Some of the standards, frameworks and guidelines that auditors use in security audits include:

    • ISO 27001/27002 standards
    • Control Objectives for Information and Related Technology (COBIT) framework
    • ISACA’s IT Assurance Framework (ITAF)
    • IT Audit and Assurance Guidelines
    • SysTrust and WebTrust frameworks

Leading cybersecurity standards and best practices include:

    • The International Organization for Standardization (ISO), the information security series, (also available from ANSI at
    • The American National Standards Institute (ANSI)—the U.S. member body to ISO. Copies of all ISO standards can be purchased from ANSI at
    • National Institute of Standards and Technology (NIST) Special Publication 800 (SP-800) series and Federal Information Processing Standards (FIPS), publications/index.html or
    • Information Technology Infrastructure Library (ITIL)
    • International Society of Automation (ISA)
    • Information Systems Audit and Control Association (ISACA), the Control Objectives for Information and Related Technology (COBIT)
    • Payment Card Industry Security Standards Council (PCI SSC)
    • Information Security Forum (ISF) Standard of Good Practice for Information Security
    • Carnegie Mellon University’s Software Engineering Institute, Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
    • Health Insurance Portability and Accountability Act (HIPAA) regulations for security programs
    • North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP)
    • U.S. Nuclear Regulatory Commission, Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities
