ISO Standards for Security Flashcards
Learn which ISO standards are relevant to the CISSP Exam
ISO 27001
ISMS
ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.
ISO 27002
Information technology – Security techniques – Code of practice for information security controls.
ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.
ISO 27005
IT Risk Management
ISO/IEC 27005:2018 provides guidelines for information security risk management and supports the general concepts specified in ISO 27001. Last updated in 2011, this standard is designed to assist the implementation of an ISMS based on a risk management approach. To gain a complete understanding of ISO/IEC 27005:2018, managers and directors first need knowledge of the concepts, models, processes and terminology described in ISO 27001 and ISO 27002.
ISO 22301
Business continuity management
ISO 22301 Societal security – Business continuity management systems – Requirements is a management system standard that specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise. It is intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization.
ISO 27031
IT Continuity (DRP)
ISO/IEC 27031:2011 - Information technology — Security techniques — Guidelines for information and communications technology readiness for business continuity
ISO 15408
Common Criteria
The Common Criteria for Information Technology Security Evaluation (referred to as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. It is currently in version 3.1 revision 5.
ISO 7498-1
OSI Model
Information technology - Open Systems Interconnection - Basic Reference Model: The Basic Model
ISO 17025
Forensics
ISO/IEC 17025 General requirements for the competence of testing and calibration laboratories is the main ISO standard used by testing and calibration laboratories.
ISO 90003
Software engineering
ISO/IEC 90003 Software engineering – Guidelines for the application of ISO 9001:2008 to computer software is a set of guidelines developed to help organizations apply ISO 9001 to the acquisition, supply, development, operation and maintenance of computer software and related support services.
ISO 31000
Risk Management Framework and Guidelines
ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management.