EN-ISO/IEC 27019 provides guidance based on ISO/IEC 27002:2013 applied to process control systems used by the energy utility industry for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes. This includes in particular the following: - central and distributed process control, monitoring and automation technology as well as information systems used for their operation, such as programming and parameterization devices; - digital controllers and automation components such as control and field devices or Programmable Logic Controllers (PLCs), including digital sensor and actuator elements; - all further supporting information systems used in the process control domain, e.g. for supplementary data visualization tasks and for controlling, monitoring, data archiving, historian logging, reporting and documentation purposes; - communication technology used in the process control domain, e.g. networks, telemetry, telecontrol applications and remote control technology; - Advanced Metering Infrastructure (AMI) components, e.g. smart meters; - measurement devices, e.g. for emission values; - digital protection and safety systems, e.g. protection relays, safety PLCs, emergency governor mechanisms; - energy management systems, e.g. of Distributed Energy Resources (DER), electric charging infrastructures, in private households, residential buildings or industrial customer installations; - distributed components of smart grid environments, e.g. in energy grids, in private households, residential buildings or industrial customer installations; - all software, firmware and applications installed on above-mentioned systems, e.g. DMS (Distribution Management System) applications or OMS (Outage Management System); - any premises housing the above-mentioned equipment and systems; - remote maintenance systems for above-mentioned systems.

  • Standard
    46 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    46 pages
    English language
    sale 10% off
    e-Library read for
    1 day

EN-ISO/IEC 15408-3 defines the assurance requirements of ISO/IEC 15408. It includes the evaluation assurance levels (EALs) that define a scale for measuring assurance for component TOEs, the composed assurance packages (CAPs) that define a scale for measuring assurance for composed TOEs, the individual assurance components from which the assurance levels and packages are composed, and the criteria for evaluation of PPs and STs.

  • Standard
    188 pages
    English language
    sale 10% off
    e-Library read for
    1 day

2019-08-21: WI initiated by CEN/CLC/JTC 8 transferred into CEN/CLC/JTC 13 (CEN/BT C122/2019)

  • Standard
    53 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    53 pages
    English language
    sale 10% off
    e-Library read for
    1 day

EN-ISO/IEC 18045 is a companion document to the “Evaluation criteria for IT security”, ISO/IEC 15408. This International Standard defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 evaluation, using the criteria and evaluation evidence defined in ISO/IEC 15408. This International Standard does not define evaluator actions for certain high assurance ISO/IEC 15408 components, where there is as yet no generally agreed guidance.

  • Standard
    302 pages
    English language
    sale 10% off
    e-Library read for
    1 day

EN-ISO/IEC 19790 is a companion document to the “Evaluation criteria for IT security”, ISO/IEC 15408. This International Standard defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 evaluation, using the criteria and evaluation evidence defined in ISO/IEC 15408. This International Standard does not define evaluator actions for certain high assurance ISO/IEC 15408 components, where there is as yet no generally agreed guidance.

  • Standard
    83 pages
    English language
    sale 10% off
    e-Library read for
    1 day

EN-ISO/IEC 15408-2 defines the required structure and content of security functional components for the purpose of security evaluation. It includes a catalogue of functional components that will meet the common security functionality requirements of many IT products.

  • Standard
    241 pages
    English language
    sale 10% off
    e-Library read for
    1 day

EN-ISO/IEC 15408-1 establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by various parts of the standard which in its entirety is meant to be used as the basis for evaluation of security properties of IT products. Part one provides an overview of all parts of ISO/IEC 15408 standard. It describes the various parts of the standard; defines the terms and abbreviations to be used in all parts of the standard; establishes the core concept of a Target of Evaluation (TOE); the evaluation context and describes the audience to which the evaluation criteria are addressed. An introduction to the basic security concepts necessary for evaluation of IT products is given. It defines the various operations by which the functional and assurance components given in ISO/IEC 15408-2 and ISO/IEC 15408-3 may be tailored through the use of permitted operations. The key concepts of protection profiles (PP), packages of security requirements and the topic of conformance are specified and the consequences of evaluation, evaluation results are described. This part of ISO/IEC 15408 gives guidelines for the specification of Security Targets (ST) and provides a description of the organization of components throughout the model. General information about the evaluation methodology are given in ISO/IEC 18045 and the scope of evaluation schemes is provided.

