Security standards without the headache: just facts, links, and context.
Security standards provide the technical and organizational foundations for protecting systems, data, and infrastructure. While they are not laws, they're often essential for demonstrating compliance with legal and regulatory requirements, including European mandates like the Cyber Resilience Act (CRA) and the Radio Equipment Directive (RED).
Whether you're working in enterprise IT, cloud services, automotive, healthcare, or industrial systems, these standards, when applied correctly, help you build systems that are more secure, more resilient, and easier to prove compliant.
What You'll Find in This Guide
This guide cuts through the noise and helps you make sense of security standards, fast. Here's what to expect:
- A clear overview of how security policies and standards fit into your organization's governance
- A breakdown of both horizontal standards (applicable across industries) and vertical standards tailored to specific domains like automotive, healthcare, and industrial systems
- Coverage of specialized areas like secure software development, AI risk, incident response, and more
- Contextual notes to help you understand which standards apply where, and how they map to regulations like GDPR, CRA, RED, and others
- Direct links to authoritative sources
Table of Contents
- From Policies to Standards
- Core Cybersecurity Standards (ISO/IEC)
- Risk, Governance & Security Frameworks
- Secure Systems, Software & Supply Chain
- Sector-Specific & EU-Aligned Standards
- Identity, Authentication & Cryptography
- Incident & Vulnerability Management
- Data Privacy & Payment Security
- Glossary
From Policies to Standards
Security standards don't exist in a vacuum; they flow from your company's broader governance structure.
In most organizations, the structure looks like this:
- Laws & Regulations: define the legal obligations (e.g., GDPR, HIPAA, RED, CRA)
- Policies: internal rules set by your organization to guide actions and align with legal and ethical requirements
- Standards: frameworks and best practices used to implement your policies
- Procedures: specific instructions, tools, or workflows that operationalize the standards
Note on Terminology
This post uses "security standards" in a broad, practical sense, including both formal standards (like ISO/IEC 27001) and widely adopted frameworks (like the NIST Cybersecurity Framework or CIS Controls). Some are certifiable, some are guidelines, and some are strategic models for risk management. Wherever you see "standard," think: "trusted reference for doing security right."
Example: Policy → Standard → Procedure
| Layer | Example |
|---|---|
| Policy | "All access to systems must be approved and reviewed regularly." |
| Standard | ISO/IEC 27001 A.9.2: User access provisioning must be controlled |
| Procedure | "Use Jira to submit an access request. IT Manager must review and approve. Quarterly audits via AccessReviewBot." |
This layered structure ensures your security program:
- Aligns with laws and regulations
- Is clear, enforceable, and auditable
- Scales as your company grows
- Builds trust with customers, partners, and auditors
Note on ISO and IEC
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) collaborate to publish many cybersecurity standards under the ISO/IEC label.
Note on EN and hEN Standards
EN standards (European Norms) are official European standards, and hENs are a subset recognized by the EU for legal compliance (e.g., RED, CRA).
The OJEU (Official Journal of the European Union) lists harmonised standards that provide presumption of conformity with EU laws.
Core Cybersecurity Standards (ISO/IEC)
These ISO/IEC standards form the foundation of most modern cybersecurity programs. ISO/IEC 27001 is certifiable and widely used for compliance, while others offer detailed guidance for implementation and sector-specific needs.
- ISO/IEC 27001 - Information Security Management Systems (ISMS): Requirements for establishing and maintaining an information security program.
- ISO/IEC 27002 - Information Security Controls: Implementation guidance for ISO/IEC 27001 controls.
- ISO/IEC 27017 - Cloud Security Guidelines: Cloud-specific security recommendations for providers and customers.
- ISO/IEC 27018 - PII Protection in the Cloud: Privacy-specific controls for cloud environments handling personal data.
- ISO/IEC 27005 - Risk Management: Risk assessment and treatment aligned with ISO/IEC 27001.
Risk, Governance & Security Frameworks
These frameworks help align cybersecurity with business goals, legal obligations, and risk management practices.
