[SystemSafety] Data communication security system standards
M Mencke
menckem at gmail.com
Thu Jan 15 10:55:32 CET 2015
Dear all,
I have some questions regarding the scope of some of the standards
developed by ISO/IEC JTC 1/SC27 – IT Security Techniques. They are listed
here:
http://www.iso.org/iso/home/store/catalogue_tc/catalogue_tc_browse.htm?commid=45306&published=on
It is divided into 5 principal Working Groups; Information security
management systems (ISMS), Cryptography and security mechanisms, Security
evaluation, testing and specification, Security controls and services, and
Identity management and privacy technologies.
The standard I am currently investigating is a standard within the scope of
WG 1, the ISO 27001. It is possible for a company to hold ISO 27001
certification. One of the sections of this standard concerns network
security, and compliance with this standard assumes that the adequate
protection mechanisms have been put in place by the company. However, as
far as I can see, the application of the standard is limited to the
organization itself. Therefore, the ISMS would be implemented only within
the company. What I would like to know is if a company supplies a system
which implements different types of network traffic, whether the protection
mechanisms implemented within the networks for trusted/untrusted
communication can be certified by a particular standard. The ISO 27001
standard relates to the organization, I would like to know if the data
communications of the product itself can be certified. In the link I sent
above there is a rather large number of standards, including ones regarding
network security techniques. However, I do not have access to all of them,
and I was wondering if these standards are intended for organizations or
products, and whether anyone has seen certification of products according
to these standards in practice.
On the other hand, there is the NITS 800-30 and one of the standards it
references, the ISO/IEC 27005:2011. However, the ISO/IEC 27005 is also
included within the list of standards applicable only to organizations,
here: https://www.iso.org/obp/ui/#iso:pub:PUB200004:en
Therefore, I have some doubts regarding whether compliance with the NITS
800-30 or the ISO/IEC 27005 automatically implies that the organization’s
products also comply with these standards.
Any opinions would be appreciated.
Kind regards,
Myriam.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.techfak.uni-bielefeld.de/mailman/private/systemsafety/attachments/20150115/bd0cce17/attachment-0001.html>
More information about the systemsafety
mailing list