Standards for IT and cyber security

There is a wide selection of British and International Standards that UK SMEs (ie small and medium-sized enterprises) can work with to better protect themselves from IT and cyber security-related risks. There are also Publicly Available Specifications (PAS), which are sponsored fast-track standards driven by the needs of client organizations and developed according to guidelines set out by BSI. BSI also publishes a wide range of books for SMEs explaining standards and their benefits.

Please access the below sections by using the following list:

BSI Standards on IT and Cyber Security


Standard number/name Description/Benefits

BS 10012:2009, Specification for a personal information management system

This standards provides a framework for maintaining and improving compliance with data protection legislation and good practice. It has been developed to help businesses to establish and maintain a best practice personal information management system that complies with the Data Protection Act 1998.

BS ISO/IEC 18043:2006, Selection, deployment and operation of intrusion detection systems This standard provides guidelines to assist organizations in selecting, deploying and operating intrusion detection systems (IDS). It also provides background information about IDS technologies. 
BS ISO 22301:2012, Business continuity management systems requirements This standard specifies the requirements for setting up and managing an effective business continuity management system for any business, regardless of type or size. 
BS ISO 22313:2012, Business continuity management systems guidance This standard is the guidance document for BS ISO 22301. It provides a more intuitive framework for those pursuing business continuity best practice.
BS ISO/IEC 27000:2014, Information security management systems – Overview and vocabulary This standard provides an overview of information security management systems and the various International Standards that are available as part of the ISO/IEC 27000 series. It also defines a common vocabulary of terms and definitions used throughout those standards.
BS ISO/IEC 27001:2013, Information security management systems – Requirements This standard is the latest version of the world’s leading standard for information security management. It provides requirements for establishing, implementing, maintaining and continually improving an information security management system. It is intended to be applicable to businesses of all sizes and types.

The standard follows the “common high-level structure and identical common text” being adopted by all major management system standards. Annex A of BS ISO/IEC 27001:2013 contains information security control objectives and controls derived from those listed in BS ISO/IEC 27002:2013, Code of practice for information security controls. However, BS ISO/IEC 27001 can be used independently.

ISO/IEC 27001 is used worldwide as a yardstick to indicate effective information security management. It is the only generally recognized certification standard for information and cyber security.

BS ISO/IEC 27002:2013, Code of practice for information security controls  This standard is the latest version of the world’s leading standard for the specification of information security controls. It is designed for use as a reference when selecting controls while implementing an information security management system based on ISO/IEC 27001. However, it can be used for guidance when looking for information on commonly accepted information security controls. It can also be used as a control source when developing industry or organization-specific information security management guidelines.

Although strongly associated with BS ISO/IEC 27001, Information security management systems – Requirements, BS ISO/IEC 27002 can be used independently. It provides a catalogue of possible information security controls that can be used for benchmarking, as requirement specifications, or part of other forms of security management system.

For every suggested control, BS ISO/IEC 27002 provides implementation guidance and other relevant information, including where appropriate references to other International Standards containing further detail.

BS ISO/IEC 27003:2010, Information security management system implementation guidance This standard gives core recommendations for the design of an Information Security Management System (ISMS) in line with ISO/IEC 27001. It provides clear instructions for planning an ISMS project in businesses of all sizes across all sectors. The current version of ISO/IEC 27003 is aligned to the 2005 edition of ISO/IEC 27001. It is currently being updated to align with the new 2013 edition.
BS ISO/IEC 27004:2009, Information security management measurements This standard provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS). It is designed to be applicable to all types and sizes of organization. The current version of ISO/IEC 27003 is aligned to the 2005 edition of ISO/IEC 27001. It is currently being updated to align with the new 2013 edition.
BS ISO/IEC 27005:2011, Information security risk management This standard provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to help implement information security based on a risk management approach. A new version is under development that will support the 2013 version of BS ISO/IEC 27001. However, Annex E of the 2011 edition, which describes risk assessment approaches, is already aligned to the 2013 edition of 27001.
BS ISO/IEC 27006:2011, Requirements for bodies providing audit and certification of information security management systems This standard specifies requirements and provides guidance for certification bodies providing information security management system (ISMS) audit and certification services. For their certificates to be internationally recognised, certification bodies need to be accredited as complying with ISO/IEC 17021-1. This International Standard sets out the additional requirements and guidance needed for them to offer ISO/IEC 27001 certification. The current version of ISO/IEC 27006 is aligned to the 2005 edition of ISO/IEC 27001. It is currently being updated to align with the new 2013 edition.

