This document specifies mechanisms for cross-domain password-based authenticated key exchange, all of which are four-party password-based authenticated key exchange (4PAKE) protocols. Such protocols let two communicating entities establish a shared session key using just the login passwords that they share with their respective domain authentication servers. The authentication servers, assumed to be part of a standard public key infrastructure (PKI), act as ephemeral certification authorities (CAs) that certify key materials that the users can subsequently use to exchange and agree on as a session key. This document does not specify the means to be used to establish a shared password between an entity and its corresponding domain server. This document also does not define the implementation of a PKI and the means for two distinct domain servers to exchange or verify their respective public key certificates.

  • Standard
    26 pages
    English language
    sale 15% off
  • Draft
    26 pages
    English language
    sale 15% off

This document specifies MAC algorithms that use a secret key and a hash-function (or its round-function or sponge function) to calculate an m-bit MAC. These mechanisms can be used as data integrity mechanisms to verify that data has not been altered in an unauthorized manner. NOTE      A general framework for the provision of integrity services is specified in ISO/IEC 10181‑6.

  • Standard
    52 pages
    English language
    sale 15% off
  • Draft
    52 pages
    English language
    sale 15% off
  • Standard
    6 pages
    English language
    sale 15% off
  • Draft
    6 pages
    English language
    sale 15% off

The present document specifies generally applicable policy and security requirements for Trust Service Providers
(TSPs) issuing public key certificates, including trusted web site certificates.
The policy and security requirements are defined in terms of requirements for the issuance, maintenance and life-cycle
management of certificates. These policy and security requirements support several reference certificate policies,
defined in clauses 4 and 5.
A framework for the definition of policy requirements for TSPs issuing certificates in a specific context where
particular requirements apply is defined in clause 7.
The present document covers requirements for CA hierarchies, however this is limited to supporting the policies as
specified in the present document. It does not include requirements for root CAs and intermediate CAs for other
purposes.
The present document is applicable to:
• the general requirements of certification in support of cryptographic mechanisms, including digital signatures
for electronic signatures and seals;
• the general requirements of certification authorities issuing TLS/SSL certificates;
• the general requirements of the use of cryptography for authentication and encryption.
The present document does not specify how the requirements identified can be assessed by an independent party,
including requirements for information to be made available to such independent assessors, or requirements on such
assessors.
NOTE: See ETSI EN 319 403 [i.2] for guidance on assessment of TSP's processes and services. The present
document references ETSI EN 319 401 [8] for general policy requirements common to all classes of
TSP's services.
The present document includes provisions consistent with the requirements from the CA/Browser Forum in EVCG [4]
and BRG [5].

  • Standard
    56 pages
    English language
    sale 15% off
  • Standard
    56 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    56 pages
    English language
    sale 15% off
  • Draft
    56 pages
    English language
    sale 10% off
    e-Library read for
    1 day

The present document specifies policy and security requirements for the issuance, maintenance and life-cycle
management of EU qualified certificates as defined in Regulation (EU) No 910/2014 [i.1]. These policy and security
requirements support reference certificate policies for the issuance, maintenance and life-cycle management of EU
qualified certificates issued to natural persons (including natural persons associated with a legal person or a website)
and to legal persons (including legal persons associated with a website), respectively.
The present document does not specify how the requirements identified can be assessed by an independent party,
including requirements for information to be made available to such independent assessors, or requirements on such
assessors.
NOTE: See ETSI EN 319 403 [i.6] for guidance on assessment of TSP's processes and services. The present
document references ETSI EN 319 411-1 [2] for general requirements on TSP issuing certificates.

  • Standard
    31 pages
    English language
    sale 15% off
  • Standard
    31 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    31 pages
    English language
    sale 15% off
  • Draft
    31 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This document specifies requirements and provides guidance for establishing, implementing,
maintaining and continually improving a Privacy Information Management System (PIMS) in the form
of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the
organization.
This document specifies PIMS-related requirements and provides guidance for PII controllers and PII
processors holding responsibility and accountability for PII processing.
This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which are PII controllers and/or PII
processors processing PII within an ISMS.

