ISO and NIST Flashcards

1
Q

NIST 800-145

A

NIST Definition of Cloud Computing

2
Q

What is the ISO equivalent to NIST 800-145? What does it provide?

A

ISO 17789 provides Cloud Computing Reference Architecture (CCRA) similar to NIST 800-145

3
Q

ISO

A

The International Organization for Standardization (ISO)

4
Q

ISO 27001

A

The “What to Do” for ISMS

Rules and Requirements for the implementation and management of an Information Security Management System (ISMS)

As a standard, the organization is granted a CERTIFICATION or is CERTIFIED given a successful audit.

--- Extra Info ---

Contains 114 controls across 14 domains (or clauses).

A globally recognized standard; it is not cloud specific, so it must not be used exclusively when evaluating cloud security.

5
Q

ISO 27002

Describe, What is the result, What is the NIST equivalent?

A

builds on ISO 27001 by providing GUIDELINES for organizations to SELECT, IMPLEMENT, and MANAGE security controls based on their own security RISK PROFILE

Same security controls as ISO 27001, just more prescriptive.

As a standard, the organization is granted a CERTIFICATION or is CERTIFIED against the requirements given a successful audit.

The “How to”

Similar to NIST 800-53

6
Q

ISO 27017

A

builds on ISO 27002 and provides guidelines for security controls related to the PROVISION and USE of CLOUD SERVICES. The standard offers security controls and implementation guidance for both CSPs and cloud service CUSTOMERS for relevant controls specified in ISO 27002

7
Q

NIST 800-53

A

NIST Special Publication 800-53 - A guidance document with the primary goal of ensuring that appropriate security requirements and controls are applied to all US federal government data and information systems. Similar to ISO 27002.

--- Extra Info ---

NIST Rev 4 (released 2013) contains information on cloud security.

Outlines hundreds of security controls across 18 control families, targeted at the US government but used across industry and around the globe.

NIST Rev 5 DRAFT, not yet a final publication, is expected to add modern secure cloud system security and other emerging technologies.

8
Q

NIST 800-60

A

NIST’s Guide for Mapping Types of Information Systems to Security Categories (NIST 800-60), last published in 2008, is a resource that provides a step-by-step methodology for classifying data based on risk.

9
Q

What does ISO 17788 consist of?

A

Cloud Computing Definitions

10
Q

Describe what is in ISO 19086-1

A

Information Technology - Cloud Computing - Service Level Agreement (SLA) Framework - Part 1: Overview and Concepts

11
Q

Describe what is in ISO 19086-2

A

Information Technology - Cloud Computing - Service Level Agreement (SLA) Framework - Part 2: Metrics

12
Q

Describe what is in ISO 19086-3

A

Information Technology - Cloud Computing - Service Level Agreement (SLA) Framework - Part 3: Core Requirements

13
Q

ISO 27014

A

Governance of Information Security

14
Q

ISO 38501

A

ISO 38501 - Governance of Information Technology

15
Q

ISO 27018

A

Published in 2014, it is the first international code of practice that focuses on protection of personal data in the cloud; it is based on ISO 27002 and provides implementation guidelines for ISO 27002 controls applicable to protecting PII in the public cloud.

16
Q

ISO 31000

A

Risk Management Guidelines

Provides an overall enterprise framework and process for managing risk. It can be used by any organization regardless of size, activity or sector.

Cannot be used for certification purposes; however, it does provide guidance for internal or external audit programs.

17
Q

ISO 27005

A

Information and Security Risk Management

Guidelines and best practices for information security risk management

18
Q

NIST 800-37r2

A

Risk Management Framework for Information Systems and Organizations (RMF)

A system LIFECYCLE approach for SECURITY and PRIVACY, which builds RMF into the SDLC and drives the process of the 6 STEPS of the RMF.

19
Q

FIPS 140-3

A

aligns the new standard with those set forth in ISO/IEC 19790:2012 (Security Requirements for Cryptographic Modules) and ISO/IEC 24759:2017 (Test Requirements for Cryptographic Modules)

20
Q

ISO 28001

A

Provides requirements and guidance for organizations in international supply chains to:

  • develop and implement supply chain security processes
  • establish and document minimum levels of security within a supply chain(s) or segment of a supply chain

21
Q

ISO 19441

A

Information Technology - Cloud Computing - Interoperability and Portability

Focuses on cloud SERVICE AGREEMENTS and related interoperability and portability between cloud services

22
Q

ISO 22237-2

A

Physical Design of Data Center

Specification and requirements for construction of the BUILDING that will house a data center:

  • location and site selection
  • building construction and configuration
  • fire protection
  • quality construction measures

4 Protection Classes, where the provider categorizes the most critical and highly valued systems that require the greatest levels of protection.

4 Availability Classes, which concern power distribution to the data center.

23
Q

ISO 22237-6

A

Addresses security systems and Fire Prevention

24
Q

NIST 800-207

A

Zero Trust Model - an evolving set of cybersecurity paradigms that move defenses from static network perimeters to focus on users, assets, and resources.

25
Q

NIST 800-64

A

Special Security Considerations in the System Development Lifecycle

(SDLC for security)

26
Q

ISO 27034-1

A

Information technology - Security techniques - Application security ONF/ANF

Organization Normative Framework/Application Normative Framework

27
Q

ISO 7498

A

OSI reference model

  • An educational model to explain how networking protocols work
  • A framework for designing and building network protocols

28
Q

ISO 20000-1

A

A Service Management System (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain, and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfill agreed service requirements.

ITIL equivalent

29
Q

ISO 18788

A

Security Operations Management Systems for security operations.

Provides a framework, principles, and requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the management of security operations.

Used to establish a Security Operations Center