  • Standard
    74 pages
    English language
    sale 10% off
    e-Library read for
    1 day

EN ISO/IEC 27000 provides the overview of information security management systems (ISMS). It also provides terms and definitions commonly used in the ISMS family of standards.

  • Standard
    35 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This International Standard specifies the requirements for establishing, implementing, maintaining
and continually improving an information security management system within the context of the
organization. This International Standard also includes requirements for the assessment and treatment
of information security risks tailored to the needs of the organization. The requirements set out in this
International Standard are generic and are intended to be applicable to all organizations, regardless
of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable
when an organization claims conformity to this International Standard.

  • Standard
    35 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    31 pages
    German language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    35 pages
    French language
    sale 10% off
    e-Library read for
    1 day
  • Standard – translation
    31 pages
    Slovenian language
    sale 10% off
    e-Library read for
    1 day

This International Standard gives guidelines for organizational information security standards and
information security management practices including the selection, implementation and management
of controls taking into consideration the organization’s information security risk environment(s).
This International Standard is designed to be used by organizations that intend to:
a) select controls within the process of implementing an Information Security Management System
based on ISO/IEC 27001;[10]
b) implement commonly accepted information security controls;
c) develop their own information security management guidelines.

  • Standard
    95 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard – translation
    89 pages
    Slovenian language
    sale 10% off
    e-Library read for
    1 day

This International Standard specifies characteristics of techniques for performing digital redaction on
digital documents. This International Standard also specifies requirements for software redaction tools
and methods of testing that digital redaction has been securely completed.
This International Standard does not include the redaction of information from databases.
2 Terms

  • Standard
    17 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This International Standard provides guidelines for specific activities in handling digital evidence, which are
identification, collection, acquisition and preservation of digital evidence that may be of evidential value. This
International Standard provides guidance to individuals with respect to common situations encountered
throughout the digital evidence handling process and assists organizations in their disciplinary procedures and
in facilitating the exchange of potential digital evidence between jurisdictions.
This International Standard gives guidance for the following devices and/or functions that are used in various
circumstances:
 Digital storage media used in standard computers like hard drives, floppy disks, optical and magneto
optical disks, data devices with similar functions,
 Mobile phones, Personal Digital Assistants (PDAs), Personal Electronic Devices (PEDs), memory cards,
 Mobile navigation systems,
 Digital still and video cameras (including CCTV),
 Standard computer with network connections,
 Networks based on TCP/IP and other digital protocols, and
 Devices with similar functions as above.
NOTE 1 The above list of devices is an indicative list and not exhaustive.
NOTE 2 Circumstances include the above devices that exist in various forms. For example, an automotive system may
include mobile navigation system, data storage and sensory system.

  • Standard
    48 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This International Standard provides guidelines based on idealized models for common incident
investigation processes across various incident investigation scenarios involving digital evidence. This
includes processes from pre-incident preparation through investigation closure, as well as any general
advice and caveats on such processes. The guidelines describe processes and principles applicable to
various kinds of investigations, including, but not limited to, unauthorized access, data corruption,
system crashes, or corporate breaches of information security, as well as any other digital investigation.
In summary, this International Standard provides a general overview of all incident investigation
principles and processes without prescribing particular details within each of the investigation
principles and processes covered in this International Standard. Many other relevant International
Standards, where referenced in this International Standard, provide more detailed content of specific
investigation principles and processes.

  • Standard
    42 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This International Standard provides guidance on mechanisms for ensuring that methods and processes
used in the investigation of information security incidents are “fit for purpose”. It encapsulates best
practice on defining requirements, describing methods, and providing evidence that implementations of
methods can be shown to satisfy requirements. It includes consideration of how vendor and third-party
testing can be used to assist this assurance process.
This document aims to
— provide guidance on the capture and analysis of functional and non-functional requirements
relating to an Information Security (IS) incident investigation,
— give guidance on the use of validation as a means of assuring suitability of processes involved in the
investigation,
— provide guidance on assessing the levels of validation required and the evidence required from a
validation exercise,
— give guidance on how external testing and documentation can be incorporated in the validation
process.