  • Standard
    76 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Draft
    73 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This document addresses the physical security of data centres based upon the criteria and classifications for “availability”, “security” and “energy efficiency enablement” within EN 50600 1.
This document provides designations for the data centres spaces defined in EN 50600 1.
This document specifies requirements and recommendations for those data centre spaces, and the systems employed within those spaces, in relation to protection against:
a)   unauthorized access addressing organizational and technological solutions;
b)   intrusion;
c)   fire events igniting within data centres spaces;
d)   other events within or outside the data centre spaces, which would affect the defined level of protection.
NOTE   Constructional requirements and recommendations are provided by reference to EN 50600 2 1.
Safety and electromagnetic compatibility (EMC) requirements are outside the scope of this document and are covered by other standards and regulations. However, the information given in this document can be of assistance in meeting these standards and regulations.

  • Standard
    40 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Draft
    39 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This document specifies requirements, methods of testing and required test results where
standards are needed to provide a basic level of protection against cyber incidents (i.e.
malicious attempts, which actually or potentially result in adverse consequences to equipment,
their networks or the information that they process, store or transmit) for:
a) shipborne radio equipment forming part of the global maritime distress and safety system
(GMDSS) mentioned in the International Convention for Safety of Life at Sea (SOLAS) as
amended, and by the Torremolinos International Convention for the Safety of Fishing
Vessels as amended, and to other shipborne radio equipment, where appropriate;
b) shipborne navigational equipment mentioned in the International Convention for Safety of
Life at Sea (SOLAS) as amended, and by the Torremolinos International Convention for the
Safety of Fishing Vessels as amended,
c) other shipborne navigational aids, and Aids to Navigation (AtoN), where appropriate.
The document is organised as a series of modules dealing with different aspects. The document
considers both normal operation of equipment and the maintenance of equipment. For each
module, a statement is provided indicating whether the module applies during normal operation
or in maintenance mode.
Communication initiated from navigation or radiocommunication equipment outside of items a),
b) and c) above, for example ship side to other ship or shore side, are outside of the scope of
this document.
This document does not address cyber-hygiene checks, for example anti-malware scanning,
etc., performed outside of the cases defined in this document.

  • Standard
    65 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This Recommendation | International Standard gives guidelines for information security controls applicable to the
provision and use of cloud services by providing:
– additional implementation guidance for relevant controls specified in ISO/IEC 27002;
– additional controls with implementation guidance that specifically relate to cloud services.
This Recommendation | International Standard provides controls and implementation guidance for both cloud service
providers and cloud service customers.

  • Standard
    44 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This document provides guidance on the ways an organization can plan and prepare for, and implement, electronic discovery from the perspective of both technology and processes. This document provides guidance on proactive measures that can help enable effective and appropriate electronic discovery and processes. This document is relevant to both non-technical and technical personnel involved in some or all of the electronic discovery activities.

  • Standard
    29 pages
    English language
    sale 15% off
  • Draft
    29 pages
    English language
    sale 15% off

This document specifies properties of cryptographic mechanisms to redact authentic data. In particular, it defines the processes involved in those mechanisms, the participating parties, and the cryptographic properties.

  • Standard
    11 pages
    English language
    sale 15% off
  • Draft
    11 pages
    English language
    sale 15% off

This document defines a process reference model (PRM) for the domain of information security management, which is meeting the criteria defined in ISO/IEC 33004 for process reference models (see Annex A). It is intended to guide users of ISO/IEC 27001 to: — incorporate the process approach as described by ISO/IEC 27000:2018, 4.3, within the ISMS; — be aligned to all the work done within other standards of the ISO/IEC 27000 family from the perspective of the operation of ISMS processes — support users in the operation of an ISMS ? this document is complementing the requirements-oriented perspective of ISO/IEC 27003 with an operational, process-oriented point of view.

