It is not intended to be all inclusive, but rather, representative of the most useful standards for designing, implementing, and maintaining a cybersecurity programme.
For additional information on each of these standards, as well as references to other standards not listed here, please visit the following sites:
International Telecommunication Union (ITU) provides a comprehensive database of approved standards from ISO, IEEE, and several others at www.itu.int/ITUT/studygroups/com17/ict/part02.html.
The National Institute of Standards and Technology (NIST) provides access to its free standards at http://ts.nist.gov/Standards/ssd.cfm. Note that NIST security standards are all published under NIST SP 800-XX.
The American National Standards Institute (ANSI) has a standards store at http://webstore.ansi.org/ for standards from multiple sources.
The Information Systems Audit and Control Association (ISACA) provides several free downloads of standards information related to COBIT at www.isaca.org/template.cfm?section=home.
ISO/IEC27000, Information Security Management Systems – Fundamentals and vocabulary (See also ISO/IEC17799)
ISO/IEC27001, Information Security Management Systems – Requirements
Most of the NIST Special Publications are focused on programme execution, rather than governance.
COBIT, Control Objectives for Information and Related Technologies
ITGI, Information Security Governance: Guidance for Boards of Directors and Executive Management
Committee of Sponsoring Organizations of the Treadway Commission (COSO), located at www.coso.org/
ISO/IEC27002, Code of Practice for Information Security Management
ISO/IEC27003, Information Technology – Security Techniques – Information Security Management System Implementation Guidance
NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment Control Process
NIST SP 800-55, Security Metrics Guide for Information Technology Systems
NIST SP 800-53, Recommended Security Controls for Federal Information Systems
NIST SP 800-39 (Draft), Managing Risk from Information Systems: An Organizational Perspective
ITIL, Information Technology Infrastructure Library
Information Security Forum, Standard of Good Practice for Information Security, located at www.isfsecuritystandard.com
ISO/IEC13335, Parts 1-5, Guidelines for the Management of IT Security
ISO/IEC27004, Information Security Management Measurements
ISO/IEC27005, Management of Information and Communications Technology Security (MICTS) Part 2: Techniques for information and communications technology security risk management
ISO/IEC12207, Information Technology – Software Life Cycle Processes
ISO/IEC15288, Systems Engineering – System Life Cycle Processes
NIST SP 800-100, Information Security Handbook: A Guide for Managers
NIST SP 800-80 (Draft), Guide for Developing Performance Metrics for Information Security
NIST SP 800-64, Security Considerations in the Information System Development Life Cycle
NIST SP 800-61, Computer Security Incident Handling Guide
NIST SP 800-53A (Draft), Guide for Assessing the Security Controls in Federal Information Systems
NIST SP 800-50, Building an Information Technology Security Training and Awareness Program
NIST SP 800-34, Contingency Planning for Information Technology Systems
Generally Accepted Information Security Principles (GAISP)
CMU-SEI, Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
ISO/IEC15408, Parts 1-3, Evaluation Criteria for IT Security (Common Criteria)
NIST SP 800-42, Guideline on Network Security Testing
NIST SP 800-42, Creating a Patch and Vulnerability Management Program
NIST SP 800-33, Underlying Technical Models for Information Technology Security
NIST SP 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
Center for Internet Security (CIS) Benchmark/Scoring Tools
US Department of Homeland Security (DHS) Information Security Automation Program (ISAP) and the Security Content Automation Program (SCAP), http://nvd.nist.gov/nvd.cfm
Vigilant Software Ltd, www.vigilantsoftware.co.uk, for ISO27001 information security risk assessment tools