  • Standard
    29 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This International Standard provides guidance on the analysis and interpretation of digital evidence
in a manner which addresses issues of continuity, validity, reproducibility, and repeatability. It
encapsulates best practice for selection, design, and implementation of analytical processes and
recording sufficient information to allow such processes to be subjected to independent scrutiny
when required. It provides guidance on appropriate mechanisms for demonstrating proficiency and
competence of the investigative team.
Analysis and interpretation of digital evidence can be a complex process. In some circumstances, there
can be several methods which could be applied and members of the investigative team will be required
to justify their selection of a particular process and show how it is equivalent to another process used
by other investigators. In other circumstances, investigators may have to devise new methods for
examining digital evidence which has not previously been considered and should be able to show that
the method produced is “fit for purpose”.
Application of a particular method can influence the interpretation of digital evidence processed by
that method. The available digital evidence can influence the selection of methods for further analysis
of digital evidence which has already been acquired.
This International Standard provides a common framework, for the analytical and interpretational
elements of information systems security incident handling, which can be used to assist in the
implementation of new methods and provide a minimum common standard for digital evidence
produced from such activities.

  • Standard
    25 pages
    English language
    sale 10% off
    e-Library read for
    1 day

The scope of this Recommendation | International Standard is to define guidelines supporting the implementation of
information security controls in telecommunications organizations.
The adoption of this Recommendation | International Standard will allow telecommunications organizations to meet
baseline information security management requirements of confidentiality, integrity, availability and any other relevant
security property.

  • Standard
    41 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This International Standard specifies requirements and provides guidance for bodies providing
audit and certification of an information security management system (ISMS), in addition to the
requirements contained within ISO/IEC 17021-1 and ISO/IEC 27001. It is primarily intended to support
the accreditation of certification bodies providing ISMS certification.
The requirements contained in this International Standard need to be demonstrated in terms of
competence and reliability by any body providing ISMS certification, and the guidance contained in
this International Standard provides additional interpretation of these requirements for any body
providing ISMS certification.
NOTE This International Standard can be used as a criteria document for accreditation, peer assessment or
other audit processes.

  • Standard
    49 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This International Standard provides a privacy framework which
- specifies a common privacy terminology;
- defines the actors and their roles in processing personally identifiable information (PII);
- describes privacy safeguarding considerations; and
- provides references to known privacy principles for information technology.
This International Standard is applicable to natural persons and organizations involved in specifying,
procuring, architecting, designing, developing, testing, maintaining, administering, and operating
information and communication technology systems or services where privacy controls are required
for the processing of PII.

  • Standard
    37 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    37 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This document establishes commonly accepted control objectives, controls and guidelines for
implementing measures to protect Personally Identifiable Information (PII) in line with the privacy
principles in ISO/IEC 29100 for the public cloud computing environment.
In particular, this document specifies guidelines based on ISO/IEC 27002, taking into consideration
the regulatory requirements for the protection of PII which can be applicable within the context of the
information security risk environment(s) of a provider of public cloud services.
This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which provide information processing
services as PII processors via cloud computing under contract to other organizations.
The guidelines in this document can also be relevant to organizations acting as PII controllers. However,
PII controllers can be subject to additional PII protection legislation, regulations and obligations, not
applying to PII processors. This document is not intended to cover such additional obligations.