  • Technical specification
    43 pages
    English language
    sale 15% off
  • Draft
    43 pages
    English language
    sale 15% off
  • Standard
    1 page
    English language
    sale 15% off
  • Draft
    1 page
    English language
    sale 15% off

IEC 63154:2021 specifies requirements, methods of testing and required test results where standards are needed to provide a basic level of protection against cyber incidents (i.e. malicious attempts, which actually or potentially result in adverse consequences to equipment, their networks or the information that they process, store or transmit) for:
a) shipborne radio equipment forming part of the global maritime distress and safety system (GMDSS) mentioned in the International Convention for Safety of Life at Sea (SOLAS) as amended, and by the Torremolinos International Convention for the Safety of Fishing Vessels as amended, and to other shipborne radio equipment, where appropriate;
b) shipborne navigational equipment mentioned in the International Convention for Safety of Life at Sea (SOLAS) as amended, and by the Torremolinos International Convention for the Safety of Fishing Vessels as amended,
c) other shipborne navigational aids, and Aids to Navigation (AtoN), where appropriate.

  • Standard
    130 pages
    English and French language
    sale 15% off

This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification. The requirements contained in this document need to be demonstrated in terms of competence and reliability by anybody providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification. NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

  • Technical specification
    9 pages
    English language
    sale 15% off
  • Draft
    9 pages
    English language
    sale 15% off
  • Standard
    8 pages
    English language
    sale 15% off
  • Draft
    8 pages
    English language
    sale 15% off
  • Standard
    13 pages
    English language
    sale 15% off
  • Draft
    14 pages
    English language
    sale 15% off

This document specifies guidelines for developing a cybersecurity framework. It is applicable to cybersecurity framework creators regardless of their organizations' type, size or nature.

  • Technical specification
    24 pages
    English language
    sale 15% off
  • Draft
    24 pages
    English language
    sale 15% off
  • Standard
    1 page
    English language
    sale 15% off
  • Draft
    1 page
    English language
    sale 15% off
  • Standard
    39 pages
    English language
    sale 15% off
  • Draft
    39 pages
    English language
    sale 15% off

The document takes a multiple agency as well as a citizen-centric viewpoint. It provides guidance on: — smart city ecosystem privacy protection; — how standards can be used at a global level and at an organizational level for the benefit of citizens; and — processes for smart city ecosystem privacy protection. This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that provide services in smart city environments.

  • Technical specification
    37 pages
    English language
    sale 15% off
  • Draft
    37 pages
    English language
    sale 15% off

This International Standard specifies requirements and provides guidance for bodies providing
audit and certification of an information security management system (ISMS), in addition to the
requirements contained within ISO/IEC 17021-1 and ISO/IEC 27001. It is primarily intended to support
the accreditation of certification bodies providing ISMS certification.
The requirements contained in this International Standard need to be demonstrated in terms of
competence and reliability by any body providing ISMS certification, and the guidance contained in
this International Standard provides additional interpretation of these requirements for any body
providing ISMS certification.
NOTE This International Standard can be used as a criteria document for accreditation, peer assessment or
other audit processes.

  • Standard
    49 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This document provides an overview of cybersecurity. This document: — describes cybersecurity and relevant concepts, including how it is related to and different from information security; — establishes the context of cybersecurity; — does not cover all terms and definitions applicable to cybersecurity; and — does not limit other standards in defining new cybersecurity-related terms for use. This document is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).

  • Technical specification
    17 pages
    English language
    sale 15% off
  • Draft
    17 pages
    English language
    sale 15% off

This document provides guidance on concepts, objectives and processes for the governance of information security, by which organizations can evaluate, direct, monitor and communicate the information security-related processes within the organization. The intended audience for this document is: — governing body and top management; — those who are responsible for evaluating, directing and monitoring an information security management system (ISMS) based on ISO/IEC 27001; — those responsible for information security management that takes place outside the scope of an ISMS based on ISO/IEC 27001, but within the scope of governance. This document is applicable to all types and sizes of organizations. All references to an ISMS in this document apply to an ISMS based on ISO/IEC 27001. This document focuses on the three types of ISMS organizations given in Annex B. However, this document can also be used by other types of organizations.

