You often hear about cybersecurity standards, and just as often you find yourself having to evaluate what you are developing (or which processes are running in your company) and figure out which standard is the best one for your organization to follow. After the third time I had to check a book and hunt for summaries to see which standard was the best fit for me, I decided to write a quick overview of cybersecurity standards by summing up the differences and the main scopes of some of the best-known international standard categories.
The aim of this post is to provide a single place where you can search for a keyword (CTRL+F and type) and see whether any results come up. If so, you might decide to prioritise checking that standard first by reading its scope.
NB: this is not original content; you can find this information in many documents, often organized in a better way. This is just my way of remembering the core concepts of the international standards. If you like this approach, feel free to bookmark this page and check it before your next compliance meeting.
| Name | ISO/IEC TS 27100:2020 |
|---|---|
| SCOPE | 1. Covers the basic concepts of cybersecurity 2. Covers cybersecurity in relation to information security 3. Covers the general context (as distinct from the concepts) of cybersecurity |
| NOT IN SCOPE | 1. Does not cover cybersecurity practices and definitions 2. Does not cover products 3. Does not cover checklists 4. Does not limit other standards or an organization's own checklists or procedures |
| LINK | https://www.iso.org/standard/72434.html |
| SDO | International Organization for Standardization |
| Name | ISO/IEC 27102:2019 |
|---|---|
| SCOPE | 1. Covers guidelines for considering the purchase of cybersecurity insurance 2. Covers the cybersecurity risk framework 3. Covers how to use cybersecurity insurance to manage the impact of a cyber incident 4. Covers the artifacts to be shared between the insurer and the organization after a cyber incident 5. Covers the claim activities and actions associated with a cyber insurance policy |
| NOT IN SCOPE | 1. Does not cover cybersecurity practices and definitions 2. Does not cover technical aspects of cybersecurity |
| LINK | https://www.iso.org/standard/72436.html |
| SDO | International Organization for Standardization |
| Name | ISO/IEC 27032:2012 |
|---|---|
| SCOPE | 1. Covers a general overview of cybersecurity 2. Covers the relationships between cybersecurity and physical security 3. Covers cybersecurity stakeholders, definitions, roles and actions 4. Covers a framework that enables stakeholders to collaborate |
| NOT IN SCOPE | 1. Does not cover specific aspects of cybersecurity 2. Does not cover practical checklists or test cases |
| LINK | https://www.iso.org/standard/44375.html |
| SDO | International Organization for Standardization |
| Name | NIST Cybersecurity Framework |
|---|---|
| SCOPE | 1. Covers a taxonomy of cybersecurity 2. Covers a framework for assessing cyber risk 3. Covers methodologies to assess and manage a company's cybersecurity improvements 4. Covers cybersecurity best practices 5. Covers outcomes from assessments |
| NOT IN SCOPE | 1. Does not cover specific aspects of cybersecurity implementation 2. Does not cover practical checklists or test cases 3. Does not cover products or product categories |
| LINK | https://www.nist.gov/cyberframework |
| SDO | National Institute of Standards and Technology |
| Name | ENISA Cybersecurity for SMEs |
|---|---|
| SCOPE | 1. Covers the main steps to ensure good cybersecurity hygiene in an SME environment 2. Covers basic concepts of cybersecurity |
| NOT IN SCOPE | 1. Does not cover specific aspects of cybersecurity implementation 2. Does not cover practical checklists or test cases 3. Does not cover products or product categories |
| LINK | https://www.enisa.europa.eu/publications/enisa-report-cybersecurity-for-smes |
| SDO | European Network and Information Security Agency |
| Name | ISO/SAE 21434:2021 |
|---|---|
| SCOPE | 1. Covers engineering requirements for cybersecurity and risk management 2. Covers the cybersecurity process for the production, development, maintenance and decommissioning of electrical components in road vehicles 3. Covers equipment and component interfaces |
| NOT IN SCOPE | 1. Does not cover specific technologies and solutions |
| LINK | https://www.iso.org/standard/70918.html |
| SDO | International Organization for Standardization |
| Name | ISO/IEC 27110:2021 |
|---|---|
| SCOPE | 1. Covers the technical specification for developing a cybersecurity framework 2. Covers guidelines for building a cybersecurity framework in both small and large companies |
| NOT IN SCOPE | 1. Does not cover specific technologies and solutions |
| LINK | https://www.iso.org/standard/72435.html |
| SDO | International Organization for Standardization |
| Name | ASVS (Application Security Verification Standard) |
|---|---|
| SCOPE | 1. Covers the basic steps of web security testing and application technical security controls 2. Covers a checklist of security requirements for secure development |
| NOT IN SCOPE | 1. Does not cover specific technologies and solutions 2. Does not cover general framework methodologies 3. Does not cover advanced security testing techniques |
