Standards and Frameworks

This compendium of IT and Information Security standards and frameworks is summarised from the original sources for information only. Readers must consult the authoritative sources for the actual guidelines.

Standards relevant to Critical Sector Entities

The table below gives an illustrative list of the IS/ISO/IEC standards that are relevant to critical sectors.

| Sector, Sub-Sector, [Regulator], <Ministry> | Generic, across all Sectors | Sector-Specific |
|---|---|---|
| A. All entities | Type A MSS (regarding management system requirements, e.g. ISO 9001): ISO 27001 (ISMS), ISO 22301 (BCMS), ISO 20000-1 (SMS), ISO 27701 (PIMS). Type B MSS (regarding guidelines, e.g. ISO 9004): ISO 27002, 27003, 27004, 27005, 27010, 27013, 27014, ISO 27017, ISO 27018, ISO 27019, ISO 27032, ISO 20000-2, ISO 22300, ISO 22313, ISO/TS 22317, ISO/TS 22318, ISO/TS 22330, ISO/TS 22331, ISO/TS 22332 | NIL |
| B. Entities using cloud services | ISO 27001, ISO 27002, ISO 27017, ISO 27018, ISO 22301 | NIL |
| C. Entities providing cloud services | ISO 27001, ISO 27002, ISO 27017, ISO 27018, ISO 22301 | NIL |
| D. Power Sub Sector [CEA] | ISO 27001, ISO 27002, ISO 27017, ISO 27018, ISO 22301 | ISO 27019, IEC 62443, IEC 60870 |
| E. Energy Sub Sector [DGH] | ISO 27001, ISO 27002, ISO 27017, ISO 27018, ISO 27019, ISO 22301 | ISO 27019, IEC 62443, IEC 60870 |
| F. Banking Sub Sector [RBI] | ISO 27001, ISO 27002, ISO 27017, ISO 27018, ISO 22301, ISO 27701 | ISO 27015, PCI DSS, SWIFT, ISO 15022, ISO 20022 |
| G. Financial Services Sub Sector [SEBI] | ISO 27001, ISO 27002, ISO 27017, ISO 27018, ISO 22301, ISO 27701 | ISO 27015, PCI DSS, SWIFT, ISO 15022, ISO 20022 |
| H. Insurance Sub Sector [IRDA] | ISO 27001, ISO 27002, ISO 27017, ISO 27018, ISO 22301, ISO 27701 | ISO 27015 |
| I. Pensions Sub Sector [PFRDA] | ISO 27001, ISO 27002, ISO 27017, ISO 27018, ISO 22301, ISO 27701 | ISO 27015 |
| J. Telecom Sector [DOT] | ISO 27001, ISO 27002, ISO 27017, ISO 27018, ISO 22301, ISO 27701 | ISO 27011 |
| K. Transport Sector, Airports [DGCA] | ISO 27001, ISO 27002, ISO 27017, ISO 27018, ISO 22301 | NIL |
| L. Transport Sector, Ports <MoPSW> | ISO 27001, ISO 27002, ISO 27017, ISO 27018, ISO 22301 | NIL |
| M. Transport Sector, Railways <MoR> | ISO 27001, ISO 27002, ISO 22301 | NIL |
| N. Transport Sector, Metro Rail <MoHUD> | ISO 27001, ISO 27002, ISO 22301 | NIL |
| O. Transport Sector, Roads <MoRTH> | ISO 27001, ISO 27002, ISO 22301 | NIL |
| P. Government Sector <MeitY> | ISO 27001, ISO 27002, ISO 27017, ISO 22301 | NISPG v5.0 |
| Q. S&PE Sector <DAE, DoS, MoES> | ISO 27001, ISO 27002, ISO 22301 | NIL |
| R. Health Sector <MoHFW> | ISO 27001, ISO 27002, ISO 27017, ISO 27018, ISO 22301, ISO 27701, ISO 27799 | ISO 27799 (PHI) |
| S. Defence Sector <MoD> | ISO 27001, ISO 27002, ISO 27017, ISO 27018, ISO 22301, ISO 27701 | NIL |

International IT and Information Security Standards

The table below gives an overview of the international standards and frameworks that are useful to critical sectors.

Each entry below names the Standard and then gives its Overview, Purpose, Audience and Usage.