  • Standard
    16 pages
    English language
    sale 15% off
  • Draft
    16 pages
    English language
    sale 15% off

This document discusses the threats, risks, and controls related to: — systems that provide digital asset custodian services and/or exchange services to their customers (consumers and businesses) and management of security when an incident occurs; — asset information (including the signature key of the digital asset) that a custodian of digital assets manages. This document is addressed to digital asset custodians that manage signature keys associated with digital asset accounts. In such a case, certain specific recommendations apply. The following is out of scope of this document: — core security controls of blockchain and DLT systems; — business risks of digital asset custodians; — segregation of customer's assets; — governance and management issues.

  • Technical report
    35 pages
    English language
    sale 15% off
  • Draft
    35 pages
    English language
    sale 15% off

This document specifies the security requirements for physically unclonable functions (PUFs). Specified security requirements concern the output properties, tamper-resistance and unclonability of a single and a batch of PUFs. Since it depends on the application which security requirements a PUF needs to meet, this documents also describes the typical use cases of a PUF. Amongst PUF use cases, random number generation is out of scope in this document.

  • Standard
    16 pages
    English language
    sale 15% off
  • Draft
    16 pages
    English language
    sale 15% off

This document specifies methods for generating and testing prime numbers as required in cryptographic protocols and algorithms. Firstly, this document specifies methods for testing whether a given number is prime. The testing methods included in this document are divided into two groups: — probabilistic primality tests, which have a small error probability. All probabilistic tests described here can declare a composite to be a prime; — deterministic methods, which are guaranteed to give the right verdict. These methods use so-called primality certificates. Secondly, this document specifies methods to generate prime numbers. Again, both probabilistic and deterministic methods are presented. NOTE It is possible that readers with a background in algorithm theory have already had previous encounters with probabilistic and deterministic algorithms. The deterministic methods in this document internally still make use of random bits (to be generated via methods described in ISO/IEC 18031), and "deterministic" only refers to the fact that the output is correct with probability one. Annex A provides error probabilities that are utilized by the Miller-Rabin primality test. Annex B describes variants of the methods for generating primes so that particular cryptographic requirements can be met. Annex C defines primitives utilized by the prime generation and verification methods.

  • Standard
    33 pages
    English language
    sale 15% off
  • Draft
    33 pages
    English language
    sale 15% off

This document specifies five methods for authenticated encryption, i.e. defined ways of processing a data string with the following security objectives: — data confidentiality, i.e. protection against unauthorized disclosure of data; — data integrity, i.e. protection that enables the recipient of data to verify that it has not been modified; — data origin authentication, i.e. protection that enables the recipient of data to verify the identity of the data originator. All five methods specified in this document are based on a block cipher algorithm, and require the originator and the recipient of the protected data to share a secret key for this block cipher. Key management is outside the scope of this document. Key management techniques are defined in ISO/IEC 11770 (all parts). Four of the mechanisms in this document, namely mechanisms 3, 4, 5 (AAD variant only) and 6, allow data to be authenticated which is not encrypted. That is, these mechanisms allow a data string that is to be protected to be divided into two parts, D, the data string that is to be encrypted and integrity-protected, and A (the additional authenticated data) that is integrity-protected but not encrypted. In all cases, the string A can be empty. NOTE Examples of types of data that can need to be sent in unencrypted form, but whose integrity is to be protected, include addresses, port numbers, sequence numbers, protocol version numbers and other network protocol fields that indicate how the plaintext is to be handled, forwarded or processed.

