Sunday, August 16, 2020

BOT attack and Data Security

BOT Attack and Data Security Overview

Almost all organizations face cyber attacks of many types, such as brute force attacks, data security breaches, encrypted web attacks, web scraping, SQL injection, cross-site scripting, etc.

Sometimes attackers use automated attack programs, where a "BOT" acts in place of the attacker directly.

In other words, a BOT attack refers to automated web requests (written scripts) used by attackers to manipulate websites, applications, APIs and end users. Sometimes attackers send SPAM emails or launch DDoS attacks using these BOTs. Generally the attack is carried out by BOTNETS, which are networks of infected, unpatched systems controlled centrally by attackers and that follow a set of instructions or patterns as programmed.

BOTs make traditional attack vectors more effective, faster and larger in impact. Examples of BOT-driven attacks are:

  • Web scraping
  • Web Application DDoS
  • Brute Force attack
  • Credential Stuffing
  • Account takeover fraud
  • Ticketing BOT attack

The attack surface for BOTs lies in the areas below:
  • Websites
  • Online ecommerce sites
  • Financial firms
  • Individuals
  • Healthcare firms

Impact areas:
  • Data Breach
  • Web or Server downtime
  • Regulatory Penalty
  • Reputational Damage

With reference to a 2019 data leakage survey from Radware, it says:
  • 45% of respondents report that they suffered a data breach, including 45% in the financial services sector, 45% in retail and 46% in healthcare.
  • More than 60% are not confident that they can quickly detect application-layer attacks, including 59% in financial services, 67% in retail and 67% in healthcare.
  • More than 70% are not confident their organization can protect itself against an application-layer DDoS Attack, including 66% in financial services, 68% in retail and 70% in healthcare.
  • Nearly 60% of respondents do not track sensitive data they share with third parties once the data leaves the corporate network.
  • Approximately 70% of organizations fail to protect credit card data online. 

Prevention is better than cure. So to prevent BOT attacks, an organization should focus on at least the critical areas below:
  • Monitor the incoming traffic in real time.
  • Use firewalls and next-gen firewalls in the network.
  • Strengthen the authentication process.
  • Strengthen user awareness.
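As an added example (not code from the original post), here is a small Python check for the first prevention point, monitoring incoming login traffic for the credential stuffing and brute force patterns named above; the log line format, the thresholds, the RFC 5737 addresses and the sample log are all assumptions constructed for this example.

```python
# Added example (not from the original post): flag credential stuffing and brute
# force in login audit logs. Assumed log line format (and thresholds):
#   <ISO timestamp> ip=<addr> user=<name> result=<ok|fail>
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")
WINDOW_SECONDS = 60   # look for bursts inside any one-minute span
STUFFING_USERS = 4    # distinct usernames tried from one IP in the window
BRUTE_FAILURES = 4    # failed attempts against one username in the window
# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
2020-08-16T10:00:01 ip=198.51.100.7 user=alice result=ok
2020-08-16T10:00:03 ip=203.0.113.10 user=alice result=fail
2020-08-16T10:00:04 ip=203.0.113.10 user=bob result=fail
2020-08-16T10:00:05 ip=203.0.113.10 user=carol result=fail
2020-08-16T10:00:06 ip=203.0.113.10 user=dave result=ok
2020-08-16T10:00:10 ip=192.0.2.44 user=admin result=fail
2020-08-16T10:00:12 ip=192.0.2.45 user=admin result=fail
2020-08-16T10:00:14 ip=192.0.2.46 user=admin result=fail
2020-08-16T10:00:16 ip=192.0.2.47 user=admin result=fail
not a login record, must be skipped
"""

def max_in_window(events):
    """Most distinct keys among (timestamp, key) pairs in any WINDOW_SECONDS span."""
    events = sorted(events)
    best = start = 0
    for end in range(len(events)):
        while (events[end][0] - events[start][0]).total_seconds() > WINDOW_SECONDS:
            start += 1
        best = max(best, len({k for _, k in events[start:end + 1]}))
    return best

def detect(lines):
    """Return {'credential_stuffing': [ips], 'brute_force': [usernames]}."""
    users_by_ip, fails_by_user = defaultdict(list), defaultdict(list)
    for i, line in enumerate(lines):
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                 # not a login record
        ts, ip, user, result = m.groups()
        ts = datetime.fromisoformat(ts)
        users_by_ip[ip].append((ts, user))          # accounts tried by this IP
        if result == "fail":
            fails_by_user[user].append((ts, i))     # each failure is a distinct key
    stuffing = [ip for ip, ev in users_by_ip.items() if max_in_window(ev) >= STUFFING_USERS]
    brute = [u for u, ev in fails_by_user.items() if max_in_window(ev) >= BRUTE_FAILURES]
    return {"credential_stuffing": sorted(stuffing), "brute_force": sorted(brute)}
```

Running detect(SAMPLE_LOG.splitlines()) flags 203.0.113.10 (one IP cycling through many accounts) and the admin account (many failures from rotating IPs), while the single failed login from 198.51.100.7 is left alone.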

That was all about BOTNET attacks. I hope this helps you understand. Please post your valuable suggestions if you have any.

Thanks!

Saturday, August 15, 2020

What are standards and policies

Basics of Standards, Acts, Frameworks & Policies

We have all heard these words, along with some theoretical information on how to do things and how things should be.

There is a lot of confusion between Standard, Policy and Framework. Let us look at all these terms here one by one.

Standard document: 

A standard is a mandatory requirement or a code of practice prepared and approved by an external recognized body. An IT or non-IT organization must comply with the requirements of some industry standard.

A standard is made up of clauses and sub-clauses in which all the control points are listed. A control is simply a set of bullet-point activities which need to be carried out in a step-by-step process.

An ISO standard is internationally agreed by experts under the International Organization for Standardization.

For example: Quality Management Standard (ISO 9000 family), Health and Safety Standard (ISO 45000 family), IT Security Standard (ISO/IEC 27000 family). We will cover some IT-related standards later in this post.

Policy document:

Policies are high-level statements of intent, generally adopted by a governance body within an organization. A policy is a set of rules developed by an organization for its technology, products and services.

For example: Information Security Policy, Business Continuity Policy, Asset Management Policy, Incident Management Policy, Access Control Policy, Password Management Policy etc.

ACT document:

An Act is an instrument, or a fact stated or recorded by someone and agreed upon. It is generally a legal instrument.

For example: Registration Act, Information Technology Act 2000 (India), Income Tax Act, Public Records Act 1993, National Security and Investment Act 2021 (UK), Privacy Act (USA), Freedom of Information Act (FOIA) (USA), etc.

Framework document:

A framework is a conceptual document with sets of procedures and goals which is used for taking appropriate decisions; it is helpful for decision making.

For example: A project plan, robot framework, strategic plan, Project Governance Framework, project life cycle, NIST cyber security framework, ISO standards, COBIT5 etc.

Procedure:

Procedures are documented, defined steps to achieve a business objective. A procedure needs to be written in a clear and concise manner, as a step-by-step process.

For example: Incident/ Problem Management Procedure, Change Management Procedure, Raise a service ticket procedure, close a service ticket procedure, traffic management procedure etc. 

Here is a little more detail on some standards and their use. These standards are meant for organizational certification, and any individual or professional can also get certified in them to acquire the knowledge and strengthen their resume with globally accredited certifications.

ISO 31000: Risk Management

It is a guideline that provides principles and a process for managing risk. It can be used by any organization.

ISO/IEC 27001:2013: Information Security Management System

This is an international standard that specifies how to manage an information security management system (ISMS). It helps an organization protect its data, and covers how to define an information security policy, how to manage asset security and access control, what to do for physical and environmental security, operational security, etc. We will cover this part later.

ISO/IEC 27017:2015: Information security guidelines for cloud security

This standard gives guidance on information security controls applicable to the provision and use of cloud services. It recommends the implementation of cloud-specific information security controls that supplement the general guidance.

ISO/IEC 27018:2019: Privacy protection

This standard is a code of practice that focuses on the protection of personal data in the public cloud. Personal data is also known as Personally Identifiable Information (PII). Protecting PII saved in public clouds such as Google, AWS, Oracle, etc. from both external and internal threats is very important.

ISO/IEC 20000:2011: Information Technology Service Management

It is an international standard that describes best practices for IT service management (ITSM). It helps organizations evaluate and manage their service delivery more effectively. It is strongly linked with ITIL (Information Technology Infrastructure Library).

NIST Cyber Security Framework:

NIST (National Institute of Standards and Technology) is a non-regulatory agency that publishes frameworks and guidelines openly and for free. The NIST Cyber Security Framework helps organizations understand, manage and reduce cyber security risks, and explains how to implement the framework effectively.

COBIT5: (Control Objectives for Information and Related Technology)

COBIT5 is a business and management framework for the governance and management of enterprise IT. It helps organizations meet business challenges in regulatory compliance, risk management, etc.

ITIL (Information Technology Infrastructure Library)

ITIL is a framework that helps organizations manage their IT services using the PDCA (Plan, Do, Check, Act) methodology.

GDPR (General Data Protection Regulation)

GDPR is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It requires organizations and businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.

PCI-DSS (Payment Card Industry Data Security Standard)

PCI DSS is a widely accepted set of policies and procedures that helps to secure credit card and debit card transactions and protects cardholders against misuse of their personal as well as financial information.

So these are some basic standards and guidelines that are widely known and adopted across industries. There are many more standards and policies available nation-wise and region-wise.

Thank You-

-DR