A. Management Standards & Guidance (IS/ ISO/ IEC, Others)
These support governance and leadership functions at all levels and can be considered overarching documents for the sound governance of an organization. Using MSS is a practical way of supporting decisions resulting from the implementation of a MS.

https://www.iso.org/management-system-standards.html
https://www.iso.org/management-system-standards-list.html
 ISO Family Type A MSS (Certifiable Management System Standards):
9001 (QMS), 14001 (EMS), ISO 27001 (ISMS), 27017, 27019, 19770-1 (ITAM), 20000-1 (ServiceMS), 22301 (BCMS), 27701 (Privacy), 28000 (SecurityMS), 28001 (Supply Chain), 28002 (Supply Chain Resilience), 30301 (Records), 30401 (KMS)
a) Contains requirements against which an organization can claim conformance. MSSs containing a mix of requirements and guidelines are considered Type A MSSs.

b) To claim conformance with a standard, an organization needs evidence that it is meeting the requirements. Such evidence gathering is done by an audit. There are three types of audits: first-party, second-party and third-party. First-party audits are internal audits; second- and third-party audits are external audits. A third-party audit by an accredited Certification Body (CB) can result in certification.
 ISO 20000-1:2018

Service Management System (SMS) requirements
This document specifies requirements for an organization to establish, implement, maintain and continually improve a service management system (SMS). The requirements specified in this document include planning, design, transition, delivery and improvement of services to meet the service requirements and deliver value.
 ISO 27001:2022

Information Security Management System (ISMS) requirements
Specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation. Section 6.1.3, Information security risk treatment process, requires an organisation to determine all controls that are necessary to implement the chosen information security risk treatment option(s). The sources of such controls are:

a) Organisations can design controls as required or identify them from any source.

b) Regulators and national nodal agencies can define cybersecurity controls, adapted from various Technical Standards, and mandate that CSEs include them within their ISMS (by including them as per Section 6.1.3 of ISO 27001).
 ISO 27017:2015

Code of practice for information security controls based on ISO/IEC 27002 for cloud services
Provides controls and implementation guidance for both cloud service providers and cloud service customers. Gives guidelines for information security controls applicable to the provision and use of cloud services by providing:

a) additional implementation guidance for relevant controls specified in ISO/IEC 27002;

b) additional controls with implementation guidance that specifically relate to cloud services.
 ISO 27019:2024

Information security controls for the energy utility industry
Provides guidance based on ISO/IEC 27002 applied to process control systems used by the energy utility industry for controlling and monitoring the production or generation, transmission, storage and distribution of electric power, gas, oil and heat, and for the control of associated supporting processes.

Also includes a requirement to adapt the risk assessment and treatment processes described in ISO/IEC 27001 to the energy utility industry.
 ISO 22301:2019

Business Continuity Management Systems (BCMS) requirements
Specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise.
   
 ISO Family Type B MSS (Guidance Standards):
27002, 27003, 27004, 27005, 27010, 27013 (ISMS+SMS), 27014, 28004-x, 30302, 31000, 38500, 90003
a) Usually provides guidance on the application of a Type A MSS. However, some Type B MSSs are independent.

b) Certification can only take place against a document that contains requirements. Therefore, Type B MSS cannot be certified against.
 ISO 27002:2022

Information security controls
Provides a reference set of generic information security controls including implementation guidance. This document is designed to be used by organisations:

a) within the context of an ISMS based on ISO/IEC 27001;

b) for implementing information security controls based on internationally recognised best practices;

c) for developing organisation-specific information security management guidelines.
 ISO 27003:2017

ISMS implementation guidelines
Provides guidance on implementation of the standard including project approval, scope, analysis, risk assessment, and ISMS design.
 ISO 27004:2016

ISMS monitoring, measurement, analysis and evaluation
Provides guidelines to assist organisations in evaluating the information security performance and the effectiveness of an ISMS. It establishes:

a) the monitoring and measurement of information security performance.

b) the monitoring and measurement of the effectiveness of an ISMS including its processes and controls.

c) the analysis and evaluation of the results of monitoring and measurement.
 ISO 27005:2022

Information security risk management
Provides guidelines for information security risk management to assist the satisfactory implementation of information security based on a risk management approach.
ISO 27006:2024

Requirements for certification bodies providing audit and certification of ISMS
Specifies requirements and provides guidance for bodies providing audit and certification of an ISMS. It is primarily intended to support the accreditation of certification bodies providing ISMS certification. This International Standard can be used as a criteria document for accreditation, peer assessment or other audit processes.
ISO 27007:2020

Guidelines for information security management systems auditing
Provides guidance on managing an ISMS audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011.
ISO 27008:2019

Guidelines for the assessment of information security controls
Provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, in compliance with an organisation’s established information security requirements including technical compliance against assessment criteria based on the information security requirements established by the organisation.
 ISO 27010:2015

Information security management for inter-sector and inter-organizational communications
Provides controls and guidance relating to initiating, implementing, maintaining, and improving information security in inter-organizational and inter-sector communications, using established messaging and other technical methods.

