Which cyber security standard should you use?

There are various cyber security standards available – some well known, others not so. But what makes them different and what should they be used for?

Well, ISO/IEC 27001 is often referred to as the standard for cyber security. It lays out the requirements for implementing an information security management system (ISMS).

ISO/IEC 27001 in itself is fairly generic, as you would expect from a standard that can be employed by any organisation. But used in conjunction with ISO/IEC 27032, the standard seeks to address many of the issues posed by cyber risks.

Traditionally, ISO/IEC 27001 has been seen as only a standard large organisations can look to certify against. This is in fact far from the truth.

‘Standards are vital so that IT professionals can provide systems that last.’
Tim Berners-Lee

PAS 555 is a new document from BSI which clouds the situation slightly, yet it really shouldn’t. Both ISO/IEC 27001 and PAS 555 are meant for different audiences. PAS 555 is targeted at organisations that wouldn’t normally touch standards and that don’t want to go about implementing an ISMS.

It details what effective cyber security looks like (the what) rather than focusing on how to implement processes and procedures (the how). With this focus, PAS 555 enables you to utilise your own best practices and ways of working to achieve effective cyber security.

The IEC 62443 family of standards, on the other hand, has been created to address a specific need – the cyber security of industrial control systems. Post Stuxnet, the security of these systems has become ever more important.

Many organisations make use of industrial control systems – power companies, water companies, etc. – and these systems could fall vulnerable to cyber attack. What IEC 62443 does is lay out the requirements for a cyber security management system (CSMS).

Organisations making use of industrial control systems should look to address the cyber security of these systems using a CSMS that meets the requirements laid out in IEC 62443.

ISACA are now offering COBIT 5 as a way of enhancing the cyber security of an organisation. In their latest book, Transforming Cybersecurity Using COBIT 5, ISACA provide guidance on a framework based on COBIT 5 that can be employed to boost the cyber security of an organisation.

Though not a standard as such, COBIT does offer a source of best practice that many organisations do follow.

Whichever standard you use, whatever your industry and the size or type of your organisation, there is a plethora of standards to choose from to boost the cyber security of your organisation!
