Cyber Security Standards
A high level description with references
--
Note: First off, this is intrinsically connected to Information Security Management System Compliance, a topic I discussed before, here.
Note 2: meanings of the standards organizations' names/acronyms:
ISO (which is NOT an acronym) means, in English: "International Organization for Standardization"
[fun fact: ISO is derived from the Greek word isos (ίσος, meaning "equal")]
IEC means "International Electrotechnical Commission" (not "Community").
./standards
First, what are Cybersecurity standards?
A cyber security standard defines both functional and assurance requirements within a product, system, process, or technology environment. Well-developed cyber security standards enable consistency among product developers and serve as a reliable metric for purchasing security products.
And, from itgovernanceusa:
Cybersecurity standards are collections of best practice, created by experts to protect organizations from cyber threats. Cybersecurity standards and frameworks are generally applicable to all organizations, regardless of their size, industry or sector.
You can see how broad that description is; that is because standards might exist for any activity that has established practices. So, looking from the perspective of our previous subject, GRC (Governance, Risk and Compliance), we can infer that there are best practices (standards) for each of these cybersecurity pillars, and all of them require compliance.
Generic examples for each:
Governance: ISO — ISO/IEC 27014:2013 — Information technology — Security techniques — Governance of information security (since superseded by ISO/IEC 27014:2020)
Risk: ISO — ISO 31000:2018 — Risk management — Guidelines
./scope
The next thing to understand is the relevance of standards to your business or customer. Knowing that there could be hundreds or thousands of standards to follow, does that mean you have to adhere to all of them?
Of course not. There may be geographic, industry or even business reasons to adopt standard X or Y; it all depends on the situation. For example, PCI DSS matters if you store or process payment card data, while HIPAA applies to healthcare organizations in the United States.