| LINK | https://owasp.org/www-project-application-security-verification-standard/ |
| SDO | Open Web Application Security Project (OWASP) |
| Name | Web Security Testing Guide (WSTG) |
|---|---|
| SCOPE | 1. Covers a comprehensive guide to securing web applications and web services 2. Covers a framework of known best practices used by penetration testers 3. Covers detailed information on steps and checklists |
| NOT IN SCOPE | 1. Does not cover specific technologies and solutions 2. Does not cover advanced security testing techniques |
| LINK | https://owasp.org/www-project-web-security-testing-guide/ |
| SDO | Open Web Application Security Project (OWASP) |
| Name | OWASP TOP 10 |
|---|---|
| SCOPE | 1. Covers the ranking of the most critical web application security risks 2. Covers the ranking of the most critical web application security vulnerabilities and attack paths 3. Covers remediation guidance |
| NOT IN SCOPE | 1. Does not cover specific technologies and solutions 2. Does not cover advanced security testing techniques 3. Does not cover web application risks exhaustively |
| LINK | https://owasp.org/www-project-top-ten/ |
| SDO | Open Web Application Security Project (OWASP) |
| Name | Software Assurance Maturity Model (SAMM) |
|---|---|
| SCOPE | 1. Covers the evaluation of existing software security practices 2. Covers a well-defined process for a security assurance program 3. Covers the path to demonstrating continuous improvement of a security assurance program 4. Covers the definition of security-related activities 5. Covers how to measure the improvements of a security assurance program |
| NOT IN SCOPE | 1. Does not cover specific technologies and solutions 2. Does not cover advanced security testing techniques 3. Does not cover web application risks exhaustively |
| LINK | https://owasp.org/www-project-samm/ |
| SDO | Open Web Application Security Project (OWASP) |
| Name | ISO/IEC 27109 |
|---|---|
| SCOPE | 1. Covers the processes of cybersecurity education 2. Covers the process of cybersecurity training 3. Covers information and improvements on cybersecurity education |
| NOT IN SCOPE | 1. Does not cover technical and IT technologies |
| LINK | https://www.iso.org/standard/81556.html |
| SDO | International Organization for Standardization |
| Name | ISO/IEC 27400 |
|---|---|
| SCOPE | 1. Covers the processes for information risks in the Internet of Things 2. Covers cybersecurity principles for the Internet of Things 3. Covers principles and controls to be adopted to mitigate data privacy risks in the Internet of Things |
| NOT IN SCOPE | 1. Does not cover technical testing actions 2. Does not cover best practices for developing and designing Internet of Things systems |
| LINK | https://www.iso.org/standard/44373.html |
| SDO | International Organization for Standardization |
| Name | ISO/IEC 27001 |
|---|---|
| SCOPE | 1. Covers the framework for evaluating a company's IT structure 2. Covers how assessments shall be performed on IT infrastructure 3. Covers best practices in Information Technology 4. Covers and verifies the processes in Information Technology 5. Builds on self-improvement loops |
| NOT IN SCOPE | 1. Does not cover technical testing actions 2. Does not cover specific technologies 3. Does not cover detailed checklists on defence or protection 4. It is not a substitute for any other certification |
| LINK | https://www.iso.org/standard/27001.html |
| SDO | International Organization for Standardization |
| Name | PCI DSS |
|---|---|
| SCOPE | 1. Covers the framework for evaluating data protection in credit card payment services 2. Covers best practices for protecting the data of credit card customers 3. Is the de facto standard for credit card payments 4. Covers a wide range of data protection aspects in both companies and applications |
| NOT IN SCOPE | 1. Does not cover specific technologies 2. It is not a substitute for any other certification |
| LINK | https://pcisecuritystandards.org |
| SDO | PCI Security Standards Council |
| Name | TIBER-EU |
|---|---|
| SCOPE | 1. Covers a common framework that delivers a controlled, bespoke, intelligence-led red team test of entities' critical live production systems 2. Covers intelligence-led red team tests that mimic the tactics, techniques and procedures (TTPs) of real-life threat actors who, on the basis of threat intelligence, are perceived as posing a genuine threat to entities 3. Covers the cyber resilience of entities, and of the financial sector more generally 4. Covers the standardisation and harmonisation of the way entities perform intelligence-led red team tests across the EU, while also allowing each jurisdiction a degree of flexibility to adapt the framework according to its specificities 5. Covers guidance to authorities on how they might establish, implement and manage this form of testing at a national or European level |
| NOT IN SCOPE | 1. Does not cover specific technologies 2. Does not cover specific procedures and technologies 3. As of 2022, not yet in a stable release |
| LINK | https://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework.en.pdf |
| SDO | European Central Bank |
If anything relevant is missing, please do not hesitate to contact me HERE.