- COBIT - IT Governance Framework: Used for aligning IT strategy and operations with enterprise goals.
- ISO 31000 - Enterprise Risk Management: High-level risk principles and processes applicable across industries.
- NIST Cybersecurity Framework (CSF) - Risk-Based Cybersecurity Model: Voluntary but widely used framework for managing cybersecurity risks.
- NIST SP 800-53 - Security and Privacy Controls: A catalog of detailed controls for information systems.
- NIST SP 800-171 - Protecting Controlled Unclassified Information (CUI): For non-federal organizations handling sensitive government data.
- CIS Controls - Prioritized Cybersecurity Best Practices: A practical set of defensive actions for all organization sizes.
Secure Systems, Software & Supply Chain
These standards support building secure systems from the ground up, covering secure software development, engineering practices, and managing supply chain risks.
Secure Engineering & Development
- NIST SP 800-160 Vol. 1 - Engineering Secure Systems: Applies systems engineering principles to build trustworthy and resilient systems.
- ISO/IEC 27034 - Application Security: Integrates security into the software development lifecycle.
- NIST SSDF (SP 800-218) - Secure Software Development Framework: Outlines best practices for designing and building secure software.
Supply Chain Security
- NIST SP 800-161 Rev. 1 - Cybersecurity Supply Chain Risk Management: Helps organizations manage cyber risks in third-party and supplier ecosystems.
- ISO/IEC 27036 - Security for Supplier Relationships: Addresses governance, contract clauses, and ongoing assurance for suppliers.
Sector-Specific & EU-Aligned Standards
This group includes standards tailored for IoT, automotive, industrial systems, and those aligned with key EU regulations like RED and CRA.
IoT, Automotive, Medical, and Industrial
- ISO/SAE 21434 - Automotive Cybersecurity Engineering: Ensures cybersecurity across the vehicle lifecycle. Required for UNECE R155.
- ISO 24089:2023 - Road vehicles - Software update engineering: Specifies requirements and recommendations for software update engineering for road vehicles. Useful for UNECE R156.
- ETSI EN 303 645 - Baseline Security for Consumer IoT Devices: Sets baseline security requirements like default passwords and updates.
- ETSI TR 103 935 - Assessment of cyber risk based on products' properties: Provides guidance for evaluating the cyber risk of IoT products.
- IEC 81001-5-1 - Health software and health IT systems safety, effectiveness and security: Defines the life cycle requirements for development and maintenance of health software.
- IEC 62443 - Industrial Automation & Control Systems Security: The go-to standard for OT environments like SCADA and manufacturing.
EU Regulatory Alignment
- hEN 18031 - Cybersecurity for Radio Equipment (RED): A harmonised EU standard providing presumption of conformity under RED and CRA.
Identity, Authentication & Cryptography
Identity, authentication, and cryptography form the backbone of digital trust. These standards help secure access, manage credentials, and protect sensitive communications.
- Helps you design secure authentication flows for users and systems
- Supports GDPR, CRA, and eIDAS compliance with structured identity assurance
- Essential for systems involving SSO, MFA, remote onboarding, or cross-border ID verification
Note: eIDAS (Electronic Identification, Authentication and Trust Services) is an EU regulation that ensures secure and interoperable digital identity, signatures, and trust services across member states. It's especially relevant for organizations handling electronic transactions or user identification in the EU.
NIST Digital Identity Guidelines (SP 800-63)
- 800-63A - Enrollment & Identity Proofing
- 800-63B - Authentication & Lifecycle Management
- 800-63C - Federation & Assertions
Key Concepts:
- IAL: Identity Assurance Level
- AAL: Authenticator Assurance Level
- FAL: Federation Assurance Level
ISO/IEC Identity Standards
- ISO/IEC 24760-1 - Framework for Identity Management
- ISO/IEC 29115 - Authentication Assurance Framework
- ISO/IEC 29003 - Identity Proofing
Cryptographic Standards
- NIST FIPS 140-3 - Security Requirements for Cryptographic Modules
- NIST SP 800-131A Rev. 2 - Approved Algorithm Transitions
- NIST - Cryptographic Standards and Guidelines
- ISO/IEC 19790 - International Crypto Module Requirements
- NIST SP 800-52 Rev. 2 - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
- NIST - Post-Quantum Encryption Standards
Incident & Vulnerability Management
These standards provide guidance for detecting, responding to, and disclosing cybersecurity incidents and vulnerabilities.
