Security standards


International standards

See organisations for details of ISO and IET.

BS EN ISO/IEC 17025:2005 - General requirements for the competence of testing and calibration laboratories

ISO/IEC 17025 is a standard published by ISO, formerly known as ISO/IEC Guide 25. It covers calibration, testing and sampling, including digital forensics.
http://shop.bsigroup.com/en/ProductDetail/?pid=000000000030159674

BS ISO/IEC 27001:2005 (BS 7799-2:2005) - Information security management systems

Specification for an information security management system (ISMS) and the foundation for third party audit and certification.
http://shop.bsigroup.com/en/ProductDetail/?pid=000000000030126472

BS ISO/IEC 27002:2005 (BS 7799-1:2005, BS ISO/IEC 17799:2005) - Code of practice for information security management

Guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.
http://shop.bsigroup.com/en/ProductDetail/?pid=000000000030166440

BS ISO/IEC 27034-1:2011 - Application security - Part 1: Overview and concepts

Building application security into the development life cycle.
http://shop.bsigroup.com/en/ProductDetail/?pid=000000000030168520

British standards

Including BS specifications, guidance and codes of practice.

BS 8878:2009 Web accessibility

Draft for public comment.
http://www.bsi-global.com/en/Shop/Publication-Detail/?pid=000000000030180387

BS 10008:2008 Evidential weight and legal admissibility of electronic information

Requirements for the implementation and operation of electronic information management systems and for the storage and transfer of information; addresses issues relating to the authenticity and integrity of information.
http://www.bsigroup.com/en/Shop/Publication-Detail/?pid=000000000030172973

BS 10012:2009

Data Protection. Specification for a Personal Information Management System.
http://www.bsigroup.com/en/Shop/Publication-Detail/?pid=000000000030175849

BS 25999:2006 Business continuity management

Business continuity management (BCM) principles, processes and terminology.
http://www.bsi-global.com/en/Shop/Publication-Detail/?pid=000000000030157563

Codes of Practice

Agreed and developing industry best practice.

Advertising Standards Authority (ASA) CAP Code

The UK code of non-broadcast advertising, sales promotion and direct marketing.
http://www.cap.org.uk/The-Codes/CAP-Code.aspx

Agreed Upon Procedures (AUP)

Standard procedures for service provider assessment and self-assessment of security, privacy and business continuity from Shared Assessments.
http://www.sharedassessments.org/download/

The Association of Chief Police Officers (ACPO) Good Practice Guide for Computer-Based Evidence

Best practice in all dealings with electronic evidence.
http://www.7safe.com/electronic_evidence/

Central Office of Information (UK) Website Standards and Guidelines

Published public sector website standards and guidelines, and those under consultation.
http://www.coi.gov.uk/guidance.php?page=188

Centre for the Protection of National Infrastructure (UK) Guidance on Securing Web Sites

Technical Note 06/03 from the former NISCC.
http://www.cpni.gov.uk/Docs/re-20030801-00726.pdf

Code of Practice for the investigation of protected electronic information

Powers and duties conferred under Part III of the UK's Regulation of Investigatory Powers Act 2000.
http://security.homeoffice.gov.uk/ripa/publication-search/ripa-cop/electronic-information

The Employment Practices Code and supplementary guidance

A code of practice from the UK's Information Commissioner which includes a section on monitoring at work.
http://www.ico.gov.uk/Home/for_organisations/topic_specific_guides/employment.aspx

Guidance on Encrypting Data on Mobile Devices

US government guidance.
http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf

Home Office (UK) Good Practice Guidance for the Providers of Social Networking and Other User Interactive Services

Social networking guidance providing advice for industry, parents and children about how to stay safe online.
http://police.homeoffice.gov.uk/publications/operational-policing/social-networking-guidance

Information Commissioner's Office (ICO) Guidance on the Rules on Use of Cookies and Similar Technologies

Updated December 2011.
http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx

Information Commissioner's Office (ICO) Privacy Impact Assessment Handbook

How to determine whether a privacy impact assessment (PIA) is needed (UK) and the steps to take for small and large-scale PIAs.
http://www.ico.gov.uk/for_organisations/topic_specific_guides/pia_handbook.aspx

Information Commissioner's Office (ICO) Privacy Notices Code of Practice

Guidance on consumer-friendly privacy notices for paper and online systems (UK).
http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/privacy_notices_cop_final.pdf

Interception and Monitoring of Communications in Further Education and Higher Education

UKERNA, who provide the JANET network, produced a code of practice.
http://www.jisclegal.ac.uk/esecurity/esecurity.htm

Interception of Communications Code of Practice

Code of practice for public authorities entitled to intercept communications under RIPA.
http://security.homeoffice.gov.uk/ripa/publication-search/ripa-cop/
The Home Office also published a revised 'Acquisition and Disclosure of Communications Data Revised Draft Code of Practice' for public consultation (consultation closed 30 August 2006).
http://www.homeoffice.gov.uk/documents/cons-2006-ripa-part1/

National Institute of Standards and Technology (NIST) Special Publications (800 Series)

Guidelines on computer security matters, especially important to US federal organizations.
http://csrc.nist.gov/publications/PubsSPs.html

Open Web Application Security Project (OWASP) Guide to Building Secure Web Applications

The gold standard for web application security, adopted by many commercial and public organisations. Version 2, July 2005. See also the Application Security Verification Standard (ASVS), Software Assurance Maturity Model (below), OWASP Testing Guide and OWASP Top Ten most critical web application security flaws referenced by the Payment Card Industry Security Standards Council in their Data Security Standard (below).
http://www.owasp.org/index.php/Category:OWASP_Guide_Project

Open Web Application Security Project (OWASP) Software Assurance Maturity Model (SAMM)

Framework to help organisations of all sizes formulate and implement a strategy for software development security.
http://www.opensamm.org/

Payment Card Industry Data Security Standard (PCI DSS)

Mandatory actions for payment card processing. Version 2.0, October 2010.
https://www.pcisecuritystandards.org/security_standards/documents.php?view=&association=PCI+DSS&language=

Retention of Communications Data under Part 11: Anti-Terrorism, Crime and Security Act 2001

Guidance from the Home Office.
http://security.homeoffice.gov.uk/news-publications/publication-search/general/5b1.pdf

Risk Taxonomy Technical Standard

Risk vocabulary definitions and relationships published by the Open Group.
http://www.opengroup.org/pubs/catalog/c081.htm

The Standard of Good Practice for Information Security

From the Information Security Forum http://www.securityforum.org/.
http://www.isfsecuritystandard.com/


Contact Watson Hall

Watson Hall works with your business and information systems staff, partners and suppliers, including professional advisors such as accountants, auditors, insurers and solicitors. We guide, assist and build security and skills in organisations to reduce security risk.


© 2007-2014 Watson Hall Ltd, last reviewed 17 April 2012

These pages contain general information only. Nothing in these pages constitutes professional advice. Please read the website's terms of use, and consult a suitably qualified information security professional on any specific problem or matter.


Watson Hall Ltd is a company registered in England no 6004969 at North Bastle, Gatehouse, NE48 1NG, United Kingdom.
