Important Security Standards
NIST SP 800-53
Publisher: National Institute of Standards and Technology
Purpose: A catalog and standard of security and privacy controls for federal systems
Details: This standard was written for government agencies and contractors that handle sensitive or classified information. It defines hundreds of controls (around 900) spanning areas such as access control, auditing, configuration management and incident response. Although this is a U.S. government standard, it is also used by private-sector organizations, more as a framework than a mandate, because of its rigorous guidelines for improving security.
ISO/IEC 27001
Publisher: International Organization for Standardization (ISO)
Purpose: Establishes the standard requirements for an information security management system (ISMS)
Details: ISO/IEC 27001 is an international standard focused on a top-down, risk-based approach that involves leadership commitment and continuous improvement. ISO 27001 is a popular choice for organizations that need to demonstrate trustworthiness on a global scale or in specific regulated markets. While ISO/IEC 27001 is technically a standard against which an organization can be certified by a third-party auditor, it is frequently referred to and used as a framework by companies that want to implement its controls and guidelines without an audit or certification.
PCI DSS (Payment Card Industry Data Security Standard)
Publisher: PCI Security Standards Council
Purpose: Protect credit cardholder data and reduce credit card fraud
Details: The PCI DSS is published and maintained by the PCI Security Standards Council, which is made up of major credit card companies such as Mastercard and Visa. Companies that process and/or store credit card data are required to comply with this standard. The standard outlines 12 specific requirements that organizations must have in place. Examples include strong access controls, monitoring and testing of networks, tools such as firewalls, encryption and EDR, and a detailed information security policy.
SOC 2 (System and Organization Controls)
Publisher: AICPA (American Institute of Certified Public Accountants)
Purpose: Evaluate security controls related to the trust services criteria
Details: SOC 2 is an auditing standard that focuses on how service providers manage data, based on the five trust services criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 is unique in that it is not a standard that comes with a certification. Instead, a SOC 2 audit is performed by an independent third-party auditor and results in a SOC 2 report. This report can then be presented to clients to help them evaluate an organization's security and reliability as a vendor.