Some of the standards, frameworks and guidelines that auditors use in security audits include:
- ISO 27001/27002 standards
- Control Objectives for Information and Technology (COBIT) framework
- ISACA’s IT Assurance Framework (ITAF)
- IT Audit and Assurance Guidelines
- SysTrust and WebTrust frameworks
Leading cybersecurity standards and best practices include:
- The International Organization for Standardization (ISO), the information security series, http://www.iso.org/iso/home/search.htm?qt=information+security&published=on&active_tab=standards&sort_by=rel (also available from ANSI at http://www.ansi.org)
- The American National Standards Institute (ANSI), the U.S. member body to ISO. Copies of all ISO standards can be purchased from ANSI at http://webstore.ansi.org/
- National Institute of Standards and Technology (NIST) Special Publication 800 (SP-800) series and Federal Information Processing Standards (FIPS), http://csrc.nist.gov/publications/index.html or http://csrc.nist.gov/publications/PubsFL.html
- Information Technology Infrastructure Library (ITIL), http://www.itlibrary.org/
- International Society of Automation (ISA), https://www.isa.org/templates/two-column.aspx?pageid=131422
- Information Systems Audit and Control Association (ISACA), the Control Objectives for Information and Related Technology (COBIT), http://www.isaca.org/cobit/pages/default.aspx
- Payment Card Industry Security Standards Council (PCI SSC), https://www.pcisecuritystandards.org/
- Information Security Forum (ISF) Standard of Good Practice for Information Security, https://www.securityforum.org/shop/p-71-173
- Carnegie Mellon University’s Software Engineering Institute, Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), http://www.cert.org/resilience/products-services/octave/
- Health Insurance Portability and Accountability Act (HIPAA) regulations for security programs, http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html
- North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP), http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
- U.S. Nuclear Regulatory Commission, Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities, https://scp.nrc.gov/slo/regguide571.pdf