The ISO/IEC 270XX series of standards is the "Swiss Army knife" of information security.
When information security comes up, everyone usually thinks of ISO/IEC 27001. Only and solely of this by now "famous" standard. In the field of standardization on the subject of "security" there are considerably more standards, and knowing them (at least some of them, meaning knowing exactly those that apply to a particular case or business) can save a great deal of head-scratching and missteps. Including in the more complex and more scandalous incidents we have witnessed lately (the Commercial Register, the NRA, ...). Because some of these standards give guidance on how information of evidential value is collected, processed and analysed, so that complex disputes can be resolved and perpetrators identified.
And not only that...
ISO/IEC 27050-1:2016
Information technology -- Security techniques -- Electronic discovery -- Part 1: Overview and concepts
Electronic discovery is the process of discovering
pertinent Electronically Stored Information (ESI) or data by one or more parties
involved in an investigation or litigation, or similar proceeding. ISO/IEC
27050:2016 provides an overview of electronic discovery. In addition, it
defines related terms and describes the concepts, including, but not limited
to, identification, preservation, collection, processing, review, analysis, and
production of ESI. This document also identifies other relevant standards (e.g.
ISO/IEC 27037) and how they relate to, and interact with, electronic discovery
activities.
ISO/IEC 27043:2015
Information technology -- Security techniques -- Incident investigation
principles and processes
ISO/IEC 27043:2015 provides
guidelines based on idealized models for common incident investigation
processes across various incident investigation scenarios involving digital
evidence. This includes processes from pre-incident preparation through
investigation closure, as well as any general advice and caveats on such
processes. The guidelines describe processes and principles applicable to
various kinds of investigations, including, but not limited to, unauthorized
access, data corruption, system crashes, or corporate breaches of information
security, as well as any other digital investigation.
ISO/IEC 27042:2015
Information technology -- Security techniques -- Guidelines for the
analysis and interpretation of digital evidence
ISO/IEC 27042:2015 provides
guidance on the analysis and interpretation of digital evidence in a manner
which addresses issues of continuity, validity, reproducibility, and
repeatability. It encapsulates best practice for selection, design, and
implementation of analytical processes and recording sufficient information to
allow such processes to be subjected to independent scrutiny when required. It
provides guidance on appropriate mechanisms for demonstrating proficiency and
competence of the investigative team.
ISO/IEC 27041:2015
Information technology -- Security techniques -- Guidance on assuring suitability
and adequacy of incident investigative method
ISO/IEC 27041:2015 provides
guidance on mechanisms for ensuring that methods and processes used in the
investigation of information security incidents are "fit for
purpose". It encapsulates best practice on defining requirements,
describing methods, and providing evidence that implementations of methods can
be shown to satisfy requirements. It includes consideration of how vendor and
third-party testing can be used to assist this assurance process.
ISO/IEC 27040:2015
Information technology -- Security techniques -- Storage security
ISO/IEC 27040:2015 provides detailed technical
guidance on how to effectively manage all aspects of data storage security,
from the planning and design to the implementation and documentation.
ISO/IEC 27039:2015
Information technology -- Security techniques -- Selection, deployment
and operations of intrusion detection and prevention systems (IDPS)
ISO/IEC 27039:2015 provides
guidelines to assist organizations in preparing to deploy intrusion detection
and prevention systems (IDPS). In particular, it addresses the selection,
deployment, and operations of IDPS. It also provides background information
from which these guidelines are derived.
ISO/IEC 27038:2014
Information technology -- Security techniques -- Specification for
digital redaction
ISO/IEC 27038:2014 specifies
characteristics of techniques for performing digital redaction on digital
documents. It also specifies requirements for software redaction tools and
methods of testing that digital redaction has been securely completed. ISO/IEC
27038:2014 does not include the redaction of information from databases.
ISO/IEC 27037:2012
Information technology -- Security techniques -- Guidelines for
identification, collection, acquisition and preservation of digital evidence
ISO/IEC 27037:2012 provides
guidelines for specific activities in the handling of digital evidence, which
are identification, collection, acquisition and preservation of potential
digital evidence that can be of evidential value. It provides guidance to
individuals with respect to common situations encountered throughout the
digital evidence handling process and assists organizations in their
disciplinary procedures and in facilitating the exchange of potential digital
evidence between jurisdictions.
