When identifying the most useful best-practice standards and guidance for implementing effective cybersecurity, it is important to establish the role that each fulfills, its scope, and how it interacts (or will interact) with other standards and guidance.
Cybersecurity standards are generally applicable to all organizations regardless of their size or the industry and sector in which they operate. This page provides generic information on each of the common standards that are usually recognized as offering a strong basis for any cybersecurity strategy.
Want to know more about a specific Standard or framework?
If you would like more information or advice on any of the Standards or frameworks covered below, speak to one of our experts today to discover how we can support your organization.
Contact us
NIST CSF (Cybersecurity Framework)
The CSF is a voluntary framework primarily intended to manage and mitigate cybersecurity risk for critical infrastructure organizations, based on existing standards, guidelines, and practices. However, the CSF has proven to be flexible enough to also be implemented by non-US and non-critical-infrastructure organizations.
The CSF is a living document: it recognizes that continual improvement is necessary to adapt to changing industry needs. The latest version, v1.1, was released in 2018.
NIST SPs (Special Publications) 800-53 and 800-171
NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations”, recommends controls for all US federal information systems (excluding those in national security).
Because NIST SP 800-53 contains a very large set of 272 recommended controls, NIST created SP 800-171, a simplified version with just 110 controls across 14 families, which serves as a more approachable framework for contractors to implement.
GLBA (Gramm-Leach-Bliley Act)
The GLBA requires financial institutions to:
- Ensure the security and confidentiality of customer records and information
- Protect against any anticipated threats or hazards to the security or integrity of customer records and information
- Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer
- Provide initial and annual privacy notices to customers describing information sharing policies and informing customers of their rights
- Limit disclosures to third parties and reuse
- Properly dispose of the information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal
DFARS (Defense Federal Acquisition Regulation Supplement)
The cybersecurity requirements under the DFARS mandate that DoD contractors and subcontractors must implement controls that are specified in the NIST SP (Special Publication) 800-171.
Controlled Unclassified Information (CUI) requires safeguarding in accordance with applicable laws, regulations, and policies. All contractors and subcontractors processing, storing, or transmitting CUI need to meet minimum security standards specified in the DFARS. Failing to meet these standards can result in the loss of contracts with the DoD.
The GLBA Security Rule requires financial institutions to:
- Involve the board of directors
- Conduct a risk assessment
- Apply risk management and controls
- Conduct regular staff training
- Obtain oversight of service providers
- Implement a written security incident response plan
- Apply periodic reviews and updates
The law also institutes a Privacy Rule. The Privacy Rule (12 CFR 1016) requires financial institutions to undertake certain activities to protect consumer rights.
Enforcement of the GLBA depends on the type of financial institution being regulated and on which rule is being enforced: the Security Rule or the Privacy Rule. For the former, banks are regulated by federal banking regulators, including the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), and the National Credit Union Administration (NCUA).
Federal Information Security Management Act (FISMA) 2002
FISMA was put in place to strengthen information security within federal agencies, NIST, and the OMB (Office of Management and Budget). It requires each agency to implement “policies and procedures to cost-effectively reduce information technology security risks to an acceptable level”, recognizing the importance of information security to the economy and national security.
HIPAA: Health Insurance Portability and Accountability Act
HIPAA established a national standard for the security of electronic health information, including the protection of individually identifiable health information, the rights granted to individuals, breach notification requirements, and the role of the OCR (Office for Civil Rights).
The Security Rule requires that:
- The confidentiality, integrity, and availability of electronic protected health information (ePHI) be protected. ePHI consists only of individually identifiable health care information that is produced, saved, transferred, or received in electronic form
- ePHI must be protected with administrative safeguards
- ePHI must be protected with physical safeguards
- ePHI must be protected with technical safeguards
The Privacy Rule requires that ePHI can only be used or disclosed in the following cases:
- The individual gives their consent
- For treatment, payment, or health care operations
- Incident to a permitted disclosure
- Public interest
The Breach Notification Rule has specific requirements:
- Individuals to be notified within 60 days of the discovery of a breach
- Notification must include the type of information compromised, steps the individual needs to take to protect themselves, a description of what the covered entity is doing to investigate and mitigate the breach, and contact information
- Breaches of more than 500 individuals require notification to the media and to the Secretary of Health and Human Services (HHS)
- Breaches of fewer than 500 individuals should be logged and reported to the Secretary of HHS annually
ISO/IEC 27001
ISO/IEC 27001 is the international standard for best-practice ISMSs (information security management systems).
It is a rigorous and comprehensive specification for protecting and preserving your information under the principles of confidentiality, integrity, and availability. The Standard offers a set of best-practice controls that can be applied to your organization based on the risks you face, and implemented in a structured manner in order to achieve externally assessed and certified compliance.
The DFARS also contains two further provisions:
- The Regulation’s requirement extends mandatory compliance to all subcontractors
- The Regulation provides a detailed process for investigating cyber incidents and reporting them to the DoD and the prime contractor (or next higher-tier subcontractor), including protecting and preserving evidence that includes malware for possible forensic analysis
ISO/IEC 27032
ISO/IEC 27032 is the international standard focusing explicitly on cybersecurity.
While the controls recommended are not as precise or prescriptive as those supplied in ISO/IEC 27001, this standard recognizes the vectors that cyber attacks rely upon. It also includes guidelines for protecting your information beyond the borders of your organization, such as in partnerships, collaborations, or other information-sharing arrangements with clients and suppliers.
As part of the ISO 27000 series of guidelines, ISO/IEC 27032 can be neatly integrated with your ISMS simply by updating and expanding the policies, processes, and training your organization needs.
COPPA (Children’s Online Privacy Protection Act)
Under COPPA, operators collecting personal information from children must:
- Provide a reasonable means for a parent to review the personal information collected from a child, and enable them to refuse to permit its further use or maintenance
- Not make a child’s participation in a game, the offering of a prize, or another activity conditional on the child providing information
- Provide reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children
ISO/IEC 27035
ISO/IEC 27035 is the international standard for incident management.
While cybersecurity management systems are designed to protect your organization, it is essential to be prepared to respond quickly and effectively when something does go wrong. This standard also includes guidance for updating policies and processes to strengthen existing controls following analysis of the event, minimizing the risk of recurrence.
Additional benefits can come from implementing ISO/IEC 27035 because an incident management regime is a requirement of the PCI DSS.
ISO/IEC 27031
ISO/IEC 27031 is the international standard for ICT (information and communication technologies) readiness for business continuity.
This is a logical next step after incident management, as an uncontrolled incident can become a threat to ICT continuity. Your organization must be prepared for a cyber attack that defeats your first line of defense and threatens your information systems as a whole.
This standard bridges the gap between the incident itself and general business continuity, and forms a key link in the chain of cyber resilience.
ISO 22301
ISO 22301 is the international standard for BCMS (Business Continuity Management Systems) and forms a crucial part of cyber resilience.
This standard not only focuses on recovery from disasters but also on maintaining access to and security of information, which is crucial when attempting to return to full and secure functionality.
Speak to an expert
To find out more on how our cybersecurity products and services can protect your organization, or to receive some guidance and advice, speak to one of our experts.