non-expert
Newcomer II

What ISO standard or NIST SP do you consider "must-have"?

I ask this under the context of professional development and not necessarily a compliance/regulatory perspective.

 

What particular ISO standard, NIST SP, or anything similar would you as a professional consider a baseline for "must-have" knowledge regardless if you were just starting out or a senior-level person?

 

While I find it unlikely most people (as individuals) would be willing to dish out cash for all the numerous (albeit useful) standards and the like, I'm curious if there's something out there most people consider equivalent to the ten commandments but for cyber/infosec.

4 Replies
AppDefects
Community Champion

Think about control frameworks and control taxonomies. Then about applying technical controls. ISO/IEC is less prescriptive than NIST.

 

1) ISO/IEC 27001:2013

2) NIST SP 800-53 (rev 5 draft) along with 53A and 53B (draft)

3) NIST SP 800-160 (volume 1 and volume 2)

4) NIST SP 800-37, rev 2

Caute_cautim
Community Champion

@AppDefects I agree, but with the creation of ISO/IEC 27701 as an extension to 27001, then at least these two by default.

 

"ISO/IEC 27701* is a privacy extension to ISO/IEC 27001 Information Security Management and ISO/IEC 27002 Security Controls. An international management system standard, it provides guidance on the protection of privacy, including how organizations should manage personal information, and assists in demonstrating compliance with privacy regulations around the world."

 

Regards

 

Caute_cautim

Steve-Wilme
Advocate II

Of the 27K series, 27001, 27002, 27005 and 27035 are all worth reading.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
CraginS
Defender I


@non-expert wrote:

....

What particular ISO standard, NIST SP, or anything similar would you as a professional consider a baseline for "must-have" knowledge regardless if you were just starting out or a senior-level person?

...


Bryan,

Lurking in all of the replies so far is the kernel to understand: both sets of standards, from ISO/IEC and NIST, are based on families of standards, not stand-alone publications. If you choose to follow the NIST SPs you must become familiar with the entire set of Risk Management Framework (RMF) SPs, including SP 800-37, -53A, -160, and others. If you choose to follow the ISO/IEC standards, reading 27001 will show you that you need to accumulate the full set of standards under that umbrella.

 

You mentioned cost. All of the NIST publications are completely free, while the ISO/IEC standards are a mix of free and very costly. The copyright restrictions on the ISO/IEC standards are such that for the ones with a price, that buys you ONLY ONE COPY, and disallows sharing digital copies, even within your organization.

 

Good luck! And you asked a great question. Thank you.

 

Craig

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com