
Cybersecurity Standards: What You Need to Know for Organizations and Individuals

May 30, 2025

While there are no mandatory cybersecurity standards set for individual users, organizations are held to a certain level of security through a variety of established frameworks and practices. These frameworks, though often underdeveloped and not enforced by law, provide valuable guidance and best practices to enhance cybersecurity measures.

Individuals vs. Organizations

When it comes to personal cybersecurity, individuals often have the freedom to choose their measures, such as using strong passwords or enabling two-factor authentication (2FA). However, according to Google's security engineer Grzegorz Milka, only 10% of active Google accounts used two-factor authentication back in 2018. Despite the convenience of relying on companies to protect us, taking proactive measures remains essential.

In contrast, organizations are bound by more stringent standards. These standards, though not universally applicable, provide much-needed guidelines for maintaining a robust cybersecurity posture. Some organizations, such as a government defence research centre, enforce extremely thorough and demanding standards. However, the development and implementation of these standards can be inconsistent, often varying by country, industry, and personal preference.

Key Cybersecurity Standards

Several organizations and international bodies publish cybersecurity standards that are widely recognized and followed. These include:

ISO/IEC 27001 and 27002: International standards for information security management systems (ISMS).
NERC (North American Electric Reliability Corporation): Standards specific to the electricity sector.
NIST (National Institute of Standards and Technology): A wide-ranging set of cybersecurity guidelines and frameworks.
ISO 15408: Trusted Computer System Evaluation Criteria (TCSEC).
IASME (Information and Communications Technology (ICT) Governance): Frameworks for ICT governance.
U.S. Banking Regulators: Specific guidelines for financial institutions.
ETSI Cyber Security Technical Committee TC CYBER: European standards for cyber security.
ANSI/ISA 62443 (formerly ISA-99): Industrial automation and control systems.
IEC 62443: Industrial control systems security standards.

Choosing the Right Standard

The choice of which standard to follow depends on factors such as country, industry, and the needs of the individual organization. While many standards offer similar guidance, they can be broadly divided into two main categories:

USA-centric standards: Such as NIST 800 and NERC CIP, which are freely available but detailed and often dry to read. These standards outline the procedures, processes, and functionality required to make a system or organization cyber secure, but leave the implementation largely to the practitioner to decide.
International standards: Such as ISO 27001, which is IT-centric, and IEC 62443, which is more focused on industrial controls. ISO 27001 is often easier to follow and read, but some sections of IEC 62443 are still under development and require purchase.

Both categories aim to provide a comprehensive framework for cybersecurity, but the choice ultimately depends on the specific needs and circumstances of the organization.

Conclusion

While there is no one-size-fits-all approach to cybersecurity, adhering to established standards can significantly enhance an organization's defenses. Whether you choose an international or USA-centric standard, the key is to implement the guidelines effectively and continuously monitor and update your cybersecurity measures to stay ahead of evolving threats.