Incident Response
- NIST SP 800-61 Rev. 3 - Incident Response Recommendations and Considerations for Cybersecurity Risk Management
- NIST SP 800-34 Rev. 1 - Contingency Planning Guide
- ISO/IEC 27035 - Incident Management Lifecycle
- ISO 22301:2019 - Security and resilience - Business continuity management systems
Vulnerability Management & Disclosure
- ISO/IEC 30111 - Vulnerability Handling Processes
- ISO/IEC 29147 - Vulnerability Disclosure Guidelines
Data Privacy & Payment Security
These standards are focused on securing sensitive personal and financial data, including GDPR alignment and industry regulations.
- PCI DSS - Payment Card Industry Data Security Standard
- ISO/IEC 27701 - Privacy Information Management System (PIMS)
Final Thoughts
Security standards are more than checklists; they're strategic tools for protecting digital assets, demonstrating compliance, and earning customer trust. Whether you're building a connected car, running a cloud platform, or operating critical infrastructure, these standards help you manage risk and prove that you're doing things right.
Glossary
| Term | Definition |
|---|---|
| AI RMF | Artificial Intelligence Risk Management Framework. A NIST-developed model for managing AI-specific risks like bias, security, and trustworthiness. |
| AIMS | Artificial Intelligence Management System. A certifiable ISO/IEC framework for governing AI across its lifecycle (e.g., ISO/IEC 42001). |
| CIS | Center for Internet Security. A nonprofit organization that publishes prioritized security best practices (like CIS Controls). |
| COBIT | Control Objectives for Information and Related Technologies. A governance and management framework for enterprise IT. |
| CRA | Cyber Resilience Act. A European regulation that introduces mandatory cybersecurity requirements for products with digital elements. |
| CSF | Cybersecurity Framework. A voluntary NIST framework that helps organizations manage and reduce cybersecurity risk. |
| C-SCRM | Cybersecurity Supply Chain Risk Management. A structured approach to identifying and managing supply chain cybersecurity risks. |
| CUI | Controlled Unclassified Information. Sensitive U.S. federal data that requires protection but isn't classified. |
| eIDAS | Electronic Identification, Authentication and Trust Services. An EU regulation that standardizes digital identity, signatures, and trust services across member states. |
| EN | European Norm. A standard adopted by recognized European standardization organizations (CEN, CENELEC, or ETSI). |
| ETSI | European Telecommunications Standards Institute. A major European standards body, especially for telecommunications and IoT. |
| GRC | Governance, Risk, and Compliance. An approach to aligning IT with business goals while managing risk and meeting compliance requirements. |
| hEN | Harmonised European Standard. A subset of EN standards published in the Official Journal of the EU that can be used to show compliance with EU legislation (e.g., RED, CRA). |
| IEC | International Electrotechnical Commission. An international standards organization for electrical, electronic, and related technologies. Often co-publishes ISO/IEC cybersecurity standards. |
| PCI DSS | Payment Card Industry Data Security Standard. A global standard for securing credit card transactions and cardholder data. |
| PIMS | Privacy Information Management System. An extension to ISMS focused on managing personal data privacy (e.g., ISO/IEC 27701). |
| RED | Radio Equipment Directive. An EU directive that sets requirements for radio-enabled devices, including cybersecurity provisions as of 2025. |
| SSDF | Secure Software Development Framework. A NIST framework (SP 800-218) outlining best practices for secure software development. |
Let's Connect
If you found this post helpful, or if you want to chat more about this or anything at the intersection of development and security, I'd love to hear from you.
Feel free to reach out on LinkedIn
Always happy to connect with fellow developers, researchers, and security-minded folks.
Stay curious. Stay secure.