Security Standards Overview

Complete Guide to Security Standards: Categories, Key Documents, Sources, and Certifications

Important:

  • Listing "absolutely all" standards is not feasible (thousands exist, including national, industry-specific, and specialized ones). The most critical and widely adopted standards are included.

  • Priority is given to fundamental and industry-specific standards.

  • Sources: Official purchase/download locations are provided. Many are paid (ISO, PCI SSC), some are free (NIST, OWASP). Unofficial copies may violate copyright.

  • Currency: Standards are constantly updated. Always verify the latest version.


Security Standards Categories (Descriptions)

  1. Information Security Management Systems (ISMS): Frameworks for building, implementing, maintaining, and improving an organization-wide information security management system.

  2. General Security Frameworks: Structured approaches to managing cyber risks and security, not always certifiable.

  3. Industry/Regulatory Standards: Mandatory or de facto mandatory standards for specific sectors (finance, healthcare, government) or legal compliance.

  4. Technical Security: Detailed specifications for protecting systems, networks, applications, and data.

  5. Cloud Security: Specialized standards for cloud computing.

  6. Application Security: Standards and guidelines for secure software development and testing.

  7. Identity and Access Management (IAM): Principles and technical standards for access control.

  8. Cryptographic Standards: Encryption algorithms and protocols.

  9. Physical Security and Personnel Security: Protecting physical assets and addressing human factors.

  10. Business Continuity and Disaster Recovery (BC/DR): Ensuring operations continue after incidents.

  11. Incident Management: Responding to security breaches.

  12. Internet of Things (IoT) Security: IoT-specific risks and protection measures.


Key Standards by Category (with Sources)

Priority 1: Most Fundamental and Widely Applicable

  1. ISMS:

    • ISO/IEC 27001: International standard for ISMS. Specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS; Annex A lists the reference controls. (Certifiable; current edition ISO/IEC 27001:2022.)

    • ISO/IEC 27002: Practical guidelines for security controls. Details implementation measures.

      • Source: Paid (same as ISO 27001).

  2. General Security Frameworks:

    • NIST Cybersecurity Framework (CSF) v1.1 / v2.0 (2024): Voluntary framework (US) for managing cyber risks. v1.1 defines five functions (Identify, Protect, Detect, Respond, Recover); v2.0 adds Govern as a sixth function and broadens the intended audience beyond critical infrastructure. Globally adopted.

    • NIST SP 800-53 Rev. 5: Catalog of security and privacy controls. Highly detailed; used in US government and commercial sectors.

    • COBIT (Control Objectives for Information and Related Technologies): IT governance and security framework focusing on management and audit (by ISACA).

Priority 2: Critical Industry/Regulatory Standards

  1. Industry/Regulatory:

    • PCI DSS v4.0 / v4.0.1 (Payment Card Industry Data Security Standard): Mandatory for all entities storing, processing, or transmitting cardholder data. Rigorous technical/organizational requirements. v4.0.1 (2024) is the current version; v4.0 was retired at the end of 2024.

    • HIPAA Security Rule: Legislative requirement (US) for protecting electronic protected health information (ePHI). De facto standard for healthcare entities and their business associates.

    • SOC 2 (Service Organization Control 2): Attestation report (based on the AICPA Trust Services Criteria) covering security, availability, processing integrity, confidentiality, and privacy for service providers (especially cloud). Not a certification: the output is an auditor's report (Type I or Type II).

    • GDPR (General Data Protection Regulation): EU regulation for personal data protection. Often implemented using ISO 27001, NIST CSF, or ISO 27701.

    • FSTEC Russia (Orders): Mandatory requirements for information protection in Russia (e.g., Order #17 for state information systems, #21 for personal data systems, #31 for industrial control systems, #239 for critical information infrastructure).

Priority 3: Technical and Specialized Standards

  1. Technical Security:

    • ISO/IEC 27033 (Parts 1-7): Network security. Details ISO 27002 controls.

      • Source: Paid.

    • ISO/IEC 27040: Storage security.

      • Source: Paid.

    • NIST SP 800-171 Rev. 3: Protecting Controlled Unclassified Information (CUI) in non-federal systems (US). Critical for US government contractors.

    • NIST FIPS 140-3: Security requirements for cryptographic modules (hardware/software).

  2. Cloud Security:

    • ISO/IEC 27017: Security controls for cloud services (supplements ISO 27002).

      • Source: Paid.

    • ISO/IEC 27018: Protecting personally identifiable information (PII) in public clouds.

      • Source: Paid.

    • CSA CCM (Cloud Controls Matrix): Cloud security control framework. Basis for CSA STAR certification.

    • NIST SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing (2011). Still referenced, but dated; pair it with CSA CCM for current control detail.

  3. Application Security:

    • OWASP Top 10: Awareness document listing 10 critical web application security risks.

    • OWASP ASVS (Application Security Verification Standard): Standard for application security requirements. Used for testing.

    • OWASP SAMM (Software Assurance Maturity Model): Maturity model for integrating security into SDLC.

    • NIST SSDF (Secure Software Development Framework, SP 800-218): Secure development practices grouped into Prepare the Organization, Protect the Software, Produce Well-Secured Software, and Respond to Vulnerabilities.

  4. Identity and Access Management (IAM):

    • NIST SP 800-63 Rev. 3: Digital identity guidelines (identity, authenticator, and federation assurance levels: IAL/AAL/FAL). A Rev. 4 update exists; verify which revision applies to you.

    • ISO/IEC 29115: Entity authentication assurance framework.

      • Source: Paid.

  5. Cryptographic Standards:

    • NIST FIPS 180-4 (SHA-2 family: SHA-224/256/384/512), FIPS 202 (SHA-3), FIPS 186-5 (Digital Signature Standard: ECDSA, EdDSA, RSA), FIPS 197 (AES), FIPS 198-1 (HMAC): Cryptographic algorithms.

    • IETF RFCs: Protocols (TLS 1.2/1.3: RFC 5246/8446; IPsec: RFC 4301; OAuth 2.0: RFC 6749).
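The standards above are only useful if you can recognize when an implementation follows them. The following is an added example (not part of the original page) that builds HMAC exactly as FIPS 198-1 defines it, on top of the FIPS 180-4 SHA-256 in Python's standard library, and checks the result against the well-known RFC 4231 test vector and against the stdlib `hmac` oracle. The function and constant names are the author's own choices; the message `b"Hi There"` and key of twenty 0x0b bytes are the published test vector.

```python
import hashlib
import hmac


def hmac_fips198(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC as specified in FIPS 198-1 / RFC 2104.

    HMAC(K, m) = H((K' XOR opad) || H((K' XOR ipad) || m))
    where K' is the key brought to the hash function's block size B:
    keys longer than B are hashed first, shorter keys are zero-padded.
    """
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for SHA-256 (FIPS 180-4)
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()   # FIPS 198-1 step 2
    key = key.ljust(block_size, b"\x00")             # FIPS 198-1 step 3
    ipad_key = bytes(b ^ 0x36 for b in key)          # inner pad constant
    opad_key = bytes(b ^ 0x5C for b in key)          # outer pad constant
    inner = hashlib.new(hash_name, ipad_key + message).digest()
    return hashlib.new(hash_name, opad_key + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Verify a tag with a constant-time comparison (avoids timing side channels)."""
    return hmac.compare_digest(hmac_fips198(key, message, hash_name), tag)


# RFC 4231, test case 1 (HMAC-SHA-256): published vector, not constructed here.
RFC4231_KEY = b"\x0b" * 20
RFC4231_MSG = b"Hi There"
RFC4231_TAG = bytes.fromhex(
    "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"
)


def self_check() -> bool:
    """Returns True if the FIPS 198-1 construction matches both the RFC vector
    and the stdlib implementation, including the long-key (hash-first) path."""
    ok = hmac_fips198(RFC4231_KEY, RFC4231_MSG) == RFC4231_TAG
    long_key = bytes(range(200))  # constructed key longer than the 64-byte block
    ok = ok and hmac_fips198(long_key, b"msg") == hmac.new(long_key, b"msg", "sha256").digest()
    ok = ok and verify_tag(RFC4231_KEY, RFC4231_MSG, RFC4231_TAG)
    ok = ok and not verify_tag(RFC4231_KEY, b"Hi there", RFC4231_TAG)  # tampered message
    return ok


if __name__ == "__main__":
    print("FIPS 198-1 HMAC self-check:", "PASS" if self_check() else "FAIL")
```

In production code use the stdlib `hmac` module rather than a hand-rolled construction; the point of the block is to show how a published test vector lets you confirm that an implementation actually conforms to the standard it claims.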

  6. Physical and Personnel Security:

    • ISO 27001/27002: Include physical controls (Annex A.11 in the 2013 edition; Annex A.7 "Physical controls" in the 2022 edition) and people controls (A.7 in 2013; A.6 "People controls" in 2022: screening, terms of employment, awareness, disciplinary process).

    • ISO 22301: Business continuity management systems (BCMS). (Certifiable). Relevant here for facility-level disruption and loss of key personnel; the full entry is under BC/DR below.

      • Source: Paid.

    • Local/Industry Regulations: Often defined by national laws or regulators (e.g., banking, nuclear facilities).

  7. Business Continuity and Disaster Recovery (BC/DR):

    • ISO 22301: Business continuity management. (Certifiable).

    • NIST SP 800-34 Rev. 1: IT disaster recovery planning.

  8. Incident Management:

    • ISO/IEC 27035: Information security incident management.

      • Source: Paid.

    • NIST SP 800-61 Rev. 2: Computer security incident handling (preparation, detection and analysis, containment/eradication/recovery, post-incident activity). Rev. 3 (2025) restructures the guidance around CSF 2.0; check which revision your auditors expect.

  9. IoT Security:

    • NIST IR 8259 Series: Foundational IoT cybersecurity guidelines.

    • ETSI EN 303 645: Cybersecurity standard for consumer IoT.


Key Professional Certifications

  1. General/Management:

    • CISSP (Certified Information Systems Security Professional): Gold standard for security managers/architects. By (ISC)². Requires experience.

    • CISM (Certified Information Security Manager): Focuses on risk management and security programs. By ISACA. Requires management experience.

    • ISO 27001 Lead Auditor/Implementer: Certifications for auditing/implementing ISO 27001. By accredited providers (PECB, BSI).

  2. Technical:

    • CompTIA Security+: Foundational technical certification.

    • CEH (Certified Ethical Hacker): Penetration testing and ethical hacking. By EC-Council.

    • OSCP (Offensive Security Certified Professional): Hands-on penetration testing certification (24-hour exam).

    • CCSP (Certified Cloud Security Professional): Cloud security expertise. By (ISC)².

  3. Audit:

    • CISA (Certified Information Systems Auditor): Leading IT/security audit certification. By ISACA.

  4. Standard-Specific:

    • PCI Professional (PCIP) / PCI Internal Security Assessor (ISA): For PCI DSS compliance. By PCI SSC.

    • Certified HIPAA Security Professional (CHSP): HIPAA Security Rule specialization.


Critical Considerations

  1. Combinations: Organizations rarely use one standard. ISO 27001 is often combined with NIST CSF, industry standards (PCI DSS, HIPAA), and technical guidelines (NIST SP 800-53, OWASP).

  2. National Standards: Most countries have specific standards (e.g., FSTEC in Russia, BSI Grundschutz in Germany). Always check local requirements.

  3. Currency: Standards evolve! Always verify the latest version via official sources.

  4. Accessibility: Paid standards (ISO, PCI DSS) are copyright-protected. Free standards (NIST, OWASP, RFCs) are openly available.

  5. Start with Fundamentals: Focus on ISO 27001/27002, NIST CSF, and NIST SP 800-53 first. Then specialize by industry (PCI DSS, HIPAA) or domain (OWASP Top 10, NIST cryptography).


▶︎ Pro Tip: Bookmark these key resources:
