Standards on Cybersecurity
Cybersecurity Standards: European and International standards supporting cybersecurity and the voluntary application of Regulation (EU) 2019/881 on ENISA and on information and communications technology cybersecurity certification (Cybersecurity Act)
Related standards or drafts
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 2: Security functional components (ISO/IEC 15408-2:2022)
60.60
Standard published
CEN/CLC/JTC 13
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC 15408-3:2022)
60.60
Standard published
CEN/CLC/JTC 13
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 4: Framework for the specification of evaluation methods and activities (ISO/IEC 15408-4:2022)
60.60
Standard published
CEN/CLC/JTC 13
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 5: Pre-defined packages of security requirements (ISO/IEC 15408-5:2022)
60.60
Standard published
CEN/CLC/JTC 13
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Methodology for IT security evaluation (ISO/IEC 18045:2022)
60.60
Standard published
CEN/CLC/JTC 13
Fixed-time cybersecurity evaluation methodology for ICT products
60.60
Standard published
CEN/CLC/JTC 13
Security Evaluation Standard for IoT Platforms (SESIP). An effective methodology for applying cybersecurity assessment and re-use for connected products.
60.60
Standard published
CEN/CLC/JTC 13
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 1: Introduction and general model (ISO/IEC 15408-1:2022)
60.60
Standard published
CEN/CLC/JTC 13
General requirements for the competence of testing and calibration laboratories (ISO/IEC 17025:2017)
60.60
Standard published
CEN/CLC/JTC 1
Conformity assessment - Requirements for bodies certifying products, processes and services (ISO/IEC 17065:2012)
60.60
Standard published
CEN/CLC/JTC 1
Information security, cybersecurity and privacy protection — Requirements for the competence of IT security testing and evaluation laboratories — Part 1: Evaluation for ISO/IEC 15408
90.20
Standard under periodical review
ISO/IEC JTC 1/SC 27
Information security, cybersecurity and privacy protection — Requirements for the competence of IT security testing and evaluation laboratories — Part 2: Testing for ISO/IEC 19790
90.20
Standard under periodical review
ISO/IEC JTC 1/SC 27
Information security, cybersecurity and privacy protection - Information security controls (ISO/IEC 27002:2022)
60.60
Standard published
CEN/CLC/JTC 13
Information security, cybersecurity and privacy protection — Guidance on managing information security risks
60.60
Standard published
ISO/IEC JTC 1/SC 27
Security for industrial automation and control systems - Part 3-2: Security risk assessment for system design
60.60
Standard published
CLC/TC 65X
Security for industrial automation and control systems - Part 4-1: Secure product development lifecycle requirements
60.60
Standard published
CLC/TC 65X
Cyber-attacks on crucial infrastructure, like power plants or hospitals, can significantly impact people's physical welfare and affect their ability to undertake basic activities. The security of these systems, apart from their broader IT systems, is ensured by Operational Technologies (OT) which supervise the proper performance of automated tasks like shutting down a generator to prevent a blackout or stopping a valve to avoid chemical overflow.
Cybersecurity is an important topic for connected devices and systems. ISO, IEC and CEN or CENELEC standards support cybersecurity and the application of the Cybersecurity Act.
European standards and International standards support the application of the Cybersecurity act and associated implementing legislation in Europe.
The line distinguishing Informational Technologies (IT) and Operational Technologies (OT) has been blurred thanks to the Industrial Internet of Things (IIoT) which connects physical machines to networked sensors and software. This connectivity and interaction have increased the potential entry points for cybercriminals, hence the need for a defense strategy that considers IT and OT environments.
Standards have been developed to protect information and ICT measures. These include security requirements capture methodology, management of information, and multiple security mechanisms. Such standards offer guidelines for security controls, services, and the management of information security systems. They also cover areas such as cryptographic and other security mechanisms, security aspects of identity management, and conformance assessment. As such, organizations must follow these standards to ensure the integrity of their IT and OT systems and minimize the risk of cyber-attacks. They span areas from cybersecurity evaluation methodology for ICT products, to supplier relationships in cybersecurity, health informatics cybersecurity, IoT security, and privacy requirements.
These stringent standards are a vital tool in the ongoing fight against cybercrime, providing clear guidelines for protecting the IT and OT environments within our critical infrastructure. Some of these standards address partially the Essential Requirements of the current proposal for Cyber Resilience Act:
- Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks;
- Products with digital elements shall be delivered without any known exploitable vulnerabilities;
- On the basis of the risk assessment referred to in Article 10(2) and where applicable, products with digital elements shall:
- - be delivered with a secure by default configuration, including the possibility to reset the product to its original state;
- - ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems;
- - protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms;
- - protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, as well as report on corruptions;
- - process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended use of the product (‘minimisation of data’);
- - protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks;
- - minimise their own negative impact on the availability of services provided by other devices or networks;
- - be designed, developed and produced to limit attack surfaces, including external interfaces;
- - be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques;
- - provide security related information by recording and/or monitoring relevant internal activity, including the access to or modification of data, services or functions;
- - ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates and the notification of available updates to users.
You may find below link to the European and International standards on Cybersecurity.
Click on the links below for accessing the standards or information about them.
Keywords: European Standards, International Standard, CEN standard, CENELEC standard, ISO/IEC Standard, ENISA, ENISA Regulation, ENISA, Cybersecurity Regulation, Cyber, EU Cyber, EU cyber security, Cyber security Europe, Cyber Resilience Act