic methodology to help enterprises:

• Identify current and emerging risks throughout the extended enterprise
• Develop appropriate operational capabilities to ensure that business processes continue to function in the event of adverse events
• Put I&T risk in a business context to understand aggregate exposure in terms of enterprise value

By way of summary…

Most importantly, it is up to the organization to decide which standards to implement. There are many selection parameters, but the key ones are:

I. The industry in which the company operates
II. Certifications / standards whose implementation is appreciated by their customers
III. The size of the enterprise
IV. Current infrastructure and associated risks
V. The organization’s risk appetite
VI. Cybersecurity budget available


Analyzing the above, we can prioritize not only the implementation of individual standards, but even part of their scope. It is not always necessary to implement the standard in its entirety – at the end of the day, what counts is the practical possibility of ensuring safety, not a framed certificate of compliance on the wall.


As specialists in the field of security implementations, we are happy to share knowledge about tools that support the security assurance described above – some of them map 1:1 onto the visibility and control mechanisms required by a given standard. Write to us and we will tell you more!
