Some of the standards, frameworks and guidelines that auditors use in security audits include:

    • ISO 27001/27002 standards
    • Control Objectives for Information and Related Technology (COBIT) framework
    • ISACA’s IT Assurance Framework (ITAF)
    • IT Audit and Assurance Guidelines
    • SysTrust and WebTrust frameworks

Leading cybersecurity standards and best practices include:

The International Organization for Standardization (ISO), the information security series, http://www.iso.org/iso/home/search.htm?qt=information+security&published=on&active_tab=standards&sort_by=rel (also available from ANSI at http://www.ansi.org)

The American National Standards Institute (ANSI)—the U.S. member body to ISO. Copies of all ISO standards can be purchased from ANSI at http://webstore.ansi.org/

National Institute of Standards and Technology (NIST) Special Publication 800 (SP-800) series and Federal Information Processing Standards (FIPS), http://csrc.nist.gov/publications/index.html or http://csrc.nist.gov/publications/PubsFL.html

Information Technology Infrastructure Library (ITIL), http://www.itlibrary.org/

International Society of Automation (ISA), https://www.isa.org/templates/two-column.aspx?pageid=131422

Information Systems Audit and Control Association (ISACA), the Control Objectives for Information and Related Technology (COBIT), http://www.isaca.org/cobit/pages/default.aspx

Payment Card Industry Security Standards Council (PCI SSC), https://www.pcisecuritystandards.org/

Information Security Forum (ISF) Standard of Good Practice for Information Security, https://www.securityforum.org/shop/p-71-173

Carnegie Mellon University’s Software Engineering Institute, Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), http://www.cert.org/resilience/products-services/octave/

Health Insurance Portability and Accountability Act (HIPAA) regulations for security programs, http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP), http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx

U.S. Nuclear Regulatory Commission, Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities, https://scp.nrc.gov/slo/regguide571.pdf