BS ISO/IEC 27007:2011, Guidelines for information security management systems auditing

This standard provides guidance on managing an information security management system (ISMS) audit programme, on conducting ISMS audits, and on the competences required of ISMS auditors. It builds upon the general management system auditing guidance contained in ISO 19011.
PD ISO/IEC TR 27008:2011, Guidelines for auditors on information security controls  This standard provides guidance for auditors on reviewing the implementation and operation of security controls, such as those defined in ISO/IEC 27002. It does not provide guidance on auditing the management systems aspects of information security.
BS ISO/IEC 27031:2011, Guidelines for information and communication technology readiness for business continuity This standard gives best-practice guidelines to prepare information and communication technology systems to meet business continuity requirements and provides a framework of methods and processes to assess and improve that capability.
BS ISO/IEC 27032:2012, Guidelines for cybersecurity This standards is an International Standard that provides guidance for improving cyber security, in particular it provides technical guidance for addressing common cyber security risks. The standard contains guidance targeted at different cyber security stakeholders, including consumers, service providers and risk managers. It also identifies different forms of cyber security threats. However, it does not address cyber issues unrelated to internet use. 
BS ISO/IEC 27033-1:2009, Network security - Part 1: Overview and concepts This standard provides significant detail about most network security issues and answers questions most small-business owners and managers are likely to have about network security strategy and technologies.
BS ISO/IEC 27033-2:2012, Network security - Part 2: Guidelines for the design and implementation of network security This standard ably identifies network security requirements. It also includes a documentation template as an annex, which provides a checklist for ensuring that network design covers everything it needs to. It contains very little on designing and implementing networks and thus is more suitable for those people who manage network design and procurement rather than actual network designers.
BS ISO/IEC 27033-3:2010, Network security - Part 3: Reference networking scenarios. Threats, design techniques and control issues This standard is the member of the 27033 series of standards that deals with secure network design. It describes numerous user scenarios where networks are employed and then identifies the threats, design techniques and control issues associated with each.
BS ISO/IEC 27033-4:2014, Information technology. Security techniques. Network security. Securing communications between networks using security gateways This part of ISO/IEC 27033 gives detailed technical guidance for securing communications between networks using security gateways. It describes different types of firewalls and other gateway security devices such as routers and Intrusion Protection Systems.
BS ISO/IEC 27033-5:2013, Information technology. Security techniques. Network security. Securing communications across networks using Virtual Private Networks (VPNs) This part of ISO/IEC 27033 gives detailed technical guidance for securing network interconnections and connecting remote users to networks by use of Virtual Private Networks.
BS ISO/IEC 27035:2011, Information security incident management This standard describes a structured and planned approach to handling information security incidents. Although targeted at larger organizations, it can be used by SMEs to extract a more basic set of documents and procedures suitable for their needs. BS ISO/IEC 27035 was previously published as PD ISO/IEC TR 18044:2004 and is currently being revised. The new version will be a multi-part standard, with separate parts for different aspects of incident management.
BS ISO/IEC 27036-1:2014, Information technology. Security techniques. Information security for supplier relationships. Overview and concepts This part of ISO/IEC 27036 describes the key concepts in securing supplier relationships from the viewpoints of both acquirers and suppliers. It also provides an introduction to the other parts of ISO/IEC 27036. Please note that 27036-2 (fundamental requirements) will be available shortly, and 27036-4 (supplier relationships in the cloud) is still under development.
BS ISO/IEC 27036-3:2013, Information technology. Security techniques. Information security for supplier relationships. Guidelines for information and communication technology supply chain security This part of ISO/IEC 27036 provides guidance on managing the information security risks caused by physically dispersed and multi-layered ICT supply chains; responding to the information security risks from global ICT supply chains; and integrating processes and practices to support information security controls into wider system and software lifecycle processes.
BS ISO/IEC 27037:2012, Guidelines for identification, collection, acquisition, and preservation of digital evidence This standard provides guidelines for handling digital evidence. It applies to all forms of digital device, not just computers. As well as general principles that are primarily of interest to courts and judges, it contains extremely practical advice such as when to use sticky tape to stop machines being accidentally rebooted.
BS ISO 28000:2007, Specification for security management systems for the supply chain This standard addresses the management of activities that affect supply chain security in a way that is consistent with other management system standards. BS ISO/IEC 28000 is supported by other International Standards in the 28000 series that define how organizations can be audited and certified against ISO/IEC 28000.

