Security Standards Overview

Complete guide to security standards: categories, key documents, sources, and certifications

Important

  • Listing “absolutely all” standards is not practical (there are thousands, including national, industry-specific, and specialized ones).

  • This list includes the most important and widely adopted.

  • Priority is given to fundamental and industry-specific standards.

  • Sources: official purchase/download locations are provided. ISO documents are paid (sold by national standards bodies); NIST publications, OWASP projects, IETF RFCs and the PCI SSC Document Library are free (PCI SSC requires accepting a license agreement before download). Unofficial copies may violate copyright.

  • Currency: standards are constantly updated. Always verify the latest version.


Security Standards Categories (Descriptions)

  • ISMS (Information Security Management Systems): Standards for building, implementing, maintaining, and improving an organization-wide ISMS.

  • General Security Frameworks: Approaches to managing cyber risks, not always certifiable.

  • Industry/Regulatory Standards: Mandatory or de facto mandatory for specific sectors (finance, healthcare, government).

  • Technical Security: Detailed specifications for protecting systems, networks, applications, and data.

  • Cloud Security: Standards for cloud computing.

  • Application Security: Standards and guidelines for secure development and testing.

  • Identity and Access Management (IAM): Principles and technical standards for access control.

  • Cryptographic Standards: Algorithms and encryption protocols.

  • Physical and Personnel Security: Protection of physical assets and consideration of human factors.

  • Business Continuity and Disaster Recovery (BC/DR): Ensuring operations continue after incidents.

  • Incident Management: Responding to security incidents.

  • IoT Security: Risks and protection measures specific to the Internet of Things.


Key Standards by Category

Priority 1 — Fundamental and Widely Applicable

ISMS:

  • ISO/IEC 27001 — international ISMS standard. Requirements for establishing, implementing, maintaining and continually improving an ISMS; the Annex A control list is summarized in the standard itself. Certifiable. Source: Paid (national standards bodies).

  • ISO/IEC 27002 — implementation guidance for the Annex A controls of ISO/IEC 27001. Not certifiable on its own. Source: Paid.

General Frameworks:

  • NIST Cybersecurity Framework (CSF) v1.1 / v2.0 (2024) — voluntary US framework, globally adopted. v1.1 has five functions (Identify, Protect, Detect, Respond, Recover); v2.0 adds a sixth, Govern, and is no longer scoped only to critical infrastructure. Source: Free (NIST CSF Website).

  • NIST SP 800-53 Rev. 5 — catalog of security and privacy controls. Used in US government and industry. Source: Free.

  • COBIT (Control Objectives for Information and Related Technologies) — IT governance and security framework (ISACA). Source: Paid (ISACA).


Priority 2 — Industry/Regulatory Standards

  • PCI DSS v4.0 / v4.0.1 (2024) — standard for organizations that store, process or transmit cardholder data. Contractually mandatory (enforced by the card brands and acquiring banks, not by law). Source: Free (PCI SSC Document Library, license agreement required); PCI SSC training and assessor programs are paid.

  • HIPAA Security Rule — US legal requirement for protecting ePHI. Source: Free (HHS).

  • SOC 2 — attestation report (not a certification) against the AICPA Trust Services Criteria, issued by a CPA firm; common for service providers (cloud, SaaS). Source: Paid (AICPA).

  • GDPR — EU regulation for personal data protection. Source: Free (EUR-Lex).

  • FSTEC Russia (Orders): mandatory requirements for information protection in Russia (e.g., Order No. 17 for state information systems, No. 21 for personal data systems, No. 31 for industrial control systems at critical facilities, No. 239 for significant critical information infrastructure objects). Source: Free (FSTEC Russia).


Priority 3 — Technical and Specialized Standards

Technical Security:

  • ISO/IEC 27033 (1–7): Network security.

  • ISO/IEC 27040: Storage security.

  • NIST SP 800-171 Rev. 3: Protecting CUI in non-federal systems (important for US contractors).

  • NIST FIPS 140-3: Cryptographic module requirements.

Cloud Security:

  • ISO/IEC 27017: Security controls for cloud services.

  • ISO/IEC 27018: PII protection in public clouds.

  • CSA CCM (Cloud Controls Matrix): Cloud security control framework; basis for CSA STAR.

  • NIST SP 800-144: Public cloud security guidelines.

Application Security:

  • OWASP Top 10: Ten most critical web application security risks (an awareness document, not a requirements standard; use ASVS for requirements).

  • OWASP ASVS: Application security requirements.

  • OWASP SAMM: Software Assurance Maturity Model (secure SDLC integration).

  • NIST SSDF: Secure Software Development Framework.

IAM:

  • NIST SP 800-63 Rev. 3: Digital identity guidelines; -63A covers identity proofing (IAL), -63B authentication (AAL), -63C federation (FAL). Rev. 4 is the successor; check which revision applies to you.

  • ISO/IEC 29115: Entity authentication assurance framework.

Cryptography:

  • NIST FIPS 180-4 (Secure Hash Standard: SHA-1, SHA-2), FIPS 202 (SHA-3), FIPS 186-5 (Digital Signature Standard: ECDSA, EdDSA; DSA no longer approved for new signatures), FIPS 197 (AES), FIPS 198-1 (HMAC).

  • IETF RFCs: Protocols (TLS 1.2 RFC 5246, TLS 1.3 RFC 8446, IPsec RFC 4301, OAuth 2.0 RFC 6749).
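Each of the FIPS documents above ships with known-answer test vectors, and checking a library against them is the first thing a practitioner does when a build, FIPS module or vendored crypto dependency changes. The program below is an added example written for this page, not code from any of the standards or from a NIST tool. It runs three published vectors through Go's standard library: NIST's SHA-256 example message "abc" (FIPS 180-4 hash family), RFC 4231 test case 1 for HMAC-SHA-256 (FIPS 198-1), and FIPS 197 Appendix C.1 for AES-128. The function names are assumptions for illustration; the expected hex values are copied from the documents.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// kat is one known-answer test: a label, the expected output as printed in
// the standard (hex), and a closure that computes the value under test.
type kat struct {
	name   string
	expect string
	got    func() []byte
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// sha256Digest: SHA-256 as specified in FIPS 180-4.
func sha256Digest(msg []byte) []byte {
	d := sha256.Sum256(msg)
	return d[:]
}

// hmacSHA256: HMAC (FIPS 198-1) keyed over SHA-256.
func hmacSHA256(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// aesEncryptBlock: raw AES block encryption (FIPS 197). A single block with
// no mode is exactly what the Appendix C vectors exercise.
func aesEncryptBlock(key, block []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, block)
	return out
}

// knownAnswerTests lists the published vectors (values copied from the cited documents).
func knownAnswerTests() []kat {
	return []kat{
		{"SHA-256(\"abc\") (NIST SHA-256 example, FIPS 180-4 family)",
			"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
			func() []byte { return sha256Digest([]byte("abc")) }},
		{"HMAC-SHA-256, RFC 4231 test case 1 (FIPS 198-1)",
			"b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7",
			func() []byte {
				return hmacSHA256(bytes.Repeat([]byte{0x0b}, 20), []byte("Hi There"))
			}},
		{"AES-128 single block, FIPS 197 Appendix C.1",
			"69c4e0d86a7b0430d8cdb78070b4c55a",
			func() []byte {
				return aesEncryptBlock(mustHex("000102030405060708090a0b0c0d0e0f"),
					mustHex("00112233445566778899aabbccddeeff"))
			}},
	}
}

// RunKATs returns the names of the vectors that did not match. The
// comparison uses hmac.Equal (constant time): the same habit must be kept
// for real MAC/tag checks, where bytes.Equal would leak timing.
func RunKATs() []string {
	var failed []string
	for _, t := range knownAnswerTests() {
		if !hmac.Equal(t.got(), mustHex(t.expect)) {
			failed = append(failed, t.name)
		}
	}
	return failed
}

func main() {
	if f := RunKATs(); len(f) > 0 {
		fmt.Println("FAILED:", f)
		return
	}
	fmt.Println("all known-answer tests passed")
}
```

Wire RunKATs into a startup self-test or CI job; a non-empty result means the crypto in the binary is not the crypto the standard describes, which is worth a build failure regardless of whether formal FIPS validation is a goal.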

Physical Security:

  • ISO/IEC 27001: Includes physical and environmental controls (Annex A.11 in the 2013 edition; Annex A.7 "Physical controls" in the 2022 edition). ISO 22301 (business continuity) is listed under BC/DR below.

BC/DR:

  • ISO 22301: Business continuity planning.

  • NIST SP 800-34 Rev. 1: IT disaster recovery planning.

Incident Management:

  • ISO/IEC 27035: Information security incident management.

  • NIST SP 800-61 Rev. 2: Computer security incident handling (superseded in 2025 by Rev. 3, which aligns incident response with CSF 2.0).

IoT Security:

  • NIST IR 8259: Foundational IoT cybersecurity guidance.

  • ETSI EN 303 645: Cybersecurity standard for consumer IoT.


Key Professional Certifications

General/Management:

  • CISSP — gold standard for security managers/architects ((ISC)²).

  • CISM — focuses on risk and security program management (ISACA).

  • ISO 27001 Lead Auditor/Implementer — ISO 27001 auditors/implementers.

Technical:

  • CompTIA Security+ — foundational technical certification.

  • CEH — ethical hacking and penetration testing (EC-Council).

  • OSCP — hands-on penetration testing (OffSec; 24-hour practical exam plus report).

  • CCSP — cloud security ((ISC)²).

Audit:

  • CISA — leading IT/security audit certification (ISACA).

Specialized:

  • PCIP / PCI ISA — PCI DSS-focused (PCI SSC).

  • CHSP — HIPAA Security Rule specialization.


Critical Considerations

  • Combinations: Organizations rarely use a single standard. Typically ISO 27001 + NIST CSF + industry (PCI DSS, HIPAA) + technical (NIST SP 800-53, OWASP).

  • National Standards: Each country has its own (e.g., FSTEC in Russia, BSI in Germany).

  • Currency: Always verify the latest version.

  • Accessibility: ISO standards are paid; NIST, OWASP, RFCs and the PCI SSC Document Library (PCI DSS itself) are free.

  • Where to Start: ISO 27001/27002 + NIST CSF + NIST SP 800-53 first. Then add industry (PCI DSS, HIPAA) and domain-specific (OWASP, cryptography).