ISO/IEC 27036-1:2014
Information technology -- Security techniques -- Information security
for supplier relationships -- Part 1: Overview and concepts
ISO/IEC 27036-1:2014 is an
introductory part of ISO/IEC 27036. It provides an overview of the guidance
intended to assist organizations in securing their information and information
systems within the context of supplier relationships. It also introduces
concepts that are described in detail in the other parts of ISO/IEC 27036.
ISO/IEC 27036-1:2014 addresses perspectives of both acquirers and suppliers.
ISO/IEC 27035-1:2016
Information technology -- Security techniques -- Information security
incident management -- Part 1: Principles of incident management
ISO/IEC 27035-1:2016 is the
foundation of this multipart International Standard. It presents basic concepts
and phases of information security incident management and combines these
concepts with principles in a structured approach to detecting, reporting,
assessing, and responding to incidents, and applying lessons learnt.
ISO/IEC 27034-1:2011
Information technology -- Security techniques -- Application security
-- Part 1: Overview and concepts
ISO/IEC 27034 provides guidance
to assist organizations in integrating security into the processes used for
managing their applications. ISO/IEC 27034-1:2011 presents an overview of
application security. It introduces definitions, concepts, principles and
processes involved in application security. ISO/IEC 27034 is applicable to
in-house developed applications, applications acquired from third parties, and
where the development or the operation of the application is outsourced.
ISO/IEC 27033-1:2015
Information technology -- Security techniques -- Network security --
Part 1: Overview and concepts
ISO/IEC 27033-1:2015 provides an
overview of network security and related definitions. It defines and describes
the concepts associated with, and provides management guidance on, network
security. (Network security applies to the security of devices, security of
management activities related to the devices, applications/services, and
end-users, in addition to security of the information being transferred across
the communication links.)
ISO/IEC 27032:2012
Information technology -- Security techniques -- Guidelines for
cybersecurity
ISO/IEC 27032:2012 provides
guidance for improving the state of Cybersecurity, drawing out the unique
aspects of that activity and its dependencies on other security domains, in
particular:
§ network security,
§ internet security, and
§ critical information infrastructure protection (CIIP).
It covers the baseline security
practices for stakeholders in the Cyberspace.
This International Standard
provides:
§ an explanation of the relationship between Cybersecurity and other types of security,
§ a definition of stakeholders and a description of their roles in Cybersecurity,
§ guidance for addressing common Cybersecurity issues, and
§ a framework to enable stakeholders to collaborate on resolving Cybersecurity issues.
ISO/IEC 27031:2011
Information technology -- Security techniques -- Guidelines for
information and communication technology readiness for business continuity
ISO/IEC 27031:2011 describes the
concepts and principles of information and communication technology (ICT)
readiness for business continuity, and provides a framework of methods and
processes to identify and specify all aspects (such as performance criteria,
design, and implementation) for improving an organization's ICT readiness to
ensure business continuity. It applies to any organization (private,
governmental, and non-governmental, irrespective of size) developing its ICT
readiness for business continuity program (IRBC), and requiring its ICT services/infrastructures
to be ready to support business operations in the event of emerging events and
incidents, and related disruptions, that could affect continuity (including
security) of critical business functions. It also enables an organization to
measure performance parameters that correlate to its IRBC in a consistent and
recognized manner.
ISO/IEC TR 27023:2015
Information technology -- Security techniques -- Mapping the revised
editions of ISO/IEC 27001 and ISO/IEC 27002
ISO/IEC TR 27023:2015 is to show
the corresponding relationship between the revised versions of ISO/IEC 27001
and ISO/IEC 27002. ISO/IEC TR 27023:2015 will be useful to all users migrating
from the 2005 to the 2013 versions of ISO/IEC 27001 and ISO/IEC 27002.
ISO/IEC WD 27022
Information technology -- Security techniques -- Guidance on ISMS processes
XXX
ISO/IEC 27021:2017
Information technology -- Security techniques -- Competence
requirements for information security management systems professionals
ISO/IEC 27021:2017 specifies the
requirements of competence for ISMS professionals leading or involved in
establishing, implementing, maintaining and continually improving one or more
information security management system processes that conforms to ISO/IEC
27001.
ISO/IEC 27019:2017
Information technology -- Security techniques -- Information security
controls for the energy utility industry
ISO/IEC 27019:2017 provides
guidance based on ISO/IEC 27002:2013 applied to process control systems used by
the energy utility industry for controlling and monitoring the production or
generation, transmission, storage and distribution of electric power, gas, oil
and heat, and for the control of associated supporting processes.
ISO/IEC 27018:2019
Information technology -- Security techniques -- Code of practice for
protection of personally identifiable information (PII) in public clouds acting
as PII processors
This document establishes
commonly accepted control objectives, controls and guidelines for implementing
measures to protect Personally Identifiable Information (PII) in line with the
privacy principles in ISO/IEC 29100 for the public cloud computing environment.
In particular, this document
specifies guidelines based on ISO/IEC 27002, taking into consideration the
regulatory requirements for the protection of PII which can be applicable
within the context of the information security risk environment(s) of a
provider of public cloud services.
ISO/IEC 27017:2015
Information technology -- Security techniques -- Code of practice for
information security controls based on ISO/IEC 27002 for cloud services
ISO/IEC 27017:2015 gives
guidelines for information security controls applicable to the provision and
use of cloud services by providing:
§ additional implementation guidance for relevant controls specified in ISO/IEC 27002;
§ additional controls with implementation guidance that specifically relate to cloud services.
This Recommendation |
International Standard provides controls and implementation guidance for both
cloud service providers and cloud service customers.
ISO/IEC TR 27016:2014
Information technology -- Security techniques -- Information security
management -- Organizational economics
ISO/IEC TR 27016:2014 provides
guidelines on how an organization can make decisions to protect information and
understand the economic consequences of these decisions in the context of
competing requirements for resources. ISO/IEC
TR 27016:2014 is applicable to all types and sizes of organizations and
provides information to enable economic decisions in information security
management by top management who have responsibility for information security
decisions.
ISO/IEC 27014:2013
Information technology -- Security techniques -- Governance of
information security
ISO/IEC 27014:2013 provides
guidance on concepts and principles for the governance of information security,
by which organizations can evaluate, direct, monitor and communicate the
information security related activities within the organization.
ISO/IEC 27013:2015
Information technology -- Security techniques -- Guidance on the
integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
ISO/IEC 27013:2015 provides
guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000‑1
for those organizations that are intending to either
a) implement ISO/IEC 27001 when
ISO/IEC 20000‑1 is already implemented, or vice versa,
b) implement both ISO/IEC 27001
and ISO/IEC 20000‑1 together, or
c) integrate existing management
systems based on ISO/IEC 27001 and ISO/IEC 20000‑1.
ISO/IEC 27013:2015 focuses
exclusively on the integrated implementation of an information security
management system (ISMS) as specified in ISO/IEC 27001 and a service management
system (SMS) as specified in ISO/IEC 20000‑1. In practice, ISO/IEC 27001 and ISO/IEC 20000‑1
can also be integrated with other management system standards, such as ISO 9001
and ISO 14001.
ISO/IEC 27011:2016
Information technology -- Security techniques -- Code of practice for
Information security controls based on ISO/IEC 27002 for telecommunications
organizations
The scope of this Recommendation
| ISO/IEC 27011:2016 is to define guidelines supporting the implementation of
information security controls in telecommunications organizations.
The adoption of this
Recommendation | ISO/IEC 27011:2016 will allow telecommunications organizations
to meet baseline information security management requirements of
confidentiality, integrity, availability and any other relevant security
property.
ISO/IEC 27010:2015
Information technology -- Security techniques -- Information security
management for inter-sector and inter-organizational communications
ISO/IEC 27010:2015 provides
guidelines in addition to the guidance given in the ISO/IEC 27000 family of
standards for implementing information security management within information
sharing communities.
This International Standard
provides controls and guidance specifically relating to initiating,
implementing, maintaining, and improving information security in
inter-organizational and inter-sector communications. It provides guidelines
and general principles on how the specified requirements can be met using
established messaging and other technical methods.
This International Standard is
applicable to all forms of exchange and sharing of sensitive information, both
public and private, nationally and internationally, within the same industry or
market sector or between sectors. In particular, it may be applicable to
information exchanges and sharing relating to the provision, maintenance and
protection of an organization's or nation state's critical infrastructure. It
is designed to support the creation of trust when exchanging and sharing
sensitive information, thereby encouraging the international growth of
information sharing communities.
ISO/IEC 27009:2016
Information technology -- Security techniques -- Sector-specific
application of ISO/IEC 27001 -- Requirements
ISO/IEC 27009:2016 defines the
requirements for the use of ISO/IEC 27001 in any specific sector (field,
application area or market sector). It explains how to include requirements
additional to those in ISO/IEC 27001, how to refine any of the ISO/IEC 27001
requirements, and how to include controls or control sets in addition to
ISO/IEC 27001:2013, Annex A.
It ensures that additional or
refined requirements are not in conflict with the requirements in ISO/IEC
27001.
