Information Security Collection
This page puts together a collection of documents, standards and regulations related to information security, cybersecurity, risk, privacy and vulnerability management to help the security practitioner.
Topics
- General
- Library
- Laws
- Information Security standards
- Audit and certification
- Other Information Security standards
- Cybersecurity
- Risk Management
- Privacy
- Best practices
- Laws and Regulations
- Supervisory Authorities
- Patch and Vulnerability Management
- Cloud and Virtualization Security
- Big Data
- Internet of Things (IoT)
- End User Device and Mobile Security
- Security best practices
- Cryptography
- Timestamping
- Cryptography
- Identity Management and Biometrics
- Biometrics
- Finance sector
- Blockchain Security
- CSIRTs
- Incident Management and Business Continuity Management
- Incident Management
- Business Continuity Management
- Cyber Crisis Management
- Digital Forensics
- Security Guides and Checklists
- Security Awareness
- Frameworks
- Glossaries
General
- [EU] ENISA Topics on Security
- [US] NIST Special Publication 800 series
- [US] NIST Special Publication 1800 series
- [UK] GOV.UK
- [UK] NCSC
Library
- [EU] ENISA Online Training Material
- [US] North Carolina State University - Enterprise Risk Management Initiative
Laws
- [EU] NIS Directive
- [US] Sarbanes-Oxley Act of 2002 (SOX)
- [US] Gramm-Leach-Bliley Act of 1999 (GLBA)
- [US] Children’s Online Privacy Protection Rule (COPPA)
- [DE] IT-Sicherheitsgesetz (IT Security Act)
- [MX] Law on the Protection of Personal Data Held by Private Parties
Information Security standards
- ISO/IEC 27000:2018 Information technology – Security techniques – Information security management systems – Overview and vocabulary
- ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements
- ISO/IEC 27002:2013 Information technology – Security techniques – Code of practice for information security controls
- ISO/IEC 27003:2017 Information technology – Security techniques – Information security management systems – Guidance
- ISO/IEC 27004:2016 Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation
- ISO/IEC 27013:2015 Information technology – Security techniques – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
- ISO/IEC 27014:2013 Information technology – Security techniques – Governance of information security
- ISO/IEC TR 27016:2014 Information technology – Security techniques – Information security management – Organizational economics
Audit and certification
- ISO/IEC 27006:2015 Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems
- ISO/IEC 27007:2017 Information technology – Security techniques – Guidelines for information security management systems auditing
- ISO/IEC TS 27008:2019 Information technology – Security techniques – Guidelines for the assessment of information security controls
Other Information Security standards
- ISO/IEC 27009:2016 Information technology – Security techniques – Sector-specific application of ISO/IEC 27001 – Requirements
- ISO/IEC 27010:2015 Information technology – Security techniques – Information security management for inter-sector and inter-organizational communications
- ISO/IEC 27011:2016 Information technology – Security techniques – Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations
- ISO/IEC 27021:2017 Information technology – Security techniques – Competence requirements for information security management systems professionals
- ISO/IEC TR 27023:2015 Information technology – Security techniques – Mapping the revised editions of ISO/IEC 27001 and ISO/IEC 27002
- ISO/IEC 27038:2014 Information technology – Security techniques – Specification for digital redaction
Cybersecurity
- [EU] EU NIS Directive
- [EU] EU Cyber Security Strategy
- [US] NIST Cybersecurity Framework
- [US] NIST Cybersecurity practice guides
- [UK] NCSC Cyber Security: Small Business Guide
- ISO/IEC 27032:2012 Information technology – Security techniques – Guidelines for cybersecurity
Risk Management
- [EU] ENISA Threat and Risk Management publications
- [US] NIST Risk Management Framework
- [UK] NCSC Risk Management Collection
- ISO/IEC 27005:2018 Information technology – Security techniques – Information security risk management
- ISO Guide 73:2009 Risk management – Vocabulary
- ISO 31000:2018 Risk management – Guidelines
