business continuity

#ICYMI, check these online fully accessible + freely downloadable ISO standards, relevant for information security, privacy & data protection

#ICYMI, In case you missed it.

Online freely accessible ISO standards

In the midst of the #COVID19 corona pandemic, the ISO (International Organization for Standardization) has unlocked free reading access to a bunch of relevant standards, including

  • ISO 22301:2019, Security and resilience – Business continuity management systems –Requirements
  • ISO 22316:2017, Security and resilience – Organizational resilience – Principles and attributes
  • ISO 22320:2018, Security and resilience – Emergency management – Guidelines for incident management
  • ISO 31000:2018, Risk management – Guidelines
  • ISO 13485:2016, Medical devices — Quality management systems – Requirements for regulatory purposes

The general access page with all online, fully accessible standards can be found here: https://www.iso.org/covid19.

Important note:

  • these standards are available online, but not downloadable (for legitimate downloads you need to purchase your copy in the ISO shop or with your national standards organisation)
  • there is no guarantee for continued free access once the Covid pandemic is over, if ever. That’s the sole discretion of the ISO, of course.

Freely downloadable ISO standards

Next to the (temporary) free online access, there is also a set of standards you can download for free, no payment required.
See here: https://standards.iso.org/ittf/PubliclyAvailableStandards/

Short url to bookmark: https://ffwd2.me/FreeISO.

Check the interesting ISO standards (from the information security point of view) below

ISO27000 (Information security)

The ISO27001 vocabulary

ISO/IEC 27000:2018
EN – FR		5thInformation technology — Security techniques — Information security management systems — Overview and vocabularyISO/IEC JTC 1/SC 27

Privacy Framework (ISO29100)

ISO/IEC 29100:2011
EN – FR		1stInformation technology — Security techniques — Privacy frameworkISO/IEC JTC 1/SC 27

Cloud Computing Reference architecture

SO/IEC 17788:2014
EN		1stInformation technology — Cloud computing — Overview and vocabularyISO/IEC JTC 1/SC 38
ISO/IEC 17789:2014
EN		1stInformation technology — Cloud computing — Reference architectureISO/IEC JTC 1/SC 38

Cloud computing vocabulary

ISO/IEC 22123-1:2021
EN		1stInformation technology — Cloud computing — Part 1: VocabularyISO/IEC JTC 1/SC 38

Cloud computing policy development

ISO/IEC TR 22678:2019
EN		1stInformation technology — Cloud computing — Guidance for policy developmentISO/IEC JTC 1/SC 38

Cloud Computing SLAs

ISO/IEC 19086-1:2016
EN		1stInformation technology — Cloud computing — Service level agreement (SLA) framework — Part 1: Overview and conceptsISO/IEC JTC 1/SC 38
ISO/IEC 19086-2:2018
EN		1stCloud computing — Service level agreement (SLA) framework — Part 2: Metric modelISO/IEC JTC 1/SC 38

Common Criteria (ISO 15408)

ISO/IEC 15408-1:2009
EN – FR		3rdInformation technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general modelISO/IEC JTC 1/SC 27
ISO/IEC 15408-2:2008
EN – FR		3rdInformation technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional componentsISO/IEC JTC 1/SC 27
ISO/IEC 15408-3:2008
EN – FR		3rdInformation technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance componentsISO/IEC JTC 1/SC 27

Identity management

ISO/IEC 24760-1:2019
EN – FR		2ndIT Security and Privacy — A framework for identity management — Part 1: Terminology and conceptsISO/IEC JTC 1/SC 27

Note-to-self: 2020 IDG Security priorities study

Source: https://f.hubspotusercontent40.net/hubfs/1624046/2020_Security%20Priorities%20Executive%20Summary_final.pdf

End 2020 IDG published a study on Security priorities, and it provides important guidelines to the priorities of securing yourself and your company

  1. Protection of confidential and sensitive data
  2. End-user awareness
  3. Corporate resilience
  4. Enhance access control
  5. Understand external threats
  6. Application security
  7. Plan for unexpected risks

This pretty much confirms that your customers, stakeholder’s and staff interest in protecting personal data is driving security from business perspective.

If you see the increase of cyberattacks and ransomware hitting the business, it’s pretty obvious that Business Continuity Management and Disaster recovery must be on top of your priority list.
You need to have a tested plan against successful cyberattacks and ransomware, to avoid extended business damage and massive (ransom) costs … afterwards.

To put a plan together, you need to understand who is your adversary and what the current state of cybersecurity is.
And this study is a simple but smart guide to define your priorities.

The better you prepare, the less it will cost.
But you’ll only be able to tell when it goes wrong.

Don’t get caught by surprise, be ready.