This is applicable to all forms of exchange and sharing of sensitive information, both public and private, nationally and internationally, within the same industry or market sector or between sectors. In particular, it may be applicable to information exchanges and sharing relating to the provision, maintenance and protection of an organization’s or nation state’s critical infrastructure. It is designed to support the creation of trust when exchanging and sharing sensitive information, thereby encouraging the international growth of information sharing communities.
 ISO 27011:2024

Information security controls based on ISO/IEC 27002 for telecommunications organizations
Provides guidelines supporting the implementation of information security controls in telecommunications organizations.
 ISO 27013:2021

Integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
Gives guidance on the integrated implementation of ISO/IEC 27001 (ISMS) and ISO/IEC 20000-1 (SMS) for organizations intending to:

a) implement ISO/IEC 27001 when ISO/IEC 20000-1 is already implemented, or vice versa;

b) implement both ISO/IEC 27001 and ISO/IEC 20000-1 together; or

c) integrate existing management systems based on ISO/IEC 27001 and ISO/IEC 20000-1.
 ISO 27014:2020

Governance of information security
Provides guidance on concepts, objectives and processes for the governance of information security. Intended audience are i) governing body and top management; ii) those responsible for evaluating, directing and monitoring an ISMS based on ISO/IEC 27001; iii) those responsible for information security management that takes place outside the scope of an ISMS based on ISO/IEC 27001, but within the scope of governance.
 ISO/IEC 27035-1:2023

Information security incident management — Part 1
Principles of incident management
 ISO/IEC 27035-2:2023

Information security incident management — Part 2
Guidelines to plan and prepare for incident response
 ISO/IEC 27035-3:2020

Information security incident management — Part 3
Guidelines for ICT incident response operations
 ISO/IEC 27035-4:2024

Information security incident management — Part 4
Coordination
 ISO/IEC 27036-1:2021

Supplier relationships — Part 1 Overview and concepts
Provides an overview of the guidance intended to assist organizations in securing their information and information systems within the context of supplier relationships. Addresses perspectives of both acquirers and suppliers.
 ISO/IEC 27036-2:2022

Supplier relationships — Part 2: Requirements
Specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships.

These requirements cover any procurement and supply of products and services, such as manufacturing or assembly, business process procurement, software and hardware components, knowledge process procurement, build-operate-transfer and cloud computing services.

To meet the requirements, it is expected that an organization has internally implemented a number of foundational processes or is actively planning to do so. These processes include, but are not limited to: business management, risk management, operational and human resources management, and information security.
 ISO/IEC 27036-3:2023

Information security for supplier relationships — Part 3: Guidelines for information and communication technology supply chain security
Provides product and service acquirers and suppliers in the information and communication technology (ICT) supply chain with guidance on:

a) Gaining visibility into and managing the information security risks caused by physically dispersed and multi-layered ICT supply chains;

b) Responding to risks stemming from the global ICT supply chain to ICT products and services that can have an information security impact on the organizations using these products and services. These risks can be related to organizational as well as technical aspects (e.g. insertion of malicious code or presence of the counterfeit information technology (IT) products);

c) Integrating information security processes and practices into the system and software lifecycle processes, described in ISO/IEC 15288 and ISO/IEC 12207, while supporting information security controls, described in ISO/IEC 27002.
 ISO/IEC 27036-4:2016

Information security for supplier relationships — Part 4: Guidelines for security of cloud services
Provides cloud service customers and cloud service providers with guidance on

a) gaining visibility into the information security risks associated with the use of cloud services and managing those risks effectively, and

b) responding to risks specific to the acquisition or provision of cloud services that can have an information security impact on organizations using these services.
 ISO 31000:2018

Risk management — Guidelines
Enterprise Risk Management (ERM), whose subset is Information Security Risk Management.

Provides a common approach to managing any type of risk and is not industry or sector specific.
 ISO 38500:2015

Governance of IT for the organization
Defines the governance of IT as a subset of organizational/ corporate governance. Its purpose is to promote effective, efficient, and acceptable use of IT in all organizations.

Applies to the governance of the organization’s current and future use of IT including management processes and decisions related to the current and future use of IT. These processes can be controlled by IT specialists within the organization, external service providers, or business units within the organization.

