Which Information Security controls are available?

We are continuously reviewing and adding new Information Security controls to CyberComply. The following are currently available within CyberComply:


CCC 2020

The Cloud Cybersecurity Controls for Saudi Arabia mandate stringent security measures for Cloud service providers (CSPs) operating within the Kingdom, including data encryption, access controls and incident response protocols, aiming to safeguard sensitive information. These controls apply across various sectors, particularly critical industries such as finance, healthcare and government, ensuring compliance and elevating cyber security resilience.


CES (2021)

Cyber Essentials 2021 is a UK government-backed certification scheme designed to help organisations protect against common cyber threats by implementing key security controls, such as firewalls, secure configuration, user access control, malware protection and patch management. Its scope covers a wide range of industries, particularly those handling sensitive data, to ensure basic cyber security measures are in place, thus safeguarding against cyber attacks.


CES (2022)

Cyber Essentials 2022 is a UK government-backed certification scheme that outlines five basic security control sets (firewall, secure configuration, user access control, malware protection, and patch management) to protect against common cyber threats. Its scope encompasses organisations of all sizes across various industries, emphasising the importance of basic cyber security practices to safeguard sensitive data and systems.


CES (2023)

Cyber Essentials 2023 is a UK government-backed cyber security certification scheme designed to help organisations protect against common cyber threats by implementing five essential security controls: firewalls, secure configuration, user access control, malware protection, and security update management. This standard is relevant across all industries, particularly those handling sensitive personal data, and aims to enhance basic cyber security measures to mitigate risks and support compliance with broader data protection regulations.


CIS V8

The Center for Internet Security (CIS) Controls Version 8 (CIS v8) is a globally recognised set of 18 critical security controls designed to help organisations of all sizes establish and enhance their cyber security practices by focusing on key areas such as asset inventory, secure configuration and continuous vulnerability assessment. Applicable to any industry handling sensitive or valuable data, it offers a comprehensive framework aimed at reducing cyber risk and improving overall security posture.


CISCO CCF

Cisco Common Criteria for Cloud (CCF) is a framework that outlines robust security requirements and controls for Cloud services. The framework is crucial for organisations in sectors such as finance, healthcare and government that handle sensitive information and require stringent data security measures to maintain regulatory compliance and safeguard client data. CCF's voluntary adoption can enhance security and compliance, particularly for organisations subject to stringent data protection laws such as the General Data Protection Regulation (GDPR) in the EU or UK, California Consumer Privacy Act (CCPA) in California and Health Insurance Portability and Accountability Act (HIPAA) in the US.


CISCO CCF - IRAP

Cisco's Cloud Controls Framework (CCF), aligned with the Information Security Registered Assessors Program (IRAP), outlines essential security controls and compliance measures required for Cloud service providers operating within Australia. This framework ensures rigorous adherence to data protection, confidentiality and system integrity, crucial for industries involved in handling government data and services, reinforcing their commitment to high security and regulatory compliance standards.


CPRA

The California Privacy Rights Act (CPRA) is a data privacy regulation that enhances the California Consumer Privacy Act (CCPA) by introducing stricter data protection requirements, including expanded rights for consumers over their personal data, mandatory data minimisation, and the establishment of the California Privacy Protection Agency for enforcement. It applies to organisations that collect or process personal data of California residents and is particularly relevant to industries that handle large volumes of consumer data, such as technology, e-commerce and finance.


CSA CCM V3

The Cloud Security Alliance (CSA) Cloud Controls Matrix Version 3 is a cyber security framework focusing on key Cloud security controls and providing guidance for managing Cloud-specific security and compliance risks. It encompasses 16 domains, including data privacy, application security and incident response, making it highly relevant for organisations using Cloud services across all industries, notably those in finance, healthcare and technology sectors. CSA CCM v3 can be used alongside a variety of regulatory requirements by organisations globally.