- ISO/TR 31004:2013 Risk management – Guidance for the implementation of ISO 31000
- IEC 31010:2009 Risk management – Risk assessment techniques
- ISO/DIS 31022 Risk management – Guidelines for the management of legal risk
- ISO/AWI 31030 Risk management – Managing travel risks – Guidance for organizations
- ISO/NP 31050 Guidance for managing emerging risks to enhance resilience
- ISO/AWI 31073 Risk management – terminology
- OECD Data Security Risk Management
Privacy
Best practices
- [EU] ENISA Handbook on Security of Personal Data Processing
- [EU] ENISA Privacy by Design
- [EU] ENISA Privacy and Data Protection in Mobile Applications
- [US] NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
- [US] NIST SP 800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
- OECD Privacy guidelines
- OECD Guidance on Policy and Practice
- OECD Security and privacy indicators
- ISO/IEC 27018:2019 Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- ISO/IEC 29100:2011 Information technology – Security techniques – Privacy framework
- ISO/IEC 29101:2018 Information technology – Security techniques – Privacy architecture framework
- ISO/IEC 29134:2017 Information technology – Security techniques – Guidelines for privacy impact assessment
- ISO/IEC 29151:2017 Information technology – Security techniques – Code of practice for personally identifiable information protection
- ISO/IEC 29187-1:2013 Information technology – Identification of privacy protection requirements pertaining to learning, education and training (LET) – Part 1: Framework and reference model
- ISO/IEC 29190:2015 Information technology – Security techniques – Privacy capability assessment model
- ISO/IEC 29191:2012 Information technology – Security techniques – Requirements for partially anonymous, partially unlinkable authentication
Laws and Regulations
- [EU] EU Digital Privacy Legal Framework
- [EU] Data protection in the EU (GDPR)
- [CH] Federal Act on Data Protection
- [BR] LGPD
- [CA] PIPEDA
- [US] HIPAA
- [US] HITECH
- [US] CA 1386
- [UK] Data Protection Act 2018 (GDPR)
- [EU-US, CH-US] Privacy Shield Framework
- [AU] Australian Privacy Act 1988
- [NZ] New Zealand Privacy Act 1993
Supervisory Authorities
Patch and Vulnerability Management
- [EU] ENISA Vulnerability disclosure
- [US] NIST Guide to Enterprise Patch Management Technologies
- [US] NIST NCCoE Patching the Enterprise
- ISO/IEC 29147:2018 Information technology – Security techniques – Vulnerability disclosure
- ISO/IEC 30111:2013 Information technology – Security techniques – Vulnerability handling processes
Cloud and Virtualization Security
- [EU] ENISA Cloud Computing Risk Assessment
- [EU] ENISA Cloud Security Guide for SMEs
- [EU] ENISA Cloud Computing: Benefits, risks and recommendations for information security
- [EU] ENISA Security Aspects of Virtualization
- [EU] ENISA Security Framework for Governmental Clouds
- [EU] ENISA Exploring Cloud Incidents
- [EU] ENISA Procure Secure: a guide to monitoring of security service levels in cloud contracts
- [US] NIST on Cloud Computing & Virtualization
- [US] NIST SP 800-125 Guide to Security for Full Virtualization Technologies
- [US] NIST SP 800-125A Security Recommendations for Server-based Hypervisor Platforms
- [US] NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection
- [US] NIST SP 800-144 Guidelines on Security and Privacy in Public Cloud Computing
- [US] NIST SP 800-146 Cloud Computing Synopsis and Recommendations
- [US] NIST SP 800-190 Application Container Security Guide
- [US] NIST IR 8176 Security Assurance Requirements for Linux Application Container Deployments
- [US] NIST SP 500-292 Cloud Computing Reference Architecture
- [US] NIST NCCoE Trusted Cloud
- [US] NIST SP 1800-2 Identity and Access Management for Electric Utilities
- [UK] NCSC Cloud Security Collection
- ISO/IEC 27017:2015 Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services
- CSA Cloud Control Matrix (CCM)
- CSA Guideline on Effectively Managing Security Service in the Cloud
Big Data
- [EU] ENISA Big Data Security
- [US] NIST Big Data Information
- ISO/IEC WD 27045 Information technology – Big data security and privacy – Processes
Internet of Things (IoT)
- [EU] ENISA Baseline Security Recommendations for IoT
- [US] NIST Cybersecurity for IoT Program
- [US] NIST SP 800-183 Networks of ‘Things’
- [US] NIST IR 8228 Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks
- [UK] NCSC Code of Practice for consumer IoT security
End User Device and Mobile Security
- [EU] ENISA Mobile Payments Security
- [EU] ENISA Hardware Threat Landscape
- [US] NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices
- [US] NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise
- [US] NIST SP 800-163 Vetting the Security of Mobile Applications
- [US] NIST NCCoE Mobile Device Security: Cloud and Hybrid Builds
- [UK] NCSC End User Device Security Collection
- [NL] NCSC IT Security Guidelines for Mobile Apps
Security best practices
- OWASP Top 10 Web App Security Risks
- OWASP Top 10 Proactive Controls
- OWASP Mobile Top 10
- ISO/IEC 27033-1:2015 Information technology – Security techniques – Network security – Part 1: Overview and concepts
- ISO/IEC 27033-2:2012 Information technology – Security techniques – Network security – Part 2: Guidelines for the design and implementation of network security
- ISO/IEC 27033-3:2010 Information technology – Security techniques – Network security – Part 3: Reference networking scenarios – Threats, design techniques and control issues
- ISO/IEC 27033-4:2014 Information technology – Security techniques – Network security – Part 4: Securing communications between networks using security gateways
- ISO/IEC 27033-5:2013 Information technology – Security techniques – Network security – Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
- ISO/IEC 27033-6:2016 Information technology – Security techniques – Network security – Part 6: Securing wireless IP network access
- ISO/IEC 27034-1:2011 Information technology – Security techniques – Application security – Part 1: Overview and concepts
- ISO/IEC 27034-2:2015 Information technology – Security techniques – Application security – Part 2: Organization normative framework
- ISO/IEC 27034-3:2018 Information technology – Security techniques – Application security – Part 3: Application security management process
- ISO/IEC CD 27034-4 Information technology – Security techniques – Application security – Part 4: Validation and verification
- ISO/IEC 27034-5:2017 Information technology – Security techniques – Application security – Part 5: Protocols and application security controls data structure
- ISO/IEC 27034-6:2016 Information technology – Security techniques – Application security – Part 6: Case studies
- ISO/IEC 27034-7:2018 Information technology – Security techniques – Application security – Part 7: Assurance prediction framework
- ISO/IEC 27039:2015 Information technology – Security techniques – Selection, deployment and operations of intrusion detection and prevention systems (IDPS)
- ISO/IEC 27040:2015 Information technology – Security techniques – Storage security
- CREST Cyber Essentials Implementation Guide
Cryptography
- Bluekrypt Cryptographic Key Length Recommendation
- [EU] ENISA Study on cryptographic protocols
- [EU] ENISA Algorithms, key size and parameters report 2014
- [EU] ENISA Security guidelines on the appropriate use of qualified electronic signatures
- [EU] ENISA Security guidelines on the appropriate use of qualified electronic seals
- [EU] ECRYPT CSA Publications
- [DE] BSI TR-02102-1 Kryptographische Verfahren: Empfehlungen und Schlüssellängen (Cryptographic Mechanisms: Recommendations and Key Lengths)
- [US] NIST Block Cipher Techniques
- [US] NIST SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure
- [US] NIST SP 800-52 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
- [US] NIST SP 800-57 Recommendation for Key Management, Part 1: General
- [US] NIST SP 800-57 Recommendation for Key Management, Part 2: Best Practices for Key Management Organization
- [US] NIST SP 800-57 Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance
- [US] NIST SP 800-106 Randomized Hashing for Digital Signatures
- [US] NIST SP 800-107 Recommendation for Applications Using Approved Hash Algorithms
- [US] NIST SP 800-108 Recommendation for Key Derivation Using Pseudorandom Functions
- [US] NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices
- [US] NIST SP 800-130 A Framework for Designing Cryptographic Key Management Systems
- [US] NIST SP 800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
- [US] NIST SP 800-132 Recommendation for Password-Based Key Derivation: Part 1: Storage Applications
- [US] NIST SP 800-133 Recommendation for Cryptographic Key Generation
- [US] NIST SP 800-135 Recommendation for Existing Application-Specific Key Derivation Functions
- [US] NIST SP 800-185 SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash
- ISO/IEC 29128:2011 Information technology – Security techniques – Verification of cryptographic protocols
- ISO/IEC 29150:2011 Information technology – Security techniques – Signcryption
- ISO/IEC 29192-1:2012 Information technology – Security techniques – Lightweight cryptography – Part 1: General
- ISO/IEC 29192-2:2012 Information technology – Security techniques – Lightweight cryptography – Part 2: Block ciphers
- ISO/IEC 29192-3:2012 Information technology – Security techniques – Lightweight cryptography – Part 3: Stream ciphers
- ISO/IEC 29192-4:2013 Information technology – Security techniques – Lightweight cryptography – Part 4: Mechanisms using asymmetric techniques
- ISO/IEC 29192-5:2016 Information technology – Security techniques – Lightweight cryptography – Part 5: Hash-functions
- ISO/IEC DIS 29192-6 Information technology – Security techniques – Lightweight cryptography – Part 6: Message authentication codes (MACs)
- ISO/IEC DIS 29192-7 Information technology – Security techniques – Lightweight cryptography – Part 7: Broadcast authentication protocols
Timestamping
- [EU] ENISA Security guidelines on the appropriate use of qualified electronic time stamps
- [US] NIST Recommendation for Digital Signature Timeliness
- ISO/IEC TR 29149:2012 Information technology – Security techniques – Best practices for the provision and use of time-stamping services
Identity Management and Biometrics
- [EU] ENISA Mobile Identity Management
- [US] NIST SP 1800-17 (DRAFT) Multifactor Authentication for E-Commerce
- [US] NIST SP 1800-12 (DRAFT) Derived Personal Identity Verification (PIV) Credentials
- [US] NIST SP 1800-2 Identity and Access Management for Electric Utilities
- [US] NIST SP 800-63-3 Digital Identity Guidelines
- [US] NIST IR 8149 Developing Trust Frameworks to Support Identity Federations
- ISO/IEC 29146:2016 Information technology – Security techniques – A framework for access management
- ISO/IEC 29115:2013 Information technology – Security techniques – Entity authentication assurance framework
Biometrics
- [US] NIST SP 800-76-2 Biometric Specifications for Personal Identity Verification
- ISO/IEC TR 24714-1:2008 Information technology – Biometrics – Jurisdictional and societal considerations for commercial applications – Part 1: General guidance
- ISO/IEC TR 30110:2015 Information technology – Cross jurisdictional and societal aspects of implementation of biometric technologies – Biometrics and children
- ISO/IEC TR 29144:2014 Information technology – Biometrics – The use of biometric technology in commercial Identity Management applications and processes
- ISO/IEC TR 29156:2015 Information technology – Guidance for specifying performance requirements to meet security and usability needs in applications using biometrics
- ISO/IEC TR 29196:2018 Information technology – Guidance for biometric enrolment
- ISO/IEC 30107-1:2016 Information technology – Biometric presentation attack detection – Part 1: Framework
- ISO/IEC 30107-2:2017 Information technology – Biometric presentation attack detection – Part 2: Data formats
- ISO/IEC 30107-3:2017 Information technology – Biometric presentation attack detection – Part 3: Testing and reporting
- ISO/IEC DIS 30107-4 Information technology – Biometric presentation attack detection – Part 4: Profile for testing of mobile devices
- ISO/IEC JTC 1/SC 37 Biometrics
Finance sector
- [EU] ENISA Critical Infrastructure and Services - Finance
- [EU] ENISA Network and Information Security in the Finance sector
- [US] NIST Financial Services Sector Use Cases
- BIS Basel Committee
- PCI DSS
- ISO/IEC TR 27015:2012 Information technology – Security techniques – Information security management guidelines for financial services
- World Bank Cybersecurity, Cyber Risk and Financial Sector Regulation and Supervision
Blockchain Security
CSIRTs
- [EU] ENISA CSIRTs in Europe
- [EU] ENISA Setting up a CSIRT
- [US] US CERT
- [BR] BR CERT
- [AU] AU CERT
- [NZ] NZ CERT
- CMU SEI - CSIRT Resources
Incident Management and Business Continuity Management
Incident Management
- [EU] ENISA Good Practice Guide for Incident Management
- [EU] ENISA Security incident indicators
