Standards are produced by numerous security, government and regulatory organisations. Some are mandatory, depending on the business activities you carry out and the markets you operate in. Others can be adopted as best practice, or used as a basis for defining your own company standards. i2S recommends the following resources as a good starting point:
- SANS 20 - The 20 Critical Security Controls, a prioritised list of the controls every business should implement as a minimum to protect itself. The list originated with SANS and is now maintained and published by the Center for Internet Security as the CIS Controls
- ISO 2700x - The ISO/IEC 27000 series, covering Information Security Management Systems (ISMS). ISO/IEC 27001 sets out the requirements an ISMS must meet and is the standard an organisation is certified against; ISO/IEC 27002 is the accompanying code of practice for the controls
- COBIT - The Control Objectives for Information and related Technology is a framework developed by ISACA for IT management and governance. COBIT also provides security-specific guidance
- ITIL - The Information Technology Infrastructure Library is a collection of best practices in IT Service Management (ITSM). Again, ITIL can be adopted across all of IT, including security
- PCI DSS - The Payment Card Industry Data Security Standard is maintained by the PCI Security Standards Council, which was founded by the major payment card brands. If you store, process or transmit cardholder data, it is your responsibility to secure it in line with the standard, and your acquiring bank or card brands will expect you to demonstrate compliance
- SOX - The Sarbanes-Oxley Act of 2002 is mandatory for any company publicly traded on a US stock exchange. Its requirements for internal controls over financial reporting (Section 404) extend to the IT systems and access controls that underpin those financial records