The purpose is to promote effective, efficient, and acceptable use of IT in all organizations by:

a) Assuring stakeholders that, if the principles and practices proposed by the standard are followed, they can have confidence in the organization’s governance of IT,

b) Informing and guiding governing bodies in governing the use of IT in their organization, and

c) Establishing vocabulary for the governance of IT.
 ISO 38501:2015

Governance of IT — Implementation guide
Provides guidance on implementation of governance of IT.
 ISO 38505-1:2017

Governance of IT — Governance of data — Part 1
Defines the governance of data as a subset or domain of the governance of IT.
ISACA COBIT 2019

COBIT is a framework for enterprise governance of information and technology.
NCIIPC-QCI Conformity Assessment Framework for CSEs (2024)

A set of Schemes for Cyber Security Management System (CSMS) for CSEs (CSMS Levels 1, 2 and 3), Certification of Cybersecurity Professionals, Accreditation of Consultancy Organisations and Training Bodies.
   
B. Technical Standards & Guidance (NIST, CIS, Others)

a) Provide information about various technical controls to achieve cyber resilience in systems, networks etc. Also provide guidance and best practices for their implementation.

b) Usually, no processes are defined in these standards as to how the controls should be managed by an organisation.

c) The technical controls by themselves are descriptive in nature, describing the Control Objective and the Control itself. They correspond to Type B MSS (guidance documents).

d) Mandatory application of technical controls is usually prescribed by regulators like RBI, CEA etc, as well as nodal agencies like NCIIPC, CERT-In, NSCS. There are similar/ equivalent regulators and nodal agencies in other countries.

e) Technical controls are useful to establish the trustworthiness of systems, viz functionality and assurance.
ISO/IEC/IEEE 42010:2011

Systems and software engineering — Architecture description
This International Standard addresses the creation, analysis and sustainment of architectures of systems through architecture descriptions. It provides a basis on which to compare and integrate architecture frameworks by providing a common ontology for specifying their contents.
ISO/IEC/IEEE 24748-1:2024

Systems and software engineering — Part 1: Guidelines for life cycle management (available as a no-cost download)
This document facilitates the joint usage of the process content of the latest revisions of both ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207, by providing unified and consolidated guidance on life cycle management of systems and software. This is to help ensure consistency in system concepts and life cycle concepts, models, stages, processes, process application, key points of view, adaptation and use in various domains that will help project teams design a life cycle model for managing the progress of their project. ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207 are the documents that apply the concepts found in this document to specific processes.
ISO/IEC/IEEE 15288:2023

Systems and software engineering — System life cycle processes
Establishes a common framework of process descriptions for describing the life cycle of systems created by humans. It defines a set of processes and associated terminology from an engineering viewpoint. These processes can be applied at any level in the hierarchy of a system’s structure. Selected sets of these processes can be applied throughout the life cycle for managing and performing the stages of a system’s life cycle. This is accomplished through the involvement of all stakeholders.

Provides processes that support the definition, control and improvement of the system life cycle processes used within an organization or a project. Organizations and projects can use these processes when acquiring and supplying systems.
ISO/IEC/IEEE 12207:2017

Systems and software engineering — Software life cycle processes
Provides processes that can be employed for defining, controlling, and improving software life cycle processes within an organization or a project.

The processes, activities, and tasks can also be applied during the acquisition of a system that contains software.

The choice of whether to apply ISO/IEC/IEEE 12207 for the software life cycle processes, or ISO/IEC/IEEE 15288, System life cycle processes, depends on the system-of-interest. Processes in both documents have the same process purpose and process outcomes but differ in activities and tasks to perform software engineering or systems engineering respectively.
NIST SP 800-160 Vol. 1 Rev. 1, 16 Nov 22

Engineering Trustworthy Secure Systems (available as a no-cost download)
This publication describes a basis for establishing principles, concepts, activities, and tasks for engineering trustworthy secure systems. Such principles, concepts, activities, and tasks can be effectively applied within systems engineering efforts to foster a common mindset to deliver security for any system, regardless of the system’s purpose, type, scope, size, complexity, or the stage of its system life cycle. The intent of this publication is to advance systems engineering in developing trustworthy systems for contested operational environments (generally referred to as systems security engineering).
NIST SP 800-160 Vol. 2 Rev. 1, 09 Dec 21

Developing Cyber-Resilient Systems: A Systems Security Engineering Approach (available as a no-cost download)
This document focuses on cyber resiliency engineering, an emerging specialty systems engineering discipline applied in conjunction with systems security engineering and resilience engineering to develop survivable, trustworthy secure systems. Cyber resiliency engineering intends to architect, design, develop, implement, maintain, and sustain the trustworthiness of systems with the capability to anticipate, withstand, recover from, and adapt to adverse conditions, stress, attacks, or compromises that use or are enabled by cyber resources. From a risk management perspective, cyber resiliency is intended to help reduce the mission, business, organizational, enterprise, or sector risk of depending on cyber resources.
 NIST SP 800-53rev5
The control catalog addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms provided by the controls) and from an assurance perspective (i.e., the measure of confidence in the security or privacy capability provided by the controls).