Publicly Available Specifications for IT and Cyber Security


Standard number/name Description/Benefits
PAS 555:2013, Cyber security risk - Governance and management - Specification This PAS details a framework for the governance and management of cyber security risk. The requirements of this PAS (publicly available specification) define the outcomes of effective cyber security and include technical, physical, cultural and behavioural measures, alongside effective leadership and governance. It is designed to be scalable and so is suitable for businesses of all sizes.

BSI Books on IT and Cyber Security


Title Description
Guidelines on Requirements and Preparation for ISMS Certification based on ISO/IEC 27001 Second Edition (BIP 0071) This book provides guidance on the requirements specified in the ISMS standard ISO/IEC 27001:2013 and best practice described in ISO/IEC 27002:2013 to support the appropriate use of these standards. It gives guidance on the complete “life cycle” of ISMS (information security management system) processes and activities required to establish, implement, monitor and continually improve a set of management controls and processes to achieve effective information security.
Are you ready for an ISMS Audit based on ISO/IEC 27001? Second Edition (BIP 0072) This book provides user guidance on getting ready and prepared for a ISMS certification audit based on ISO/IEC 27001:2013. It is essential reading for those organizations that are about embark on third party certification.
Guide to the Implementation and Auditing of ISMS Controls based on ISO/IEC 27001 Second Edition (BIP 0073) This book provides guidance on the implementation of ISMS control requirements for auditing existing control implementations, to help organizations preparing for certification in accordance with requirements specified in ISO/IEC 27001:2013. It provides guidance on the implementation, checking and auditing of controls.
Information Security Risk Management (BIP 0076) ISO/IEC 27005 is an ISMS risk management standard that supports the implementation of ISO/IEC 27001. This book is a practical handbook for the use and application of ISO/IEC 27005. It provides guidance and advice to specifically support the implementation of those requirements specified in ISO/IEC 27001:2005 that relate to risk management processes and associated activities. Although this handbook is based on a superseded version of ISO/IEC 27001, most of its content is version independent and remains valid.
Managing security in outsourced and off-shored environments (BIP 0116)

Sets out guidance, best practice and critical success factors for managing security in outsourced environments. Where applicable, it addresses cyber security matters. One chapter addresses cloud computing.

Cloud computing: a practical introduction to the legal issues (BIP 0117) Provides advice concerning the legal issues associated with cloud computing. To do so, it provides a technical description of the different forms of cloud computing and their associated information security and data protection issues.
An Introduction to ISO 27001:2013 (BIP 0139) This book serves as a basic introduction to ISO/IEC 27001:2013 and a straightforward guide to implementation. No prior knowledge of ISO/IEC 27001 or management systems is assumed. The guidance is applicable to a wide range of ISMS implementations appropriate to small firms and larger organizations. The book also includes a practical, easy to use risk assessment and risk treatment method that delivers results directly expressed in business meaningful terms.

ISO Books on IT and Cyber Security


Title Description
ISO/IEC 27001 for Small Businesses - Practical advice Intended to take the mystery out of information security and presents a practical, clearly explained step-by-step approach for SMEs to implementing an information ISMS based on ISO/IEC 27001:2005. It uses a questionnaire checklist approach. This handbook is available in paper only. It is published by ISO and IEC and available from the ISO web store. It is not available from BSI.

UK Government standards on IT and Cyber Security


Standard name/number Description
Cyber Essentials Scheme, Summary (BIS/14/696)(PDF) This booklet provides a summary of the Cyber Essentials Scheme, together with background information about its intended use and benefits.
Cyber Essentials Scheme, Cyber Essentials Scheme: Requirements for basic technical protection from cyber attacks (BIS/14/696) (PDF) This document describes the five types of technical controls underlying the Cyber Essentials Scheme. It links them to ISO/IEC 27002 and other standards.
Cyber Essentials Scheme, Assurance Framework (BIS/14/697) (PDF) This document describes the certification framework supporting Cyber Essentials. It defines the assurance philosophy and mandated tests. It includes information on what systems and services can and cannot be within scope of the Scheme.
HMG IA Standard No. 1, Technical Risk Assessment(PDF) This standard is an information assurance (IA) standard for risk managers and IA Practitioners responsible for identifying, assessing and treating the technical risks to cyber systems and services handling UK government information. Use of this standard is a mandatory requirement for all cyber systems that handle, store and process government protectively marked information or business critical data, or that are interconnected to cross-government networks or services. The full version of this document is not in the public domain.