It is applicable to those
involved in producing sector-specific standards that relate to ISO/IEC 27001.
ISO/IEC TS 27008:2019
Information technology -- Security techniques -- Guidelines for the
assessment of information security controls
This document provides guidance
on reviewing and assessing the implementation and operation of information
security controls, including the technical assessment of information system
controls, in compliance with an organization's established information security
requirements including technical compliance against assessment criteria based
on the information security requirements established by the organization.
This document offers guidance on
how to review and assess information security controls being managed through an
Information Security Management System specified by ISO/IEC 27001.
It is applicable to all types and
sizes of organizations, including public and private companies, government
entities, and not-for-profit organizations conducting information security
reviews and technical compliance checks.
ISO/IEC 27007:2017
Information technology -- Security techniques -- Guidelines for
information security management systems auditing
ISO/IEC 27007 provides guidance
on managing an information security management system (ISMS) audit programme,
on conducting audits, and on the competence of ISMS auditors, in addition to
the guidance contained in ISO 19011:2011.
ISO/IEC 27007 is applicable to those needing to understand or conduct
internal or external audits of an ISMS or to manage an ISMS audit programme.
ISO/IEC 27006:2015
Information technology -- Security techniques -- Requirements for
bodies providing audit and certification of information security management
systems
ISO/IEC 27006:2015 specifies
requirements and provides guidance for bodies providing audit and certification
of an information security management system (ISMS), in addition to the
requirements contained within ISO/IEC 17021‑1 and ISO/IEC 27001. It is
primarily intended to support the accreditation of certification bodies providing
ISMS certification.
The requirements contained in
this International Standard need to be demonstrated in terms of competence and
reliability by any body providing ISMS certification, and the guidance
contained in this International Standard provides additional interpretation of
these requirements for any body providing ISMS certification.
NOTE This International Standard
can be used as a criteria document for accreditation, peer assessment or other
audit processes.
ISO/IEC 27005:2018
Information technology -- Security techniques -- Information security
risk management
This document provides guidelines
for information security risk management.
This document supports the
general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory
implementation of information security based on a risk management approach.
Knowledge of the concepts,
models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC
27002 is important for a complete understanding of this document.
This document is applicable to
all types of organizations (e.g. commercial enterprises, government agencies,
non-profit organizations) which intend to manage risks that can compromise the
organization's information security.
ISO/IEC 27004:2016
Information technology -- Security techniques -- Information security
management -- Monitoring, measurement, analysis and evaluation
ISO/IEC 27004:2016 provides
guidelines intended to assist organizations in evaluating the information
security performance and the effectiveness of an information security
management system in order to fulfil the requirements of ISO/IEC 27001:2013,
9.1. It establishes:
a) the monitoring and measurement
of information security performance;
b) the monitoring and measurement
of the effectiveness of an information security management system (ISMS)
including its processes and controls;
c) the analysis and evaluation of
the results of monitoring and measurement.
ISO/IEC 27003:2017
Information technology -- Security techniques -- Information security
management systems -- Guidance
ISO/IEC 27003:2017 provides
explanation and guidance on ISO/IEC 27001:2013.
ISO/IEC 27002:2013
Information technology -- Security techniques -- Code of practice for
information security controls
ISO/IEC 27002:2013 gives
guidelines for organizational information security standards and information
security management practices including the selection, implementation and
management of controls taking into consideration the organization's information
security risk environment(s).
It is designed to be used by
organizations that intend to:
§ select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;
§ implement commonly accepted information security controls;
§ develop their own information security management guidelines.
ISO/IEC 27001:2013
Information technology -- Security techniques -- Information security
management systems -- Requirements
ISO/IEC 27001:2013 specifies the
requirements for establishing, implementing, maintaining and continually
improving an information security management system within the context of the
organization. It also includes requirements for the assessment and treatment of
information security risks tailored to the needs of the organization. The
requirements set out in ISO/IEC 27001:2013 are generic and are intended to be
applicable to all organizations, regardless of type, size or nature.
ISO/IEC 27000:2018
Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary
ISO/IEC 27000:2018 provides the overview of
information security management systems (ISMS). It also provides terms and
definitions commonly used in the ISMS family of standards. This document is
applicable to all types and sizes of organization (e.g. commercial enterprises,
government agencies, not-for-profit organizations).
The terms and definitions provided in this
document
- cover commonly used terms and definitions in
the ISMS family of standards;
- do not cover all terms and definitions
applied within the ISMS family of standards; and
- do not limit the ISMS family of standards in
defining new terms for use.