CSA CCM V4

The Cloud Security Alliance (CSA) Cloud Controls Matrix Version 4 is a detailed security framework that provides fundamental security principles to guide Cloud service providers in assessing their overall risk. This version includes new domains such as DevSecOps and Cloud Key Management, ensuring comprehensive Cloud security governance, making it highly relevant for sectors adopting Cloud technologies, such as IT, finance and healthcare.


CSCC 2019

The Critical Systems Cybersecurity Controls 2019 (Saudi Arabia) outline cyber security measures for critical national infrastructure to protect against cyber threats, requiring robust risk assessment, incident response and continuous monitoring practices. The scope encompasses sectors in Saudi Arabia such as energy, finance and telecommunications, ensuring the resilience and security of essential services critical to national stability.


ECC 2018

The Essential Cybersecurity Controls 2018 (Saudi Arabia) mandate critical cyber security measures for organisations to protect against cyber threats, focusing on governance, risk management and technical controls. They apply across all industries operating within Saudi Arabia, emphasising the importance of safeguarding information assets and ensuring continuity of services in both public and private sectors.


HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) applies to US organisations within the healthcare industry such as healthcare providers, insurers and other entities that process health data. HIPAA mandates the protection and confidential handling of protected health information (PHI) by covered entities and their business associates, enforcing standards for data privacy, security and breach notification.


ISO/IEC 20000

ISO/IEC 20000 is an international standard for IT service management that outlines requirements for establishing, implementing, maintaining and continually improving a service management system. It applies universally across industries, helping organisations ensure that their IT services meet business needs and deliver consistent, high-quality service.


ISO/IEC 22301

ISO/IEC 22301 is the international standard for a business continuity management system (BCMS), outlining requirements for establishing, implementing, maintaining and improving a documented management system to protect against, reduce the likelihood of, and ensure business recovery from, disruptive incidents. It is applicable to organisations of all sizes and industries seeking to ensure operational resilience and continuity in the face of potential disruptions.


ISO/IEC 27001:2013/27701:2019 - PRIVACY

ISO/IEC 27001:2013/27701:2019 is a combined standard focusing on information security management and privacy information management. It requires organisations to establish, implement, maintain and continually improve an information security management system (ISMS) and a privacy information management system (PIMS). Applicable across various industries, it aids in protecting data, ensuring privacy compliance and managing information security risks, particularly relevant to sectors handling sensitive data like finance, healthcare and IT.


ISO/IEC 27001:2013

ISO/IEC 27001:2013 is an international standard for an information security management system (ISMS) that mandates the implementation of comprehensive security controls to protect sensitive information. It applies to all types of organisations and industries, ensuring they manage information security risks effectively by establishing, implementing, maintaining and continually improving their ISMS.


ISO/IEC 27002:2022

ISO/IEC 27001:2022 is a global standard for an information security management system (ISMS), requiring organisations to establish, implement, maintain and continually improve a framework for managing sensitive company and customer information. Applicable across all industries, it outlines best practices for risk assessment, incident management and compliance, helping organisations protect data integrity, confidentiality and availability.


ISO/IEC 27017

ISO/IEC 27017 is an international standard providing guidelines for information security controls applicable to Cloud services, emphasising secure Cloud environments and management practices. It builds upon ISO/IEC 27001 and ISO/IEC 27002 with Cloud-specific extensions, making it particularly relevant for organisations offering or using Cloud services to ensure robust data protection and compliance across sectors such as finance, healthcare and technology.


ISO/IEC 27018

ISO/IEC 27018 is an international standard focusing on protecting personal data in the Cloud, requiring Cloud service providers to implement specific controls for safeguarding personally identifiable information (PII) and ensuring compliance with privacy principles. It applies primarily to the Cloud computing industry and is crucial for organisations handling sensitive customer data in the Cloud, ensuring trust and regulatory adherence.


ISO/IEC 27032:2012

ISO/IEC 27032:2012 is a cyber security standard that provides guidelines for improving information security management practices to protect cyberspace, focusing on cooperation among stakeholders and addressing areas such as cyber attack prevention and incident response. It applies across various industries, especially those that handle sensitive information, such as finance, healthcare and technology.