Controls are organized into 20 families and over 1000 controls.
Significant changes in SP 800-53rev5:

a) Making the controls more outcome-based by removing the entity responsible for satisfying the control (i.e., information system, organization) from the control statement;

b) Separating control selection processes from the controls, thereby allowing the controls to be used by different communities of interest;

c) Removing control baselines and tailoring guidance from the publication and transferring the content to SP 800-53B;

d) Clarifying the relationship between requirements and controls;

e) Incorporating new, state-of-the-practice controls (e.g., controls to support cyber resiliency, support secure systems design, and strengthen security and privacy governance and accountability) based on the latest threat intelligence and cyber-attack data.
 NIST SP 800-53A
Provides guidance on assessing the effectiveness of controls.
a) Security and privacy control assessments are the principal vehicle used to verify that selected security and privacy controls are implemented and meet the stated goals and objectives. They are not about checklists, simple pass/fail results, or paperwork to pass inspections or audits.

b) SP 800-53A facilitates security control assessments and privacy control assessments conducted within an effective risk management framework. A major design objective for SP 800-53A is to provide an assessment framework and initial starting point for assessment procedures that are flexible enough to meet the needs of different organizations while providing consistency in conducting control assessments.
NIST SP 800-53B

Security and privacy control baselines, guidance for tailoring control baselines and for developing overlays to support the security and privacy requirements of stakeholders and their organizations.
a) Organizations select a security control baseline (low-impact, moderate-impact, high-impact baseline) and privacy control baseline as described in Chapter Three.

b) Once the control baseline is selected, organizations apply the tailoring guidance provided in Chapter Two to help ensure that the resulting controls are necessary and sufficient to manage security risk and privacy risk.
NIST SP 800-53 Appendix C

Two fundamental concepts that affect the trustworthiness of systems are functionality and assurance.
a) Functionality is defined in terms of the security and privacy features, functions, mechanisms, services, procedures, and architectures implemented within organizational systems and programs and the environments in which those systems and programs operate.

b) Assurance is the measure of confidence that the system functionality is implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system, thus possessing the capability to accurately mediate and enforce established security and privacy policies.
 NIST CSF v2.0 (2024)

CSF is a risk-based approach to managing cybersecurity risk. It is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles.
Provides a common taxonomy and mechanism for organizations to:
1) Describe their current cybersecurity posture;
2) Describe their target state for cybersecurity;
3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
4) Assess progress toward the target state;
5) Communicate among internal and external stakeholders about cybersecurity risk.
 CNSSI No. 1253, 27 Mar 2014
Companion document to the NIST publications relevant to categorization and security control selection
Identify applicability of security controls in SP 800-53 based on impact values.
The 3-by-3 matrix has nine columns showing three possible impact values (low, moderate, or high) for each of the three security objectives (confidentiality, integrity, or availability).
 NIST SP 800-37rev2, 20 Dec 2018
Provides a comprehensive risk management process.
NIST SP 800-37 defines two approaches for the selection of security and privacy controls:

a) Baseline control selection approach uses control baselines, which are predefined sets of controls specifically assembled to meet the protection needs of a group, organization, or community of interest. The control baselines serve as a starting point for the protection of individuals’ privacy, information, and information systems.

b) Organization-generated control selection approach.
 NIST SP 800-39, 01 Mar 2011
Provides guidance on risk management processes and strategies.
Provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.
 NIST SP 800-30rev1, 17 Sep 2012
Provides guidance on the risk assessment process.
Provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process—providing senior leaders and executives with information to determine appropriate courses of action in response to identified risks.
CIS Critical Security Controls V8

CIS Controls V8 combines and consolidates the CIS Controls by activities, rather than by who manages the devices. CIS CSC V8 has 18 Controls, 153 Safeguards and 3 Implementation Groups.
NERC CIP Standards

Maintained by the North American Electric Reliability Corporation (NERC), an international regulatory authority under the oversight of the Federal Energy Regulatory Commission (FERC). The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) plan is a set of standards aimed at regulating, enforcing, monitoring and managing the security of the Bulk Electric System (BES) in North America. These standards apply specifically to the cybersecurity aspects of the BES. The CIP standards provide a cybersecurity framework to identify and secure critical assets that can impact the efficient and reliable supply of electricity of North America’s BES.
ISA/IEC 62443 Family

The ISA/IEC 62443 series of standards defines requirements and processes for implementing and maintaining electronically secure industrial automation and control systems (IACS).

https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards

https://www.iec.ch/understanding-standards
ISA-62443-1-1-2007

Security for Industrial Automation and Control Systems Part 1-1: Terminology, Concepts, and Models
Formerly designated ANSI/ISA-99.00.01-2007, this is the first in a series of ISA standards that addresses the subject of security for industrial automation and control systems. The focus is on the electronic security of these systems, commonly referred to as cyber security. This Part 1 standard describes the basic concepts and models related to cyber security.

ISA-62443-1-1 defines seven Foundational Requirements (FRs): Identification and authentication control (IAC), Use control (UC), System integrity (SI), Data confidentiality (DC), Restricted data flow (RDF), Timely response to events (TRE) and Resource availability (RA). These seven FRs are the foundation for defining control system security capability levels.
ISA-62443-2-1-2024

Security for Industrial Automation and Control Systems Part 2-1: Establishing an Industrial Automation and Control Systems Security Program
Describes the elements contained in a cyber security management system for use in the industrial automation and control systems environment and provides guidance on how to meet the requirements described for each element.
ISA-TR62443-2-3-2015

Security for industrial automation and control systems Part 2-3: Patch management in the IACS environment
Describes requirements for asset owners and industrial automation and control system (IACS) product suppliers that have established and are now maintaining an IACS patch management program. Recommends a defined format for the distribution of information about security patches from asset owners to IACS product suppliers, a definition of some of the activities associated with the development of the patch information by IACS product suppliers, and deployment and installation of the patches by asset owners.
ANSI/ISA-62443-2-4-2018 / IEC 62443-2-4:2015

Security for industrial automation and control systems, Part 2-4: Security program requirements for IACS service providers
Specifies a comprehensive set of requirements for security capabilities for IACS service providers that they can offer to the asset owner during integration and maintenance activities of an Automation Solution.
 IEC/TR 62443-3-1-2009
Industrial communication networks – Network and system security – Part 3-1: Security technologies for industrial automation and control systems
Provides a current assessment of various cybersecurity tools, mitigation counter-measures, and technologies that may effectively apply to the modern electronically based IACSs regulating and monitoring numerous industries and critical infrastructures. It describes several categories of control system-centric cybersecurity technologies, the types of products available in those categories, the pros and cons of using those products in the automated IACS environments, relative to the expected threats and known cyber vulnerabilities, and, most important, the preliminary recommendations and guidance for using these cybersecurity technology products and/or countermeasures.


https://standards.globalspec.com/std/1183300/IEC/TR%2062443-3-1
 ANSI/ISA-62443-3-2-2020, Security for industrial automation and control systems, Part 3-2: Security risk assessment for system design
Establishes requirements for defining a system under consideration (SUC) for an industrial automation and control system (IACS); partitioning the SUC into zones and conduits; assessing risk for each zone and conduit; establishing the target security level (SL-T) for each zone and conduit; and documenting the security requirements.
 ANSI/ISA-62443-3-3-2013, Security for industrial automation and control systems, Part 3-3: System security requirements and security levels
a) Provides detailed technical control system requirements (SRs) associated with the seven foundational requirements (FRs) described in ISA-62443-1-1.
b) Defines the requirements for control system security levels, SL-C (control system). These requirements are used by the various members of the industrial automation and control system (IACS) community, together with the zones and conduits defined for the system under consideration (SuC), when developing the appropriate control system target security level, SL-T (control system), for a specific asset.
 ANSI/ISA-62443-4-1-2018, Security for industrial automation and control systems, Part 4-1: Secure product development lifecycle requirements
Specifies process requirements for the secure development of products used in industrial automation and control systems. It defines a secure development life-cycle (SDL) for the purpose of developing and maintaining secure products. This life-cycle includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management and product end-of-life. These requirements can be applied to new or existing processes for developing, maintaining and retiring hardware, software or firmware for new or existing products. They apply to the developer and maintainer of the product, but not to the integrator or user of the product.
 ANSI/ISA-62443-4-2-2018, Security for industrial automation and control systems, Part 4-2: Technical security requirements for IACS components
a) Provides detailed technical control system component requirements (CRs) associated with the seven foundational requirements (FRs) described in ISA-62443-1-1.
b) Defines the requirements for control system component capability security levels, SL-C (component); defining these capability security levels is the goal and objective of this document.
c) Target security levels (SL-T) and achieved security levels (SL-A) are out of scope.
 AICPA SOC (System and Organization Controls) 1, 2, 3

https://www.aicpa-cima.com/search/soc
System and Organization Controls, better known as the SOC framework, was developed by the American Institute of Certified Public Accountants (AICPA). It is a suite of service offerings that CPAs may provide in connection with the system-level controls of a service organization or the entity-level controls of other organizations. There are three types of SOC for Service Organization engagements: SOC 1, SOC 2 and SOC 3.

https://ssae-18.org/
 PCI Data Security Standard (PCI DSS) by the Payment Card Industry Security Standards Council (PCI SSC)

https://www.pcisecuritystandards.org/
The PCI SSC is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.