  • Standard
    26 pages
    English language
    sale 15% off
  • Draft
    25 pages
    English language
    sale 15% off

This document specifies mechanisms to establish shared symmetric keys between groups of entities. It defines: — symmetric key-based key establishment mechanisms for multiple entities with a key distribution centre (KDC); and — symmetric key establishment mechanisms based on a general tree-based logical key structure with both individual rekeying and batch rekeying. It also defines key establishment mechanisms based on a key chain with group forward secrecy, group backward secrecy or both group forward and backward secrecy. This document also describes the required content of messages which carry keying material or are necessary to set up the conditions under which the keying material can be established. This document does not specify information that has no relation with key establishment mechanisms, nor does it specify other messages such as error messages. The explicit format of messages is not within the scope of this document. This document does not specify the means to be used to establish the initial secret keys required to be shared between each entity and the KDC, nor key lifecycle management. This document also does not explicitly address the issue of interdomain key management.

  • Standard
    18 pages
    English language
    sale 15% off
  • Draft
    18 pages
    English language
    sale 15% off

This part of IEC 62443 establishes requirements for:
• defining a system under consideration (SUC) for an industrial automation and control
system (IACS);
• partitioning the SUC into zones and conduits;
• assessing risk for each zone and conduit;
• establishing the target security level (SL-T) for each zone and conduit; and
• documenting the security requirements.

  • Standard
    34 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This document describes test methods for determining the conformance of security crypto suites defined in ISO/IEC 29167-16. This document contains conformance tests for all mandatory and applicable optional functions. The conformance parameters are the following: — parameters that apply directly affecting system functionality and inter-operability; — protocol including commands and replies; — nominal values and tolerances. Unless otherwise specified, the tests in this document are to be applied exclusively to RFID tags and interrogators defined in the ISO/IEC 18000 series using ISO/IEC 29167-16.

  • Standard
    21 pages
    English language
    sale 15% off
  • Draft
    21 pages
    English language
    sale 15% off

For security evaluation of biometric verification systems and biometric identification systems, this document is dedicated to the security evaluation of biometric recognition performance applying the ISO/IEC 15408 series. It provides requirements and recommendations to the developer and the evaluator for the supplementary activities on biometric recognition performance specified in ISO/IEC 19989-1. The evaluation of presentation attack detection techniques is out of the scope of this document except for presentation from impostor attempts under the policy of the intended use following the TOE guidance documentation.

  • Standard
    33 pages
    English language
    sale 15% off

For security evaluation of biometric recognition performance and presentation attack detection for biometric verification systems and biometric identification systemsthis document specifies: — extended security functional components to SFR Classes in ISO/IEC 15408-2; — supplementary activities to methodology specified in ISO/IEC 18045 for SAR Classes of ISO/IEC 15408-3. This document introduces the general framework for the security evaluation of biometric systems, including extended security functional components, and supplementary activities to methodology, which is additional evaluation activities and guidance/recommendations for an evaluator to handle those activities. The supplementary evaluation activities are developed in this document while the detailed recommendations are developed in ISO/IEC 19989-2 (for biometric recognition aspects) and in ISO/IEC 19989-3 (for presentation attack detection aspects). This document is applicable only to TOEs for single biometric characteristic type. However, the selection of a characteristic from multiple characteristics in SFRs is allowed.

  • Standard
    62 pages
    English language
    sale 15% off

For security evaluation of biometric verification systems and biometric identification systems, this document is dedicated to security evaluation of presentation attack detection applying the ISO/IEC 15408 series. It provides recommendations and requirements to the developer and the evaluator for the supplementary activities on presentation attack detection specified in ISO/IEC 19989-1. This document is applicable only to TOEs for single biometric characteristic type but for the selection of a characteristic from multiple characteristics.

