IT Security

IEEE - P7005 - Standard for Transparent Employer Data Governance

The standard defines specific methodologies to help employers certify how they approach accessing, collecting, storing, utilizing, sharing, and destroying employee data. The standard provides specific metrics and conformance criteria regarding these types of uses from trusted global partners and how vendors and employers can meet them.

Development Status: Under development

IEEE - P7004 - Standard on Child and Student Data Governance

The standard defines specific methodologies to help users certify how they approach accessing, collecting, storing, utilizing, sharing, and destroying child and student data. The standard provides specific metrics and conformance criteria regarding these types of uses from trusted global partners and how vendors and educational institutions can meet them.

Development Status: Under development

IEEE - P7002 - Data Privacy Process

This standard defines requirements for a systems/software engineering process for privacy-oriented considerations regarding products, services, and systems utilizing employee, customer or other external users' personal data. It extends across the life cycle from policy through development, quality assurance, and value realization. It includes a use case and data model (including metadata). It applies to organizations and projects that are developing and deploying products, systems, processes, and applications that involve personal information. By providing specific procedures, diagrams, and checklists, users of this standard will be able to perform a conformity assessment on their specific privacy practices. Privacy impact assessments (PIAs) are described as a tool both for identifying where privacy controls and measures are needed and for confirming they are in place.

Development Status: Under development

Prime number generation

This International Standard specifies methods for generating and testing prime numbers as required in cryptographic protocols and algorithms.
Firstly, this International Standard specifies methods for testing whether a given number is prime. The testing methods included in this International Standard can be divided into two groups:
• Probabilistic primality tests, which have a small error probability. All probabilistic tests described here may declare a composite to be a prime. One test described here may declare a prime to be composite.
• Deterministic methods, which are guaranteed to give the right verdict. These methods use so-called primality certificates.

ISO/IEC 18032:2005

Relationship with ISO 12100 — Part 4: Guidance to machinery manufacturers for consideration of related IT-security (cyber security) aspects.

This document gives machine manufacturers guidance on potential security aspects in relation to safety of machinery when putting a machine into service or placing it on the market for the first time. It provides essential information to identify and address IT-security threats which can influence the safety of machinery.

Source: https://www.iso.org/standard/73335.html

ISO/TR 22100-4:2018

Competence requirements for information security testers and evaluators — Part 3: Knowledge, skills and effectiveness requirements for ISO/IEC 15408 evaluators.

This document provides the specialized requirements to demonstrate competence of individuals in performing IT product security evaluations in accordance with ISO/IEC 15408 (all parts) and ISO/IEC 18045.
This document includes knowledge and skills especially in the following areas.

— Information security
Knowledge: Information security principles, information security properties, information security threats and vulnerabilities
Skills: Understand information security requirements, understand the context

— Information security evaluation
Knowledge: Knowledge of ISO/IEC 15408 (all parts) and ISO/IEC 18045, laboratory management system
Skills: Basic evaluation skills, core evaluation skills, skills required when evaluating specific security assurance classes, skills required when evaluating specific security functional requirements classes

— Information systems architecture
Knowledge: Technology being evaluated
Skills: Understand the interaction of security components and information

— Information security testing
Knowledge: Information security testing techniques, information security testing tools, product development lifecycle, test types
Skills: Create and manage an information security test plan, design information security tests, prepare and conduct information security tests

Source: https://www.iso.org/standard/71122.html

ISO/IEC 19896-3:2018

Information security controls for the energy utility industry

Effective information security in the process control domain of the energy utility sector can be achieved by establishing, implementing, monitoring, reviewing and, if necessary, improving the applicable measures set forth in this document, in order to attain the specific security and business objectives of the organization.
Ultimately, the overall success of the cybersecurity of energy industries is based on collaborative efforts by all stakeholders (vendors, suppliers, customers, etc.).
This document provides guidance based on ISO/IEC 27002:2013 applied to process control systems used by the energy utility industry for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes.
For example, this includes in particular the following:
- central and distributed process control, monitoring and automation technology as well as information systems used for their operation, such as programming and parameterization devices.
- all further supporting information systems used in the process control domain, e.g. for supplementary data visualization tasks and for controlling, monitoring, data archiving, historian logging, reporting and documentation purposes.

Source: https://www.iso.org/standard/68091.html

ISO/IEC 27019:2017

Vulnerability disclosure

In the contexts of information technology and cybersecurity, a vulnerability is a behaviour or set of conditions present in a system, product, component, or service that violates an implicit or explicit security policy.
Attackers exploit vulnerabilities to compromise confidentiality, integrity, availability, operation, or some other security property.
This document provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services. Vulnerability disclosure enables users to perform technical vulnerability management as specified in ISO/IEC 27002:2013, 12.6.1.
Vulnerability disclosure helps users protect their systems and data, prioritize defensive investments, and better assess risk. The goal of vulnerability disclosure is to reduce the risk associated with exploiting vulnerabilities. Coordinated vulnerability disclosure is especially important when multiple vendors are affected.

Source: https://www.iso.org/standard/72311.html

ISO/IEC 29147:2018

Security management systems for the supply chain - Guidelines for the implementation of ISO 28000 - Part 2: Guidelines for adopting ISO 28000 for use in medium and small seaport operations

This part of ISO 28004 identifies supply chain risk and threat scenarios, procedures for conducting risks/threat assessments, and evaluation criteria for measuring conformance and effectiveness of the documented security plans in accordance with ISO 28000 and the ISO 28004 series implementation guidelines. An output of this effort will be a level of confidence rating system based on the quality of the security management plans and procedures implemented by the seaport to safeguard the security and ensure continuity of operations of the supply chain cargo being processed by the seaport. The rating system will be used as a means of identifying a measurable level of confidence (on a scale of 1 to 5) that the seaport security operations are in conformance with ISO 28000 for protecting the integrity of the supply chain.

Source: https://www.iso.org/standard/60905.html

ISO 28004-2:2014

Cybersecurity and ISO and IEC Standards

This document provides guidance on how to leverage existing standards in a cybersecurity framework.
The concepts behind information security can be used to assess and manage cybersecurity risks. The key question is how to manage cybersecurity risk in a comprehensive and structured manner, and ensure that processes, governance and controls exist and are fit for purpose. This can be done through a management systems approach. An Information Security Management System (ISMS) as described in ISO/IEC 27001 is a well proven way for any organization to implement a risk-based approach to cybersecurity.

This document demonstrates how a cybersecurity framework can utilize current information security standards to achieve a well-controlled approach to cybersecurity management.

Source: https://www.iso.org/standard/72437.html

ISO/IEC TR 27103:2018

Application of risk management for IT-networks incorporating medical devices — Part 2-2: Guidance for the communication of medical device security needs, risks and controls

This part of IEC 80001 creates a framework for the disclosure of security-related capabilities and risks necessary for managing the risk in connecting medical devices to IT-networks and for the security dialog that surrounds the IEC 80001-1 risk management of IT-network connection. This security report presents an informative set of common, high-level security-related capabilities useful in understanding the user needs, the type of security controls to be considered and the risks that lead to the controls. Intended use and local factors determine which exact capabilities will be useful in the dialog about risk.

The capability descriptions in this report are intended to supply:
a) health delivery organizations (HDOs),
b) medical device manufacturers (MDMs), and
c) IT vendors

Source: https://www.iso.org/standard/57939.html

IEC 80001-2-2:2012