PCI DSS was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect payment account data.

https://www.pcisecuritystandards.org/standards/pci-dss/
 SWIFT

https://www.swift.com/
SWIFT is a global member-owned cooperative and provider of secure financial messaging services. It operates a globally inclusive, trusted and reliable infrastructure to send and receive financial transactions.

Swift Standards works with the user community to specify and publish Market Practice: rules and best-practice advice on how standards should be deployed to meet business needs or to comply with regulation.

The Swift Standards group maintains several important message standards. The Swift MT standard is used for international payments, cash management, trade finance and treasury business. Swift Standards, under contract to ISO, also maintains two open messaging standards: ISO 15022 used for securities settlement and asset servicing, and ISO 20022 scoped to all financial industry processes.
 Cloud Security Alliance (CSA)

https://cloudsecurityalliance.org/
CSA is one of the world’s leading organizations committed to awareness, practical implementation, and certification for the future of cloud and cybersecurity.

The CSA has a Security, Trust, Assurance and Risk (STAR) program for security assurance in the cloud. The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing. It is composed of 197 control objectives that are structured in 17 domains covering all key aspects of cloud technology. It can be used as a tool for systematic assessment of cloud implementation, providing guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing.

https://cloudsecurityalliance.org/research/guidance
 HITRUST

https://hitrustalliance.net/
HITRUST offers a portfolio of assessments and certifications to validate the security of systems, data, and environments. The HITRUST CSF is a comprehensive, threat-adaptive control library harmonizing 60+ frameworks and standards. It enables tailored, risk-based assessments and supports consistent, efficient cybersecurity and compliance across varied industry needs.
 Health Insurance Portability and Accountability Act (HIPAA)

https://www.hhs.gov/hipaa/index.html
The USA’s Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes federal standards protecting sensitive health information from disclosure without the patient’s consent. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement HIPAA requirements.

Indian entities use HIPAA primarily when dealing with US healthcare data or clients. They also implement HIPAA-like safeguards to meet global data security standards.
 Secure Controls Framework (SCF)

https://www.securecontrolsframework.com/
SCF is a volunteer-driven meta framework with a catalog of controls from over 100 cybersecurity and data privacy laws, regulations and frameworks. The SCF control catalog contains over 1200 controls and is logically organised into 33 domains.

The SCF normalises disparate control language into something that is usable across technology, cybersecurity, privacy and other departments where they can share the same control language. Thus, the SCF enables both intra- and inter-organisation standardisation.

SCF is useful for entities that must comply with multiple standards (e.g., ISO 27001, SOC 2, PCI DSS, NIST CSF). The Indian Digital Personal Data Protection Act 2023 and the Information Technology Rules (Privacy Rules) are already included in the SCF control catalog. Other authoritative sources of Law, Regulation or Framework (LRF) prescribed by Indian regulators, QCI etc. can also be added.
MITRE Frameworks
MITRE ATT&CK

https://attack.mitre.org/
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
MITRE D3FEND

https://d3fend.mitre.org/
MITRE D3FEND is a framework of defensive countermeasures that help in assessing, planning and tailoring the defences for generally known ATT&CK tactics.

The countermeasures address every stage of the attack cycle. The five main defensive techniques are Harden, Detect, Isolate, Deceive, and Evict.

D3FEND can assist organisations in creating standard vocabulary for the specific functions of countermeasures. The defensive functions of the organisation can be validated against a corresponding ATT&CK offensive technique to help identify gaps and weaknesses.
MITRE Engage

https://engage.mitre.org/
MITRE Engage is a framework for planning and discussing adversary engagement operations. It provides defenders with goal-driven approaches to evolve their defenses and remain in control. The adversary engagement approach helps defenders craft internal deception infrastructure to expose, manipulate, and understand their adversaries.
MISP

https://www.misp-project.org/
MISP is an open-source threat intelligence sharing platform. Its documentation is maintained at https://github.com/MISP/misp-book.

