
What are the various Cyber security standards / Information security standards and where do you find the copies of these?

The following are some of the cyber security standards most often used across the world:


  1. ISO 27001:2013 - A well-known international standard on information security. Note that this standard is not available for free and needs to be purchased; however, references to various aspects of it can be found on the internet. Certification against this standard is also available.


How the standard is used by practitioners and organizations: This standard is used to implement an information security management system in an organization. It serves as a reference to identify which systems and processes an organization needs to build in order to implement and maintain information security / cyber security. For example, the standard states that an information security policy needs to be developed, internal audits need to be conducted, etc. Annex A of the standard is used to develop information security policies and controls.


Copies of this standard need to be purchased - https://www.iso.org/isoiec-27001-information-security.html 


  2. ISO 27002 - A code of practice and implementation guidance document that supplements ISO 27001. It provides details on how each control from Annex A of ISO 27001 can be implemented and lists the detailed activities that may be performed.


How the standard is used by practitioners and organizations: If a practitioner or organization needs details of any control, or further controls, these are available in this standard. For example, ISO 27001:2013 control A.6.1.3, Contact with authorities, gives only limited detail (“Appropriate contact with relevant authorities shall be maintained”), so a practitioner would want to know which authorities contact should be maintained with. ISO 27002 provides these details: law enforcement, regulatory bodies, supervisory authorities, utilities, emergency services, electricity suppliers, telecommunication providers, etc.



  3. NIST Cybersecurity Framework (NIST CSF) - A well-known cyber security framework that provides a maturity model for an organization's cyber security journey. It was developed by the National Institute of Standards and Technology (NIST), United States, especially for US Federal government agencies. This framework is available for free on the Internet.



How the standard is used by practitioners and organizations: NIST CSF is generally used to benchmark an organization's cyber security against the NIST tiers and to create a roadmap for reaching the next tier rating.



  4. NIST 800-53: This standard consists of security and privacy controls for information systems and organizations. Since it is developed by NIST, US, its primary intent is to assist US Federal government agencies in implementing security and privacy. However, many organizations across the world use it to identify the controls that may apply to a given aspect. It is comparable to ISO 27002 and plays a similar role, providing detailed controls on what needs to be done for various aspects such as physical security, access control, etc.



How the standard is used by practitioners and organizations: If a practitioner or organization needs details of any control, or further controls, these are available in this standard. For example, the standard gives granular details on what to do about invalid login attempts: “Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and

Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other [Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded.”
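As an added illustration (not code from the original post or from NIST), the quoted control expressed as a small Python policy: consecutive invalid logon attempts are counted within a time window, and once the limit is reached the account is locked either for a period or until an administrator releases it, with a notification recorded. The parameter values are constructed samples, and the names LockoutPolicy and AccountState are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)  # recent consecutive failures
    locked_until: Optional[datetime] = None                 # timed lock ("for a time period")
    admin_lock: bool = False                                # "until released by an administrator"
    notifications: List[str] = field(default_factory=list)  # "notify system administrator"


class LockoutPolicy:
    """Constructed sample parameters: 3 attempts per 15 minutes, 30-minute lock.
    lock_duration=None selects the lock-until-administrator-release option."""
    def __init__(self, max_attempts=3, window=timedelta(minutes=15),
                 lock_duration=timedelta(minutes=30)):
        self.max_attempts, self.window, self.lock_duration = max_attempts, window, lock_duration
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self._state(user)
        return st.admin_lock or (st.locked_until is not None and now < st.locked_until)

    def attempt(self, user: str, success: bool, now: datetime) -> str:
        """Process one logon attempt and return 'ok', 'denied' or 'locked'."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"        # rejected without counting, so the lock cannot be extended
        if success:
            st.failures.clear()    # a successful logon resets the consecutive count
            return "ok"
        # Keep only failures inside the window, then add this one.
        st.failures = [t for t in st.failures if now - t < self.window] + [now]
        if len(st.failures) < self.max_attempts:
            return "denied"
        if self.lock_duration is None:
            st.admin_lock = True
        else:
            st.locked_until = now + self.lock_duration
        st.failures.clear()
        st.notifications.append(f"{user} locked at {now.isoformat()}")
        return "locked"

    def admin_release(self, user: str) -> None:
        st = self._state(user)
        st.admin_lock, st.locked_until, st.failures = False, None, []
```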



These are the most commonly referenced standards for cyber security / information security across the world, and practical knowledge of them is important for an ITGC / ISO 27001 / NIST CSF / GRC expert.


Helpful resources:


