ISO 13335 - IT security management

ISO 13335 (which started life as a Technical Report TR before becoming a full ISO standard) comprises a set of guidelines for the management of IT security, focusing primarily on technical security control measures:

• ISO 13335-1:2004 “Information technology – Security techniques – Management of information and communications technology security – Part 1: Concepts and models for information and communications technology security management”. Explains the concepts and models for information and communications technology security management. (ISO/IEC TR 13335 parts 1 and 2 were combined into the revised ISO/IEC 13335-1: 2004. The original TR13335-2:1997 “Guidelines for the management of IT security - Part 2: Managing and planning IT security” was cancelled.)
• ISO 13335-2, when published, is expected to cancel and replace ISO/IEC TR 13335-3:1998 and ISO/IEC TR 13335-4:2000.
• ISO TR 13335-3:1998 “Information technology – Guidelines for the Management of IT Security – Part 3: Techniques for the management of IT Security”. Covers techniques for the management of IT security. This standard is currently under revision and will be inserted into ISO 27005
• ISO TR 13335-4:2000 covers the selection of safeguards (meaning technical security controls). This standard is also currently under revision and will be inserted into ISO 27005
• ISO TR 13335-5:2001 provides management guidance on network security. This standard is currently under revision, being merged into ISO/IEC 18028-1. ISO/IEC 18028-1 will eventually cancel and replace ISO/IEC TR 13335-5:2001.

ISO 15408 - Common Criteria

ISO 15408:1999 describes the Common Criteria for Information Technology Security Evaluation. Products that are evaluated against the Common Criteria have a defined level of assurance as to their information security capabilities that is recognized in most of the world. Unfortunately, the evaluation process is quite costly and slow, and is therefore not very widely used apart from the government and defense markets.

ISO 15489 - Records Management

ISO 15489:2001 is a records management standard in two parts:

·        Part 1 describes a “high level framework for recordkeeping and specifically addresses the benefits of records management, regulatory considerations affecting its operation and the importance of assigning of responsibilities for recordkeeping. It also discusses high level records management requirements, the design of recordkeeping systems and actual processes involved in records management, such as record capture, retention, storage, access etc. It concludes with a discussion of records management audit operations and training requirements for all staff of an organization.” 

·        Part 2 provides “practical and more detailed guidance about how to implement the framework outlined in Part 1. For example it provides specific detail about the development of records management policy and responsibility statements and outlines the DIRKS process for developing recordkeeping systems. Part 2 also provides practical guidance about the development of records processes and controls and specifically addresses the development of key recordkeeping instruments such as thesauri, disposal authorities and security and access classification schemes. It then discusses the use of these tools to capture, register, classify, store, provide access to and otherwise manage records. Part 2 also provides specific guidance about the establishment of monitoring, auditing and training programs to promote and effectively implement records management within an organization.”