- [EU] ENISA Mobile Incident Handling Handbook
- [US] NIST SP 800-61 Computer Security Incident Handling Guide
- [US] NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response
- [US] NIST SP 800-83 Guide to Malware Incident Prevention and Handling for Desktops and Laptops
- ISO/IEC 27035-1:2016 Information technology – Security techniques – Information security incident management – Part 1: Principles of incident management
- ISO/IEC 27035-2:2016 Information technology – Security techniques – Information security incident management – Part 2: Guidelines to plan and prepare for incident response
- CREST Cyber Security Incident Response Procurement Guide
Business Continuity Management
- [EU] ENISA BCM & Resilience
- [EU] ENISA Business Continuity for SMEs
- [US] NIST SP 1800-11 Data Integrity: Recovering from Ransomware and Other Destructive Events
- [UK] GOV.UK Business continuity planning
- ISO/IEC 27031:2011 Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity
- ISO 22301:2012 Societal security – Business continuity management systems – Requirements
- ISO 22313:2012 Societal security – Business continuity management systems – Guidance
- ISO/TS 22317:2015 Societal security – Business continuity management systems – Guidelines for business impact analysis (BIA)
- ISO/TS 22318:2015 Societal security – Business continuity management systems – Guidelines for supply chain continuity
- ISO/TS 22330:2018 Security and resilience – Business continuity management systems – Guidelines for people aspects of business continuity
- ISO/TS 22331:2018 Security and resilience – Business continuity management systems – Guidelines for business continuity strategy
Cyber Crisis Management
- [EU] ENISA Report on Cyber Crisis Cooperation and Management
- [US] NIST Guide for Cybersecurity Event Recovery
Digital Forensics
- [EU] ENISA Network Forensics Handbook
- [US] NIST Digital Forensics
- [US] NIST SP 800-101 Guidelines on Mobile Device Forensics
- [US] NIST IR 8221 A Methodology for Determining Forensic Data Requirements for Detecting Hypervisor Attacks
- ISO/IEC 27037:2012 Information technology – Security techniques – Guidelines for identification, collection, acquisition and preservation of digital evidence
- ISO/IEC 27041:2015 Information technology – Security techniques – Guidance on assuring suitability and adequacy of incident investigative method
- ISO/IEC 27042:2015 Information technology – Security techniques – Guidelines for the analysis and interpretation of digital evidence
- ISO/IEC 27043:2015 Information technology – Security techniques – Incident investigation principles and processes
- ISO/IEC 27050-1:2016 Information technology – Security techniques – Electronic discovery – Part 1: Overview and concepts
- ISO/IEC 27050-2:2018 Information technology – Electronic discovery – Part 2: Guidance for governance and management of electronic discovery
Security Guides and Checklists
- [US] NIST National Checklist Program Repository
- [US] NIST SP 800-193 Platform Firmware Resiliency Guidelines
- [US] NIST SP 800-190 Application Container Security Guide
- [US] NIST SP 800-187 Guide to LTE Security
- [US] NIST SP 800-179 Guide to Securing Apple macOS 10.12 Systems for IT Professionals
- [US] NIST SP 800-177 Trustworthy Email
- [US] NIST SP 800-164 Guidelines on Hardware-Rooted Security in Mobile Devices
- [US] NIST SP 800-153 Guidelines for Securing Wireless Local Area Networks (WLANs)
- [US] NIST SP 800-147B BIOS Protection Guidelines for Servers
- [US] NIST SP 800-123 Guide to General Server Security
- [US] NIST SP 800-121 Guide to Bluetooth Security
- [US] NIST SP 800-113 Guide to SSL VPNs
- [US] NIST SP 800-95 Guide to Secure Web Services
- [US] NIST SP 800-88 Guidelines for Media Sanitization
- [UK] NCSC Published Guidance
- [UK] NCSC Design and Configuration
Security Awareness
- [EU] ENISA Cyber Security Culture in Organisations
- [EU] ENISA Information Security Awareness Material
- [US] NIST SP 800-50 Building an Information Technology Security Awareness and Training Program
Frameworks
- ISACA COBIT 5
- COSO Guidance on Internal Control
- AICPA CICA Generally accepted privacy principles (GAPP) in privacy policy development
- Microsoft Cybersecurity Framework
- CIS Security Controls
- TOGAF
- SABSA
Glossaries
- [EU] ENISA Risk Management Glossary
- [US] NIST Glossary