Information Technology

ISO/IEC 27001 and 27002

ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard, the most recent revision of which was published in October 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements.

ISO/IEC 27001 formally specifies a management system intended to bring information security under explicit management control.

ISO/IEC 27002 incorporates part 1 of the BS 7799 good security management practice standard. The latest version of BS 7799 is BS 7799-3. ISO/IEC 27002 is therefore sometimes referred to as ISO 17799 or BS 7799 part 1, and sometimes the name is used to refer to part 1 and part 7. BS 7799 part 1 provides an outline or good practice guide for cybersecurity management, whereas BS 7799 part 2 and ISO/IEC 27001 are normative and therefore provide a framework for certification. ISO/IEC 27002 is a high-level guide to cybersecurity. It is most beneficial as explanatory guidance for the management of an organisation seeking certification to the ISO/IEC 27001 standard. Once obtained, the certification lasts three years. Depending on the auditing organisation, intermediate audits may or may not be carried out during those three years.

ISO/IEC 27001 (ISMS) replaces BS 7799 part 2, but since it is backwards compatible, any organization working toward BS 7799 part 2 can easily transition to the ISO/IEC 27001 certification process. A transitional audit is also available to make it easier for an organization that is already BS 7799 part 2-certified to become ISO/IEC 27001-certified. ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS). It states the information security systems required to implement the ISO/IEC 27002 control objectives. Without ISO/IEC 27001, the ISO/IEC 27002 control objectives are ineffective. The ISO/IEC 27002 control objectives are incorporated into ISO 27001 in Annex A.

ISO/IEC 21827 (SSE-CMM – ISO/IEC 21827) is an International Standard based on the Systems Security Engineering Capability Maturity Model (SSE-CMM) that can measure the maturity of ISO control objectives.

ISO/IEC 15408

This standard develops what is called the “Common Criteria.” It allows many different software and hardware products to be integrated and tested in a secure way.

IEC 62443

The IEC 62443 cybersecurity standard defines processes, techniques and requirements for Industrial Automation and Control Systems (IACS). Its documents are the result of the IEC standards creation process where all national committees involved agree upon a common standard.

[Figure: The numbering and organization of IEC 62443 work products into categories; planned and published IEC 62443 work products for IACS security.]
All IEC 62443 standards and technical reports are organized into four general categories called General, Policies and Procedures, System and Component.

The first category includes foundational information such as concepts, models and terminology.
The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
The third category includes work products that describe system design guidelines and requirements for the secure integration of control systems. Central to this is the zone and conduit design model.
The fourth category includes work products that describe the specific product development and technical requirements of control system products.

ISO/SAE 21434
ISO/SAE 21434 “Road vehicles – Cybersecurity engineering” is a cybersecurity standard jointly developed by ISO and SAE working groups. It proposes cybersecurity measures for the development lifecycle of road vehicles. The standard was published in August 2021.

The standard is related to the European Union (EU) regulation on cyber security that is currently being developed. In coordination with the EU, the UNECE is developing a certification for a “Cyber Security Management System” (CSMS), which is to be mandatory for the type approval of vehicles. ISO/SAE 21434 is a technical standard for automotive development that can demonstrate compliance with those regulations.

A derivative of this is in the work of UNECE WP29, which provides regulations for vehicle cybersecurity and software updates.

ETSI EN 303 645

The ETSI EN 303 645 standard provides a set of baseline requirements for security in consumer Internet of things (IoT) devices. It contains technical controls and organizational policies for developers and manufacturers of Internet-connected consumer devices. The standard was released in June 2020[10] and is intended to be complemented by other, more specific standards. As many consumer IoT devices handle personally identifiable information (PII), implementing the standard helps with compliance with the General Data Protection Regulation (GDPR) in the EU.[11]

The Cybersecurity provisions in this European standard are:

No universal default passwords
Implement a means to manage reports of vulnerabilities
Keep software updated
Securely store sensitive security parameters
Communicate securely
Minimize exposed attack surfaces
Ensure software integrity
Ensure that personal data is secure
Make systems resilient to outages
Examine system telemetry data
Make it easy for users to delete user data
Make installation and maintenance of devices easy
Validate input data
Conformance assessment against these baseline requirements is done via the standard TS 103 701, which allows self-certification or certification by another group.
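To make three of the provisions above concrete (no universal default passwords, ensure software integrity, validate input data), here is an added example of how a manufacturer might self-check a small device fleet before shipping. This is illustrative code written for this page, not part of ETSI EN 303 645 or TS 103 701; the device records, the weak-password list, the firmware image and the setup-request fields are all constructed sample data.

```python
"""Audit constructed consumer-IoT device records against three of the
ETSI EN 303 645 baseline provisions: no universal default passwords,
ensure software integrity, and validate input data.

Added example; the fleet, password list and firmware image are constructed.
"""
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample fleet as it would leave the factory.
DEVICES = [
    {"serial": "CAM-0001", "default_password": "admin"},
    {"serial": "CAM-0002", "default_password": "admin"},
    {"serial": "CAM-0003", "default_password": "admin"},
    {"serial": "HUB-0001", "default_password": "x7Q-91kd-ZpL3"},
]

# Constructed list of well-known factory credentials (assumption: a real
# deployment would maintain and extend such a list).
KNOWN_DEFAULTS = {"admin", "password", "1234", "12345678", "root"}

# Constructed firmware image and its manufacturer-published SHA-256 digest
# (assumed to be delivered out of band, e.g. in signed update metadata).
FIRMWARE_IMAGE = b"constructed-firmware-image-v1.2.0"
EXPECTED_DIGEST = hashlib.sha256(FIRMWARE_IMAGE).hexdigest()

# Allow-list for hostnames: 1-63 characters, letters, digits and inner hyphens.
_HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def find_universal_default_passwords(devices, known_defaults=KNOWN_DEFAULTS):
    """Provision 'No universal default passwords': return passwords that are
    either shared by more than one device or taken from a well-known list."""
    counts = Counter(d["default_password"] for d in devices)
    shared = {pw for pw, n in counts.items() if n > 1}
    weak = {d["default_password"] for d in devices
            if d["default_password"] in known_defaults}
    return sorted(shared | weak)


def firmware_is_intact(image, expected_hex):
    """Provision 'Ensure software integrity': compare the image digest with
    the published one using a constant-time comparison."""
    return hmac.compare_digest(hashlib.sha256(image).hexdigest(), expected_hex)


def validate_setup_request(req):
    """Provision 'Validate input data': allow-list validation of a device
    setup request. Returns a list of problems; empty means acceptable."""
    if not isinstance(req, dict):
        return ["request must be an object"]
    problems = []
    allowed = {"hostname", "telemetry_opt_in", "update_interval_min"}
    for key in sorted(req.keys() - allowed):
        problems.append(f"unexpected field: {key}")
    host = req.get("hostname")
    if not isinstance(host, str) or not _HOSTNAME_RE.match(host):
        problems.append("hostname must be 1-63 letters, digits or hyphens")
    if not isinstance(req.get("telemetry_opt_in"), bool):
        problems.append("telemetry_opt_in must be a boolean")
    interval = req.get("update_interval_min")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if (not isinstance(interval, int) or isinstance(interval, bool)
            or not 1 <= interval <= 1440):
        problems.append("update_interval_min must be an integer from 1 to 1440")
    return problems


def audit_fleet(devices=DEVICES, image=FIRMWARE_IMAGE, digest=EXPECTED_DIGEST):
    """Summarise the checks as a dict a release gate could act on."""
    return {
        "universal_or_weak_passwords": find_universal_default_passwords(devices),
        "firmware_intact": firmware_is_intact(image, digest),
    }


if __name__ == "__main__":
    print(audit_fleet())
    print(validate_setup_request({"hostname": "bad host;rm", "shell": "x",
                                  "telemetry_opt_in": "yes",
                                  "update_interval_min": 0}))
```

In the constructed fleet the three cameras share the factory password "admin", so the audit reports it; the hub's per-device password passes. The integrity check uses `hmac.compare_digest` rather than `==` so the comparison time does not depend on how many leading digest characters match.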
