Enterprise Information Security Compliance Certifications: InfoSec Compliance (kept up to date)

ISO 27000 family (international)

Checklist: https://download.csdn.net/download/strings_lei/12369414

ISO/IEC 27000:2018

Information security management systems - Overview and vocabulary (fifth edition)
ISO/IEC 27000 “provides an overview of information security management systems” (and hence the ISO27k standards), and “defines related terms” (i.e. a glossary that formally and explicitly defines many of the specialist terms as they are used in the ISO27k standards).

https://download.csdn.net/download/strings_lei/12369356

ISO/IEC 27001

ISO/IEC 27001:2005 (old version)
Information security management systems — Requirements (first edition)

http://www.securitycn.net/img/uploadimg/20070924/183844756.pdf

ISO/IEC 27001:2013
Information security management systems — Requirements (second edition)
ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information risks (called ‘information security risks’ in the standard). The ISMS is an overarching management framework through which the organization identifies, analyzes and addresses its information risks. The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts - an important aspect in such a dynamic field, and a key advantage of ISO27k’s flexible risk-driven approach as compared to, say, PCI-DSS.
The standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profits), all sizes (from micro-businesses to huge multinationals), and all industries or markets (e.g. retail, banking, defense, healthcare, education and government). This is clearly a very wide brief.
ISO/IEC 27001 does not formally mandate specific information security controls since the controls that are required vary markedly across the wide range of organizations adopting the standard. The information security controls from ISO/IEC 27002 are noted in annex A to ISO/IEC 27001, rather like a menu. Organizations adopting ISO/IEC 27001 are free to choose whichever specific information security controls are applicable to their particular information risks, drawing on those listed in the menu and potentially supplementing them with other a la carte options (sometimes known as extended control sets). As with ISO/IEC 27002, the key to selecting applicable controls is to undertake a comprehensive assessment of the organization’s information risks, which is one vital part of the ISMS.
Furthermore, management may elect to avoid, share or accept information risks rather than mitigate them through controls - a risk treatment decision within the risk management process.

ISO/IEC 27002:2013

Security techniques — Code of practice for information security controls (second edition)
ISO/IEC 27002 is a popular, internationally-recognized standard of good practice for information security. ISO/IEC 27002’s lineage stretches back more than 30 years to the precursors of British Standard BS 7799, published in 1995.

https://www.iso27001security.com/html/27002.html

ISMS implementation and certification process flowchart v4.1

SOX (US SEC) / SOC

https://socauditservices.com/2017/03/28/soc-vs-sox/

SOX

Remember the Enron scandal? How about WorldCom and Tyco? These early-2000s, high-profile financial disasters rattled investor trust and consumer confidence. SOX was created to ensure greater accountability and corporate governance by a public entity toward its investors.
The Sarbanes-Oxley Act (SOX) was instituted in 2002 for the purpose of protecting shareholders (and the general public) from accounting fraud, miscalculated financial records and potentially harmful corporation disclosures and practices.
SOX is monitored by the US Securities and Exchange Commission (SEC) and impacts both the financial and IT departments of a corporation. While SOX compliance doesn’t tell you exactly how to run your record keeping, it does spell out what controls should be in place to provide accurate financial statements.

The Likely Users of SOX Include:
= Publicly-traded companies
= Wholly-owned subsidiaries of publicly-traded companies
= Non-US-based, publicly-traded companies
= Private companies preparing to go public (IPOs)

SOC

Service Organizational Control (SOC) audits are incredibly granular, internal control reports that provide a great deal of transparency for shareholders, investors and future auditors. Long story short, they make sure the information and data you store is accurate and protected at all times. Nothing gets through the cracks during a SOC audit.
SOC audits yield a robust report that can be used by other auditors. It covers all the bases, saves on audit time and cuts the costs of the project. As small business accountants, a SOC audit also gives us great comfort and confidence with our financial projects and planning. These reports boost shareholder confidence, minimize potential security breaches and significantly cut waste throughout the organization's procedures and processes.

  • SOC 1: An audit of internal controls over financial reporting. Think of it like this: if the service you perform produces a number that affects the financial status of your customer, this might apply to you.
  • SOC 2: An audit over one, up to all five, of the Trust Services Principles (TSPs). What are the TSPs? Security, Availability, Processing Integrity, Confidentiality, and Privacy. (This audit is typically very IT focused.)
  • SOC 3: Similar to a SOC 2 audit, this covers IT controls related to Security, Availability, Processing Integrity, Confidentiality, and Privacy, but presents less detail about internal processes and the results of the auditor's testing, and is most generally used for marketing purposes.
  • SOC for Cybersecurity: As digital security breaches continue to pop up around the world, this newer SOC report focuses on highlighting an organization's efforts to prevent, monitor and effectively handle cyber security threats.

The Likely Users of SOC Services Include:

= Healthcare & medical practices
= Data centers
= Banks & investment firms
= Co-Location service providers
= Tax service providers
= Any organization that cannot afford a data breach

MLPS/CPC Cybersecurity Classified Protection Scheme (China)

Interpretation of the Cybersecurity Classified Protection 2.0 (MLPS 2.0) standards system

http://www.djbh.net/webdev/web/SafeProductAction.do?p=getBzgfZxbz&id=8a81825671429a6701715c98cfee000d

From 2007 to 2017, Classified Protection 1.0 was in use. Why has it been called Classified Protection 2.0 since 2017? The reason is that on 1 June 2017 the Cybersecurity Law of the People's Republic of China came into force. It states that the state implements a classified security protection system. Note that at this point classified protection became a legal requirement, so not carrying out classified protection is a violation of the law. At the same time, Article 31 says that if an organization's system is extremely important, it is designated "critical information infrastructure", and for such a system classified protection alone is not enough: key protection must be applied on top of the classified protection baseline.

EUCC (Europe)

ENISA
EU cybersecurity certification framework
Public Consultation on Candidate Cybersecurity Certification Scheme, EUCC

The EU Cybersecurity Act also establishes a Europe-wide cybersecurity certification framework, with the certification work likewise coordinated by ENISA. Under the proposed framework, ENISA works with the European Cybersecurity Certification Group to design certification schemes for products and services; these schemes operate within a number of pre-defined target scopes. The Act also makes clear that, when preparing a European cybersecurity certification scheme, ENISA should regularly consult standardisation organisations, in particular the European standardisation organisations. For now these certifications are voluntary, but by 2034 the European Commission will decide whether to make the relevant certification mandatory for the products it applies to.

Mission of ENISA
The mission of ENISA in the area of the EU cybersecurity certification framework is outlined as follows: “To pro-actively contribute to the emerging EU framework for the ICT certification of products and services and carry out the drawing up of candidate certification schemes in line with the Cybersecurity Act, and additional services and tasks”.

Throughout its lifespan ENISA has received due recognition for its outputs. In a shift towards a role that adds more value to the EU policy on network and information security, ENISA has been singled out as the appropriate organisation to deliver on the promise of drawing up candidate certification schemes in an EU cybersecurity certification framework. ENISA, with its pivotal role as an agency that engages with public services as well as with industry and standardisation organisations, provides a sound reference point to draw up candidate cybersecurity certification schemes. The expected output of ENISA includes draft and finalised candidate schemes for the certification of ICT products and services, within the meaning of the Cybersecurity Act.
