
    Practical implementation of such cyber security policies is largely addressed by establishing prioritised, flexible, repeatable, performance-based and cost-effective activities that assist organisations in managing cyber security risk. Table 8.3 identifies a range of key PACs-related framework guidance standards. Given the complexity of the cyber security challenge, it is not surprising that no single exhaustive model applicable to every organisation or government exists. Broad prescriptive stages do apply, however (e.g. establishing, implementing, operating, monitoring, reviewing, maintaining and improving), and the Plan-Do-Check-Act (PDCA) model provides a strong methodological basis.

    Table 8.3 – Key PACs-related framework guidance standards 

    Guidance Framework/Initiative: Overview

    AICPA Trust Services Criteria

    Governed by the AICPA (the principal US accounting institute); a set of professional attestation and advisory services based on a core set of principles and criteria that address the risks and opportunities of IT-enabled systems and privacy programs.

    BITS Shared Assessments

    Created by leading financial institutions, the Big 4 accounting firms and key service providers to inject standardisation, consistency, speed, efficiency and cost savings into the service provider assessment process.

    BSI Germany

    Set of standards created by the German Federal Office for Information Security (BSI) to promote IT security in Germany.

    Cybersecurity Coordination Group (CSCG)

    The Cybersecurity Coordination Group (CSCG) acts as a single point of contact for pan-European interchange on cyber security standardisation and provides a set of recommendations and advice to the European Commission (DG CONNECT and DG ENTR) and EU Member States in the area of cyber security standardisation.

    Cloud Controls Matrix (CCM)

    Led by the Cloud Security Alliance (CSA); designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.

    COBIT

    Led by ISACA; a widely used framework for the governance and management of enterprise IT.

    CSA Enterprise Architecture

    Formerly known as the Trusted Cloud Initiative; a CSA initiative that helps cloud providers develop industry-recommended, secure and interoperable identity, access and compliance management configurations and practices.

    ENISA Cloud Computing Information Assurance Framework

    Published in 2009; provides a set of assurance criteria designed to assess the risk of adopting cloud services, compare different cloud provider offers, obtain assurance from the selected cloud providers and reduce the assurance burden on cloud providers.

    ETSI TC CYBER

    TC CYBER focuses on the development of standards across key areas including (1) cybersecurity; (2) security of infrastructures, devices, services and protocols; (3) security advice, guidance and operational security requirements for users, manufacturers and network and infrastructure operators; (4) security tools and techniques to ensure security; and (5) creation of security specifications and alignment with work done in other ETSI committees.

    FedRAMP Security Controls

    US Federal government security requirements for providers of cloud computing services.

    ISO/IEC 27001:2013

    Specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organisations, regardless of type, size or nature.

    NERC CIP

    Set of Critical Infrastructure Protection standards developed by the North American Electric Reliability Corporation (NERC).

    NIST Cybersecurity Framework (Framework for Improving Critical Infrastructure Cybersecurity)

    Provides a structure that organisations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs.

    NIST SP 800-53

    Provides a catalogue of security and privacy controls for federal information systems and organisations, and a process for selecting controls to protect organisational operations (including mission, functions, image and reputation), organisational assets, individuals, other organisations and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures and human errors.

    PCI DSS

    Requirements and standards for the storage and processing of payment card data.

