Andrew Reeves on 17 Jan 2020

A guide to Information Security Standards

A Guide to Information Security Standards 

The Information Security industry has created a confusing and large variety of Information Security Standards (Cyber Security Standards), frameworks and maturity models. By the end of this blog you should understand each of the major standards cover, how it came into existence and if it is relevant to your business. 

Satalyst’s experienced security team can help you on journey towards becoming certified and industry complaint.

Australian Government Information Security Manual (ISM):

Australian Signals Directorate produces the Australian Government Information Security Manual (ISM). This is a cyber security framework designed to comply with Australian legislation and was last updated in December 2019.  If you implement this framework in your organization, compliance certification can be done via the ASD Information Security Registered Assessors Program (IRAP).

The full standard is available here: https://www.cyber.gov.au/ism

If you work or want to work with Australian Government PROTECTED data, Implementing and certification to this standard is mandatory.  You are also required to comply with the Australian Attorney-Generals’ Protective Security Policy Framework (PSPF).

Attorney-Generals’ Protective Security Policy Framework (PSPF)

The Attorney-General’s Department maintains the PSPF and was last update in 2018 with the reissued Directive on the Security of Government Business.
The PSPF was developed specifically for the security and management of classified information. Certification is via the IRAP Assessment program and requires the implementation of the above ISM.

PSPF: https://www.protectivesecurity.gov.au/
IRAP Assessments: https://www.cyber.gov.au/irap/irap_assessments

Australian Government Department of Defence’s Defence Industry Security Program (DISP) 

The Department of Defence DISP is a mandatory industry program if your company wishes to work with sensitive or classified Defence information and assets, be involved in storing or transporting Defence weapons or provide security services for Defence bases or facilities. 

Membership requires companies to be certified to one of following standards:
UK Defence Standard 05-138
US NIST SP 800-171
ISO/IEC 27001:2013

Companies are also required to meet 4 of the ASD Essential 8, have a Chief Security Officer, at least 1 Security Officer and complete Foreign Ownership Control and Influence (FOCI) checks.
There are 4 levels of membership and anything above the baseline membership requires DOD training and possibly security clearances.

Once certified your company may be required to conform with the DOD Defence Security Principles Framework. This is a framework built for defence to comply with the above ISM and PSPF.  

DOD DISP: https://www.defence.gov.au/DSVS/Industry/
DOD DISP Cyber Security Requirements: https://www.defence.gov.au/dsvs/industry/DISP-cyber.asp
DOD DSPF: https://www.defence.gov.au/DSVS/dspf.asp 

UK Defence Standard 05-138 Issue 2.  

This standard was developed to protect the defence supply chain from cyber treats and is a requirement for UK Ministry of Defence suppliers and subcontractors. It was last updated in September 2017.  

Unless you are working specifically with the UK MoD, Try avoid having to certify to this standard.  

UK Defence Standard 05-138: https://www.gov.uk/government/publications/cyber-security-for-defence-suppliers-def-stan-05-138 

US NIST SP 800-171  

NIST SP 800-171 was first published in 2015 and has been updated several times since inception. It is a set of standards that govern the use of “Controlled Unclassified Information” in Non-Federal Information Systems. It’s worth noting that there is not an official auditing/assessment/compliance standard for NIST SP 800-171. 

This standard is a subset of the NIST SP 800-53 standards, Security and Privacy Controls for Federal Information Systems and Organizations. 

NIST SP 800-171 Rev. 1:

ISO/IEC 27001:2013  

ISO 27001 is probably the best known and most adopted security framework with an estimated 57,000 companies having officially adopted and been audited to the standard. Fully implementation of ISO 27001 demonstrates that a company has identified their security risks, put in place system controls to limit the damage and have a well-supported Information Security Management System (ISMS) in place. Certification to this standard can be provided by many accredited registrars with ISO having a formal Auditor training and certification process. 

There are many closely related ISO/IEC standards that complement and extend ISO 27001 such as ISO/IEC 27002, ISO/IEC 27005, ISO/IEC 21827. For most organisations, ISO 27001 is sufficient.

Unfortunately, the International Organization for Standardization do not publish their standards for free.
ISO 27001:2013: https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en 

ASD Essential 8

The Essential 8 Strategies to Mitigate Cyber Security Incidents is a simple list of security controls to prevent most cyber security incidents. Developed by the Australian Cyber Security Centre (Part of the Australian Signals Directorate), Australian organisations are advised to implement the mitigation strategies along with a more formal Information Security Management System. 
ASD Essential 8: https://www.cyber.gov.au/publications/essential-eight-explained

For West Australian Government agencies, the Office of Digital Government recommends a smaller subset of the Essential 8 as a minimum-security standard. 

Western Australia Office of Digital Government Security Posture framework  

The Security Posture framework outlines 5 security achievements that align to 6 of the ASD Essential 8 plus an extra security control for mitigating weak password-based attacks.  This standard is the minimum required by government agencies in Western Australia, however Satalyst recommends adhering to the full ASD Essential 8 + Password filtering wherever possible.  

PCI DSS 

If you process, store or transmit credit card data, you are required to meet and be audited to the Payment Card Industry Data Security Standard. It can be quite complicated to work out if you need to comply with PCI DSS or not but Satalyst’s experts can help you assess your obligations to PCI DSS and what level of compliance you must maintain.  

PCI DSS: https://www.pcisecuritystandards.org/pci_security/how 

 

Well done if you made it this far! I hope this blog has helped you understand Information Security Standards and where you want to head with your own certifications.

Interested in Satalyst’s Security offerings, have a look here.

If you want to have a chat about your specific needs and gain some advice on certifications, give us a call or fill the contact form below.   

Contact Us

 

Categories:
Tags: