Here’s the updated table that includes a new column specifying the relation of each standard to Certified Ethical Hacking (CEH), programming, or web development:
Standard | Title | Description | Use Cases | Used in Popular Tools | Related to CEH/Programming/Web |
---|---|---|---|---|---|
ISO/IEC 27001 | Information Security Management Systems (ISMS*) | Specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS. | Establishing a comprehensive ISMS framework | Splunk, Tenable, Qualys | CEH, Programming |
ISO/IEC 27002 | Code of Practice for Information Security Controls | Provides guidelines for organizational information security standards and practices. | Developing security policies and procedures | NIST Cybersecurity Framework, ISACA | CEH |
ISO/IEC 27005 | Information Security Risk Management | Offers guidelines for information security risk management in an organization. | Risk assessments and management processes | RiskWatch, LEGATO | CEH |
ISO/IEC 27017 | Guidelines for Information Security Controls for Cloud Services | Provides guidelines for information security controls applicable to the use of cloud services. | Securing cloud services and data | Microsoft Azure, AWS Security Hub | Web |
ISO/IEC 27018 | Protection of Personal Data in the Cloud | Focuses on protection of personally identifiable information (PII) in public cloud computing environments. | GDPR compliance, cloud data protection | AWS (with Compliance tools), Google Cloud | Web |
ISO/IEC 27032 | Guidelines for Cybersecurity | Addresses the cybersecurity aspects associated with the protection and availability of information. | General cybersecurity frameworks | Fortinet, Cisco Security | CEH |
ISO/IEC 27035 | Incident Management | Provides a framework for incident management/control to minimize impact on business operations. | Incident response planning | ServiceNow, IBM QRadar | CEH |
ISO/IEC 27036 | Information Security for Supplier Relationships | Focuses on security in the context of supplier relationships and the management of third-party risks. | Vendor security assessments | Archer, GRC tools | CEH |
ISO/IEC 27037 | Guidelines for Identification, Collection, and Preservation of Digital Evidence | Provides guidelines on how to manage digital evidence in a forensically sound manner. | Digital forensics investigations | EnCase, FTK | CEH |
ISO/IEC 29100 | Privacy Framework | Provides a privacy framework to help organizations manage personal privacy requirements. | Compliance with privacy regulations | OneTrust, TrustArc | Programming, Web |
ISO/IEC 29101 | Privacy Architecture Framework | Sets out architectural principles to protect privacy of individuals and contexts in organizations. | Designing privacy-aware systems | SAS, IBM InfoSphere | Programming, Web |
ISO/IEC 29134 | Privacy Impact Assessment | Guidelines for conducting privacy impact assessments (PIAs) to manage risks related to personal data. | Assessing data processing impacts | Privacy Impact Assessment Tools | Programming |
ISMS stands for Information Security Management System, a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes, and IT systems by applying a risk management process: conducting risk assessments, defining security controls, and ensuring ongoing compliance through regular audits and reviews.
An Information Security Management System (ISMS) is critical for managing the security of sensitive information, ensuring systematic and consistent data protection.
ISO 27001 is focused on establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Its key requirements include the following components:
Key Components of ISMS
Table: ISMS Components
Component | Description |
---|---|
Risk Assessment | Identify and assess information security risks to determine appropriate controls. |
Statement of Applicability (SoA) | Document all applicable controls and outline how they are implemented. The organization must create an SoA that details which controls from Annex A of ISO 27001 are applicable and how each is implemented. |
Continuous Improvement | Regular reviews, audits, and updates to enhance the ISMS based on new risks and technological developments. |
Documentation | Maintain comprehensive documentation of security policies, procedures, and control measures for compliance and ease of audits. |
Example of a Risk Assessment Process:
- Identify Assets: Catalog all information assets (data, systems, etc.).
- Identify Threats and Vulnerabilities: Assess potential threats and existing vulnerabilities.
- Assess Risks: Rate the likelihood and impact of each identified risk to prioritize treatment.
- Implement Controls: Apply the security controls selected during the risk assessment to mitigate the prioritized risks.
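The four steps above, together with the Statement of Applicability component from the table, as an added illustration that is not part of the original text: a small Python risk register that scores each risk as likelihood × impact, ranks the risks against an acceptance threshold, and derives which controls are applicable with a justification for each. The 1-5 scoring scale, the thresholds, the sample assets and the control names are all constructed assumptions, not official ISO/IEC 27001 Annex A identifiers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int       # 1 (negligible) .. 5 (severe), constructed scale
    controls: tuple   # treatment controls; constructed labels, not Annex A identifiers

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def risk_level(score: int) -> str:
    # Constructed thresholds; each organization defines its own risk-acceptance criteria.
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"

# Steps 1 and 2: catalogue assets and the threat/vulnerability pairs that apply (constructed sample data).
RISK_REGISTER = [
    Risk("Customer database", "Data theft", "Unpatched DB server", 4, 5,
         ("Vulnerability management", "Encryption at rest")),
    Risk("Laptop fleet", "Device loss", "No full-disk encryption", 3, 4,
         ("Encryption at rest", "Asset inventory")),
    Risk("Public website", "Defacement", "Weak admin password", 2, 3,
         ("Access control", "Backups")),
    Risk("Office printer", "Misuse", "Default configuration", 1, 2, ("Asset inventory",)),
]
CONTROL_CATALOGUE = ["Vulnerability management", "Encryption at rest",
                     "Asset inventory", "Access control", "Backups"]

def assess(register, acceptance_threshold=8):
    """Step 3: score and rank risks; a risk below the acceptance threshold is accepted untreated."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    return [(r.asset, r.score, risk_level(r.score), r.score >= acceptance_threshold) for r in ranked]

def statement_of_applicability(register, catalogue, acceptance_threshold=8):
    """Step 4: a control is applicable when a risk needing treatment selects it; others are excluded with a reason."""
    soa = {}
    for control in catalogue:
        needed_by = [r.asset for r in register
                     if r.score >= acceptance_threshold and control in r.controls]
        soa[control] = {"applicable": bool(needed_by),
                        "justification": ", ".join(needed_by) or "no risk above the acceptance threshold requires it"}
    return soa
```

Running `assess(RISK_REGISTER)` ranks the customer database risk first (score 20, High) and marks the website and printer risks as accepted; the SoA then lists "Access control" and "Backups" as not applicable because no treated risk selects them.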
Summary
This updated table not only details the purposes and applications of various ISO cybersecurity standards but also highlights their relevance to ethical hacking, programming, and web development. This information can help professionals understand which standards might apply specifically to their roles and responsibilities in cybersecurity.