ISO/IEC 27701:2019

ISO/IEC 27701:2019 is an international standard that extends ISO/IEC 27001 and ISO/IEC 27002, providing guidelines for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS). It focuses on enhancing data privacy practices by specifying requirements and providing controls for the processing of personally identifiable information (PII), making it highly relevant for sectors that handle sensitive personal data, such as healthcare, finance and technology.


NCSC

The National Cyber Security Centre (NCSC) provides guidelines and best practices for enhancing cyber security, focusing on risk management, incident response and data protection, particularly relevant to UK organisations. UK government bodies, critical national infrastructure providers and private sector organisations handling sensitive data are encouraged to follow these guidelines, which also serve as voluntary best practices for organisations globally, to mitigate cyber threats and ensure robust cyber security frameworks.


NHS DSP - CATEGORY 3

The NHS Data Security and Protection (DSP) Toolkit Category 3 mandates that organisations provide assurance on data security and protection practices, specifically focusing on ensuring data confidentiality, integrity and availability. It is specific to the UK and applies to organisations in the healthcare industry, requiring NHS trusts and their partners to comply with legal data protection obligations to safeguard patient information and maintain public trust.


NIS CAF

The Network and Information Systems Cyber Assessment Framework (NIS CAF) is a cyber security standard that mandates robust security measures, risk management processes and incident response plans to protect critical infrastructure sectors such as energy, healthcare, water and transport from cyber threats, and ensure service continuity. It must be adhered to by operators of essential services and digital service providers within the EU and the European Economic Area (EEA).


NIST 800-53

NIST 800-53 is a comprehensive framework providing guidelines for managing security and privacy controls in federal information systems and organisations, emphasising risk management and ensuring a robust cyber security posture. This standard applies primarily to federal agencies in the US, while private sector companies, particularly in regulated industries such as finance, healthcare and critical infrastructure, often adopt its controls to enhance their cyber security measures.


NIST CSF

The NIST Cybersecurity Framework (NIST CSF) provides a set of guidelines to manage and mitigate cyber security risks through a flexible, repeatable and cost-effective approach, encompassing five core functions: Identify, Protect, Detect, Respond and Recover. It is a US standard developed by the National Institute of Standards and Technology (NIST) and is widely recognised and adopted internationally, particularly by organisations in critical infrastructure sectors such as energy, finance and healthcare, to enhance their cyber security posture and resilience against cyber threats.


NIST SP 800-171

NIST SP 800-171 is a standard for protecting controlled unclassified information (CUI) in non-federal systems and organisations, requiring the implementation of 110 security controls across 14 families, including access control, incident response and system integrity. Its scope includes any contractor or subcontractor handling CUI for the US federal government, making it particularly relevant for defence and federal contracting industries.


PCI DSS V3.2

Payment Card Industry Data Security Standard Version 3.2 (PCI DSS v3.2) is a worldwide standard mandating comprehensive security measures for organisations that handle payment card information, focusing on requirements such as maintaining secure networks, protecting cardholder data, implementing strong access control measures and conducting regular security testing and monitoring. It applies globally to merchants, processors, acquirers, issuers and service providers across the payment card industry to ensure protection against data breaches and fraud.


PCI DSS V4.0

Payment Card Industry Data Security Standard Version 4.0 (PCI DSS v4.0) is a comprehensive framework designed to enhance payment card data security through rigorous requirements for data protection, network security and access control. Applicable to organisations that handle cardholder information, it mandates measures like encryption, secure network configurations and regular monitoring to protect against data breaches, making it crucial for organisations in finance, retail and any sectors dealing with payment card transactions.


SOC 2 TSC

System and Organization Controls - 2 Trust Services Criteria (SOC 2 TSC), developed by the American Institute of CPAs (AICPA), is a globally recognised standard outlining requirements for managing customer data based on five trust service principles: security, availability, processing integrity, confidentiality and privacy. It is crucial for organisations handling sensitive data, particularly in sectors like technology, finance and healthcare, to demonstrate their commitment to rigorous data protection and privacy measures.

Updated on: 28/06/2024