  • Standard
    35 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    35 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This document provides requirements and recommendations to vendors on the disclosure of
vulnerabilities in products and services. Vulnerability disclosure enables users to perform technical
vulnerability management as specified in ISO/IEC 27002:2013, 12.6.1[1]. Vulnerability disclosure helps
users protect their systems and data, prioritize defensive investments, and better assess risk. The goal
of vulnerability disclosure is to reduce the risk associated with exploiting vulnerabilities. Coordinated
vulnerability disclosure is especially important when multiple vendors are affected. This document
provides:
— guidelines on receiving reports about potential vulnerabilities;
— guidelines on disclosing vulnerability remediation information;
— terms and definitions that are specific to vulnerability disclosure;
— an overview of vulnerability disclosure concepts;
— techniques and policy considerations for vulnerability disclosure;
— examples of techniques, policies (Annex A), and communications (Annex B).
Other related activities that take place between receiving and disclosing vulnerability reports are
described in ISO/IEC 30111.
This document is applicable to vendors who choose to practice vulnerability disclosure to reduce risk
to users of vendors’ products and services.

  • Standard
    42 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This Recommendation | International Standard gives guidelines for information security controls applicable to the
provision and use of cloud services by providing:
– additional implementation guidance for relevant controls specified in ISO/IEC 27002;
– additional controls with implementation guidance that specifically relate to cloud services.
This Recommendation | International Standard provides controls and implementation guidance for both cloud service
providers and cloud service customers.

  • Standard
    44 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This document provides requirements and recommendations for how to process and remediate reported potential vulnerabilities in a product or service.
This document is applicable to vendors involved in handling vulnerabilities.

  • Standard
    21 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This document defines a privacy architecture framework that:
— specifies concerns for ICT systems that process PII;
— lists components for the implementation of such systems; and
— provides architectural views contextualizing these components.
This document is applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining,
administering and operating ICT systems that process PII.
It focuses primarily on ICT systems that are designed to interact with PII principals.

  • Standard
    50 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Draft
    47 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This document specifies requirements and provides guidance for establishing, implementing,
maintaining and continually improving a Privacy Information Management System (PIMS) in the form
of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the
organization.
This document specifies PIMS-related requirements and provides guidance for PII controllers and PII
processors holding responsibility and accountability for PII processing.
This document is applicable to all types and sizes of organizations, including public and private
companies, government entities and not-for-profit organizations, which are PII controllers and/or PII
processors processing PII within an ISMS.

  • Standard
    76 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    82 pages
    French language
    sale 10% off
    e-Library read for
    1 day
  • Draft
    73 pages
    English language
    sale 10% off
    e-Library read for
    1 day

The standard defines the requirements related to the professional activity of subjects active in the processing and protection of
personal data, namely the intellectual profession that is pursued at different levels of complexity and in different organizational
contexts, both public and private.
These requirements are specified, starting from the specific tasks and activities identified, in terms of knowledge, skills and
competence, in accordance with the European Qualifications Framework - EQF and are expressed in such a way as to facilitate and
contribute to harmonize, as far as possible, evaluation and validation processes of learning outcomes.

  • Draft
    52 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This document describes the cybersecurity evaluation methodology for ICT products. It is intended for use for all three assurance levels as defined in the Cybersecurity Act (i.e. basic, substantial and high).
The methodology is comprised of different evaluation blocks including assessment activities that comply with the evaluation requirements of the CSA for the three levels.
Where appropriate, it can be applied both to 3rd party evaluation and self-assessment.
It is expected that this methodology may be used by different candidate schemes and verticals providing a common framework to evaluate ICT products.

  • Draft
    56 pages
    English language
    sale 10% off
    e-Library read for
    1 day

ISO/IEC 27007 provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011:2011.
ISO/IEC 27007 is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.

  • Draft
    45 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This document provides requirements for manufacturers and/or service providers to implement Data protection and Privacy by Design and by Default (DPbDD) early in their development of their products and services, i.e. before (or independently of) any specific application integration, to make sure that they are as privacy ready as possible. The document will be applicable to all business sectors, including the security industry.

  • Draft
    58 pages
    English language
    sale 10% off
    e-Library read for
    1 day

This International Standard provides the overview of information security management systems, and
terms and definitions commonly used in the ISMS family of standards. This International Standard is
applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, notfor-
profit organizations).

  • Standard
    42 pages
    English language
    sale 10% off
    e-Library read for
    1 day