  • Standard
    18 pages
    English language
    sale 15% off

This document gives guidelines for information security incident response in ICT security operations. This document does this by firstly covering the operational aspects in ICT security operations from a people, processes and technology perspective. It then further focuses on information security incident response in ICT security operations including information security incident detection, reporting, triage, analysis, response, containment, eradication, recovery and conclusion. This document is not concerned with non-ICT incident response operations such as loss of paper-based documents. This document is based on the "Detection and reporting" phase, the "Assessment and decision" phase and the "Responses" phase of the "Information security incident management phases" model presented in ISO/IEC 27035‑1:2016. The principles given in this document are generic and intended to be applicable to all organizations, regardless of type, size or nature. Organizations can adjust the provisions given in this document according to their type, size and nature of business in relation to the information security risk situation. This document is also applicable to external organizations providing information security incident management services.

  • Standard
    31 pages
    English language
    sale 15% off

This document specifies mechanisms for the provision of specific, communication-related, non‑repudiation services using asymmetric cryptographic techniques.

  • Standard
    13 pages
    English language
    sale 15% off

This document serves as a general model for subsequent parts specifying non-repudiation mechanisms using cryptographic techniques. The ISO/IEC 13888 series provides non-repudiation mechanisms for the following phases of non-repudiation: — evidence generation; — evidence transfer, storage and retrieval; and — evidence verification. Dispute arbitration is outside the scope of the ISO/IEC 13888 series.

  • Standard
    20 pages
    English language
    sale 15% off
  • Standard
    12 pages
    English language
    sale 15% off

The scope of this Recommendation | International Standard is to define guidelines supporting the implementation of
information security controls in telecommunications organizations.
The adoption of this Recommendation | International Standard will allow telecommunications organizations to meet
baseline information security management requirements of confidentiality, integrity, availability and any other relevant
security property.

  • Standard
    41 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This document provides requirements and recommendations to vendors on the disclosure of
vulnerabilities in products and services. Vulnerability disclosure enables users to perform technical
vulnerability management as specified in ISO/IEC 27002:2013, 12.6.1[1]. Vulnerability disclosure helps
users protect their systems and data, prioritize defensive investments, and better assess risk. The goal
of vulnerability disclosure is to reduce the risk associated with exploiting vulnerabilities. Coordinated
vulnerability disclosure is especially important when multiple vendors are affected. This document
provides:
— guidelines on receiving reports about potential vulnerabilities;
— guidelines on disclosing vulnerability remediation information;
— terms and definitions that are specific to vulnerability disclosure;
— an overview of vulnerability disclosure concepts;
— techniques and policy considerations for vulnerability disclosure;
— examples of techniques, policies (Annex A), and communications (Annex B).
Other related activities that take place between receiving and disclosing vulnerability reports are
described in ISO/IEC 30111.
This document is applicable to vendors who choose to practice vulnerability disclosure to reduce risk
to users of vendors’ products and services.

  • Standard
    42 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This document provides requirements and recommendations for how to process and remediate reported potential vulnerabilities in a product or service.
This document is applicable to vendors involved in handling vulnerabilities.

  • Standard
    21 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This International Standard provides a privacy framework which
- specifies a common privacy terminology;
- defines the actors and their roles in processing personally identifiable information (PII);
- describes privacy safeguarding considerations; and
- provides references to known privacy principles for information technology.
This International Standard is applicable to natural persons and organizations involved in specifying,
procuring, architecting, designing, developing, testing, maintaining, administering, and operating
information and communication technology systems or services where privacy controls are required
for the processing of PII.

  • Standard
    37 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    37 pages
    English language
    sale 10% off
    e-Library read for
    1 day

The present document specifies high-level security and data protection provisions for consumer IoT devices that are
connected to network infrastructure (such as the Internet or home network) and their interactions with associated
services. The associated services are out of scope. A non-exhaustive list of examples of consumer IoT devices includes:
• connected children's toys and baby monitors;
• connected smoke detectors, door locks and window sensors;
• IoT gateways, base stations and hubs to which multiple devices connect;
• smart cameras, TVs and speakers;
• wearable health trackers;
• connected home automation and alarm systems, especially their gateways and hubs;
• connected appliances, such as washing machines and fridges; and
• smart home assistants.
Moreover, the present document addresses security considerations specific to constrained devices.
EXAMPLE: Window contact sensors, flood sensors and energy switches are typically constrained devices.
The present document provides basic guidance through examples and explanatory text for organizations involved in the
development and manufacturing of consumer IoT on how to implement those provisions. Table B.1 provides a schema
for the reader to give information about the implementation of the provisions.
Devices that are not consumer IoT devices, for example those that are primarily intended to be used in manufacturing,
healthcare or other industrial applications, are not in scope of the present document.
The present document has been developed primarily to help protect consumers, however, other users of consumer IoT
equally benefit from the implementation of the provisions set out here.
Annex A (informative) of the present document has been included to provide context to clauses 4, 5 and 6 (normative).
Annex A contains examples of device and reference architectures and an example model of device states including data
storage for each state.

  • Standard
    34 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    34 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    34 pages
    English language
    sale 15% off
  • Standard
    32 pages
    English language
    sale 15% off
  • Standard
    30 pages
    English language
    sale 15% off

This document provides fundamental terminology for blockchain and distributed ledger technologies.

  • Standard
    10 pages
    English language
    sale 15% off
  • Draft
    10 pages
    English language
    sale 15% off

IEC 62443-3-2:2020 establishes requirements for:
• defining a system under consideration (SUC) for an industrial automation and control system (IACS);
• partitioning the SUC into zones and conduits;
• assessing risk for each zone and conduit;
• establishing the target security level (SL-T) for each zone and conduit; and
• documenting the security requirements.

  • Standard
    31 pages
    English language
    sale 15% off
  • Standard
    63 pages
    English and French language
    sale 15% off

This document establishes commonly accepted control objectives, controls and guidelines for
implementing measures to protect Personally Identifiable Information (PII) in line with the privacy
principles in ISO/IEC 29100 for the public cloud computing environment.
In particular, this document specifies guidelines based on ISO/IEC 27002, taking into consideration
the regulatory requirements for the protection of PII which can be applicable within the context of the
information security risk environment(s) of a provider of public cloud services.
This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which provide information processing
services as PII processors via cloud computing under contract to other organizations.
The guidelines in this document can also be relevant to organizations acting as PII controllers. However,
PII controllers can be subject to additional PII protection legislation, regulations and obligations, not
applying to PII processors. This document is not intended to cover such additional obligations.

  • Standard
    35 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    35 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This document specifies controls which shape the content and the structure of online privacy notices as well as the process of asking for consent to collect and process personally identifiable information (PII) from PII principals. This document is applicable in any online context where a PII controller or any other entity processing PII informs PII principals of processing.

  • Standard
    25 pages
    English language
    sale 15% off
  • Draft
    25 pages
    English language
    sale 15% off

This document provides an overview of privacy and personally identifiable information (PII) protection as applied to blockchain and distributed ledger technologies (DLT) systems.

  • Technical report
    17 pages
    English language
    sale 15% off

This International Standard specifies the requirements for establishing, implementing, maintaining
and continually improving an information security management system within the context of the
organization. This International Standard also includes requirements for the assessment and treatment
of information security risks tailored to the needs of the organization. The requirements set out in this
International Standard are generic and are intended to be applicable to all organizations, regardless
of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable
when an organization claims conformity to this International Standard.

  • Corrigendum
    1 page
    Slovenian language
    sale 10% off
    e-Library read for
    1 day

This document specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001, and complement or amend ISO/IEC 27002 to support a specific sector (domain, application area or market). This document explains how to: — include requirements in addition to those in ISO/IEC 27001, — refine or interpret any of the ISO/IEC 27001 requirements, — include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002, — modify any of the controls of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002, — add guidance to or modify the guidance of ISO/IEC 27002. This document specifies that additional or refined requirements do not invalidate the requirements in ISO/IEC 27001. This document is applicable to those involved in producing sector-specific standards.

  • Standard
    18 pages
    English language
    sale 15% off
  • Draft
    24 pages
    English language
    sale 10% off
    e-Library read for
    1 day