ISO and NIST Flashcards
NIST 800-145
NIST Definition of Cloud Computing
What is the ISO equivalent to NIST 800-145? What does it provide?
ISO 17789 provides Cloud Computing Reference Architecture (CCRA) similar to NIST 800-145
ISO
the International Organization for Standardization (ISO)
ISO 27001
The “What to Do” for ISMS
Rules and Requirements for the implementation and management of an Information Security Management System (ISMS)
As a standard, the organization is granted a CERTIFICATION or is CERTIFIED given a successful audit.
Extra Info:
Contains 114 controls across 14 domains (or clauses)
A globally recognized standard; it is not cloud-specific, so it must not be used exclusively when evaluating cloud security
ISO 27002
Describe, What is the result, What is the NIST equivalent?
builds on ISO 27001 by providing GUIDELINES for organizations to SELECT, IMPLEMENT, and MANAGE security controls based on their own security RISK PROFILE
Same security controls as ISO 27001, just more prescriptive
As a standard, the organization is granted a CERTIFICATION or is CERTIFIED against the requirements given a successful audit.
The “How to”
Similar to NIST 800-53
ISO 27017
builds on ISO 27002 and provides guidelines for security controls related to the PROVISION and USE of CLOUD SERVICES. The standard offers security controls and implementation guidance for both CSPs and cloud service CUSTOMERS for relevant controls specified in ISO 27002
NIST 800-53
NIST Special Publication 800-53 - A guidance document with the primary goal of ensuring that appropriate security requirements and controls are applied to all US federal government data and information systems. Similar to ISO 27002.
Extra Info:
NIST Rev 4 (released 2013) contains information on cloud security
Outlines hundreds of security controls across 18 control families, targeted at the US government but used across industry and around the globe
NIST Rev 5 DRAFT, not yet a final publication, expected to add modern secure cloud system security and other emerging technologies
NIST 800-60
NIST’s Guide for Mapping Types of Information Systems to Security Categories (NIST 800-60), last published in 2008, is a resource that provides a step-by-step methodology for classifying data based on risk.
What does ISO 17788 consist of?
Cloud Computing Definitions
Describe what is in ISO 19086-1
Information Technology - Cloud Computing - Service Level Agreement (SLA) Framework - Part 1: Overview and Concepts
Describe what is in ISO 19086-2
Information Technology - Cloud Computing - Service Level Agreement (SLA) Framework - Part 2: Metrics
Describe what is in ISO 19086-3
Information Technology - Cloud Computing - Service Level Agreement (SLA) Framework - Part 3: Core Requirements
ISO 27014
Governance of Information Security
ISO 38501
ISO 38501 - Governance of Information Technology
ISO 27018
Published in 2014, it is the first international code of practice that focuses on protection of personal data in the cloud; based on ISO 27002, it provides implementation guidelines for the ISO 27002 controls applicable to protecting PII in the public cloud
ISO 31000
Risk Management Guidelines
Provides an overall Enterprise framework and process for managing risk. It can be used by any organization regardless of size, activity or sector.
Cannot be used for certification purposes; however, it does provide guidance for internal or external audit programs
ISO 27005
Information and Security Risk Management
Guidelines and best practices for information security risk management
NIST 800-37r2
Risk Management Framework for Information Systems and Organizations (RMF)
A system LIFECYCLE approach for SECURITY and PRIVACY, which builds RMF into the SDLC and drives the process of the 6 STEPS of the RMF.
FIPS 140-3
Aligns the new standard with the requirements set forth in ISO/IEC 19790:2012 (Security Requirements for Cryptographic Modules) and ISO/IEC 24759:2017 (Test Requirements for Cryptographic Modules)
ISO 28001
provides requirements and guidance for organizations in international supply chains to:
Develop and implement supply chain security processes
Establish and document minimum levels of security within a supply chain(s) or segment of a supply chain
ISO 19441
Information Technology - Cloud Computing - Interoperability and Portability
Focuses on cloud SERVICE AGREEMENTS and related interoperability and portability between cloud services
ISO 22237-2
Physical Design of Data Center
Specification and requirements for construction of the BUILDING that will house a data center:
- location and site selection
- building construction and configuration
- fire protection
- quality construction measures
4 Protection Classes, used by the provider to categorize the most critical and highly valued systems that require the greatest levels of protection
4 Availability Classes, which concern power distribution to the data center
ISO 22237-6
Addresses security systems and Fire Prevention
NIST 800-207
Zero Trust Model - evolving set of cybersecurity paradigms that move defenses from static, network perimeters to focus on users, assets, and resources
NIST 800-64
Special Security Considerations in the System Development Lifecycle
(SDLC for security)
ISO 27034-1
Information technology - Security techniques - Application security ONF/ANF
Organization Normative Framework/Application Normative Framework
ISO 7498
OSI reference model
An educational model to explain how networking protocols work
A framework for designing and building network protocols
ISO 20000-1
A Service Management System (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain, and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfill agreed service requirements.
ITIL equivalent
ISO 18788
Security Operations Management Systems
Provides a framework, principles, and requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving the management of security operations
Used to establish a Security Operations Center