CIRCL operates several MISP instances (for different types of constituents) to improve automated detection and responsiveness to targeted and cybersecurity attacks in Luxembourg and outside.

https://www.circl.lu/services/misp-malware-information-sharing-platform/
ITIL Service Management Framework
ITIL 4.0 comprises 34 practices grouped into three areas of management: General Management Practices, adopted and adapted for service management from general business management domains (14 practices); Service Management Practices, developed in the service management and ITSM industries (17 practices); and Technical Management Practices, adapted from technology management domains for service management purposes by expanding or shifting their focus from technology solutions to IT services (3 practices).
ISO/IEC Service Management Framework
The ISO/IEC 20000 series of standards is a set of documents that detail what needs to be done to build an IT Service Management System (ITSM). Though very similar to each other, ISO/IEC 20000 gives a framework and methodology for ITSM, while ITIL gives the best practices for it.

Explanatory Notes

Many of the IS, ISO, IEC and ITU-T standards are mandated by the regulatory bodies and national nodal agencies. Any guidance that is based on IS, ISO, IEC, ITU-T standards provides the following advantages:

  • These standards are maintained and regularly updated by an international panel of experts, which also has Indian participation.

  • The ISO standards can be easily extended to include any additional requirements, especially those that are defined under the Indian law and regulation, or available in global frameworks like NIST, CIS, CSA etc. 

  • The standards can provide a common baseline reference amongst all the NCRF stakeholders, especially in the i) definition and usage of various terms, ii) governance, management, risk, compliance and audit frameworks, iii) implementation and continual improvement approaches, and iv) standardisation of processes related to verification, validation, measurement and audit. The common baseline reference will ensure that the possibility of misunderstanding amongst the stakeholders is minimal.

  • Entities can get their organisations certified against specific management standards. The entities can also procure and use the other guidance and technical standards to help them in maximising the effectiveness during implementation.

  • There will be synergy between the entities and their internal/ external experts, consultants, implementers and auditors, since everyone refers to the same set of standards. In practice, this is already being done with regard to popular standards such as ISO 9000, ISO 27000 and IEC 62443 series.

  • The oversight mechanism of Government bodies, regulators and national nodal agencies is easily harmonised when all bodies adopt a commonly accepted set of standards.

  • There is already a large pool of consultants, implementers and auditors in India, who have the knowledge, expertise and experience in implementing and auditing entities based on these standards. Capacity building of this pool, both in terms of quantity of personnel and quality of expertise, can be taken up through various national and international forums. Both ISO and IEC invest in strengthening the skills of its members, both at the human and the organisational level, through extensive training and technical assistance programmes. The capacity building programmes of ISO and IEC may be explored further.

  • BIS, a member of ISO and IEC, has a mechanism in place for standardisation and supply of standards at reasonable prices within the Indian ecosystem. Similarly, Department of Telecom (DoT) represents India at the ITU-T and QCI is a member of the International Accreditation Forum (IAF), a worldwide association of accreditation bodies and other bodies interested in conformity assessment. Through these organisations, the Indian Government and ecosystem can maximise the effectiveness of use of globally recognised standards and frameworks.

  • The ISO and IEC are exploring new ways to provide dynamic deliverables that adapt to the needs of users in a much more flexible way. Together, they are developing a common vision for Standards that are Machine Applicable, Readable and Transferable (SMART) [5, 6]. The SMART standards will be modular, machine readable, and eventually, machine interpretable and executable. The corresponding Indian Standards can hugely benefit from this initiative.

In view of the advantages listed above, the concepts and guidance have been built upon and aligned with a selected set of IS, ISO, IEC and ITU-T reference standards that are relevant and applicable to the Indian ecosystem. All the stakeholders are encouraged to develop their understanding of the core principles, approaches, methods and processes described in this base set of standards, so that the concepts and guidance can be used effectively.

The regulated and critical sector entities will benefit significantly if they obtain further guidance from the IS/ISO/IEC and other standards listed below:

  • Governance of IT and information security, based on ISO/IEC 38500, ISO/IEC 27014, COBIT etc.

  • Service Management Systems (SMS), typically based on the IS/ISO/IEC 20000 family.

  • Information Security Management Systems (ISMS), typically based on the IS/ISO/IEC 27000 family, including sector-specific standards.

  • ISO 27013, which assists organisations in implementing both ISO 27001 and ISO 20000-1 concurrently, or in implementing one where the other is already in place.

  • OT security, typically based on the IEC 62443 series.

  • Other standards related to IT asset management, audit etc.

  • Other frameworks such as NIST, CIS, CSA etc.