APPENDIX A

INFORMATION SECURITY STANDARDS RELEVANT TO CISMP, PCIIRM AND PCIBCM EXAMINATIONS

Business continuity standards (BS), published documents (PD) and business information publications (BIP)

BS 25777:2008 – Information and communications technology continuity management. Code of practice (replaced by ISO/IEC 27031:2011 (below)).

ISO/IEC 27031:2011 Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity.

BS 25999-1:2006 Business continuity management. Code of practice.

BS 25999-2:2007 Business continuity management. Specification (being replaced by ISO 22301:2012).

PD 25111:2010 Business continuity management. Guidance on human aspects of business continuity.

PD 25222:2011 Business continuity management. Guidance on supply chain continuity.

PD 25666:2010 Business continuity management. Guidance on exercising and testing for continuity and contingency programmes.

ISO 22301:2012 Societal security – Business continuity management systems – Requirements.

BIP 2142:2012 The route map to business continuity management. Meeting the requirements of ISO 22301.

BIP 2143:2012 Business continuity exercises and tests. Delivering successful exercise programmes with ISO 22301.

BIP 2151:2012 Auditing business continuity management plans. Assess and improve your performance against ISO 22301.

BIP 2185:2012 Business continuity communications. Successful incident communication planning with ISO 22301.

BIP 2214:2011 A practical approach to business impact analysis. Understanding the organization through business continuity management.

ISO/PAS 22399:2007 Societal security – Guideline for incident preparedness and operational continuity management.

ISO 22313:2012 Societal security – Business continuity management systems – Guidance.

The Business Continuity Institute Good Practice Guidelines 2010 Global Edition – A Management Guide to Implementing Global Good Practice in Business Continuity Management. www.thebci.org

Data protection standards

BS 10012:2009 Data Protection. Specification for a personal information management system.

UK Data Protection Act 1998 (www.opsi.gov.uk/acts/acts1998/ukpga19980029en1)

European Union Directive 95/46/EC.

(http://ec.europa.eu/justicehome/fsj/privacy/docs/95-46-ce/dir1995-46part1en.pdf)

Risk management standards

Institute of Risk Management’s ‘Risk Management Standard’ (www.theirm.org/publications/documents/RiskManagementStandard030820.pdf)

BS 7799-3:2005 Information security management systems – Guidelines for information security risk management.

BS 31100:2011 Risk management. Code of practice and guidance for the implementation of BS ISO 31000.

ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements (this replaces BS 7799-2, the ISMS specification).

ISO/IEC 27005:2011 Information technology – Security techniques – Information security risk management.

ISO Guide 73:2009 Risk management – Vocabulary (the 2009 edition supersedes ISO/IEC Guide 73:2002, Risk management – Vocabulary – Guidelines for use in standards).

ISO 31000:2009 Risk management – Principles and guidelines.

ISO/IEC 31010:2009 Risk management – Risk assessment techniques.

UK Primary Legislation

The Police and Criminal Evidence Act 1984 (Codes of Practice) Order 2008.

Computer Misuse Act 1990.

Official Secrets Act 1989.

Freedom of Information Act 2000.

Regulation of Investigatory Powers Act (RIPA) 2000.

Information security standards

ISO/IEC 13335-5:2004 Information technology – Security techniques – Management of information and communications technology security – Part 5: Management guidance of network security.

ISO/IEC 15408-1:2009 Information technology – Security techniques – Evaluation criteria for IT security – Part 1: Introduction and general model.

ISO/IEC 15408-2:2008 Information technology – Security techniques – Evaluation criteria for IT security – Part 2: Security functional components.

ISO/IEC 15408-3:2008 Information technology – Security techniques – Evaluation criteria for IT security – Part 3: Security assurance components.

ISO 15489-1:2001 Information and documentation – Records management – Part 1: General.

ISO/IEC 27000:2009 Information technology – Security techniques – Information security management systems – Overview and vocabulary.

ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements (this replaces BS 7799-2, the ISMS specification).

ISO/IEC 27002:2005 Information technology – Security techniques – Code of practice for information security management (this is the renumbered ISO/IEC 17799:2005, which was itself derived from BS 7799-1).

ISO/IEC 27003:2010 Information technology – Security techniques – Information security management system implementation guidance.

ISO/IEC 27004:2009 Information technology – Security techniques – Information security management – Measurement.

ISO/IEC 27005:2011 Information technology – Security techniques – Information security risk management (based on and incorporating ISO/IEC 13335 MICTS Part 2).

ISO/IEC 27006:2007 Requirements for bodies providing audit and certification of information security management systems.

ISO/IEC 27007:2011 Information technology – Security techniques – Guidelines for information security management systems auditing.

ISO/IEC 27008:2011 Information technology – Security techniques – Guidelines for auditors on information security controls.

ISO/IEC 27010:2012 Information technology – Security techniques – Information security management for inter-sector and inter-organisational communications.

ISO/IEC 27011:2008 Information technology – Security techniques – Information security management guidelines for telecommunications organizations based on ISO/IEC 27002.

ISO/IEC 27032:2012 Information technology – Security techniques – Guidelines for cybersecurity.

ISO/IEC 27033-1:2009 Information technology – Security techniques – Network security – Part 1: Overview and concepts.

ISO/IEC 27033-2:2012 Information technology – Security techniques – Network security – Part 2: Guidelines for the design and implementation of network security.

ISO/IEC 27033-3:2010 Information technology – Security techniques – Network security – Part 3: Reference networking scenarios – Threats, design techniques and control issues.

ISO/IEC 27034-1:2011 Information technology – Security techniques – Application security – Part 1: Overview and concepts.

ISO/IEC 27035:2011 Information technology – Security techniques – Information security incident management.

ISO/IEC 24762:2008 Information technology – Security techniques – Guidelines for information and communications technology disaster recovery services.

ISO/IEC 38500:2008 Corporate governance of information technology.

ISO/IEC 18028-1:2006 Information technology – Security techniques – IT network security – Part 1: Network security management.

ISO/IEC 18028-2:2006 Information technology – Security techniques – IT network security – Part 2: Network security architecture.

ISO/IEC 18028-3:2005 Information technology – Security techniques – IT network security – Part 3: Securing communications between networks using security gateways.

ISO/IEC 18028-4:2005 Information technology – Security techniques – IT network security – Part 4: Securing remote access.

ISO/IEC 18028-5:2006 Information technology – Security techniques – IT network security – Part 5: Securing communications across networks using virtual private networks.

Good Practice Guide for Computer-Based Electronic Evidence Official release version 4.0 (ACPO).

The Information Security Forum Standard of Good Practice (www.securityforum.org/?page=downloadsogp)

British Standards may be obtained in PDF or hard copy formats from the BSI online shop: www.bsigroup.com/Shop

ISO Standards may also be obtained through the BSI or directly from the ISO online shop: www.iso.org/iso/store.htm
