The cybersecurity industry, and incident response in particular, is a place where acronyms flourish, and it is easy to get lost in them. Standard, directive, law, process... let's look at the definitions of six acronyms commonly used in compliance that no one should ignore.

ISO 27001, the international standard for cyber risk management

ISO 27001, first published in 2005 and revised in 2013, was developed jointly by ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission), which is why its full designation is ISO/IEC 27001:2013. This international reference standard specifies the information security management system (ISMS) to be implemented within an organization. It provides a framework to help organizations establish, maintain and continuously improve their ISMS.

ISO 27001 is generic enough to be adapted to any type of organization, whatever its size, nature or sector of activity. Its aim is to put in place the protective measures needed to preserve the confidentiality, integrity and availability of the organization's information.

The standard addresses security through risk management. Its 252 requirements cover the following areas in particular:

  • regulations governing the protection of personal data
  • information security governance and data governance strategy
  • security of material resources (infrastructures, networks and IT systems)
  • human resources (staff organization and responsibilities, information system security policy, cybersecurity awareness, etc.)
  • physical security (access to buildings or IT infrastructure)
  • systems and software development and maintenance 
  • business continuity (BCP, DRP, etc.)

An organization that correctly applies all the requirements of ISO 27001 can have its ISMS certified by an auditor from an accredited certification body. ISO 27001 certification is a recognized mark of confidence in how data is stored and protected. Beyond being a commercial asset (more and more tenders require a certification file), it places the organization in a cycle of continuous improvement of its information system security.

LPM, the French military programming law

In France, the Loi de Programmation Militaire (LPM) has been voted on regularly since the 1960s. Every 4 to 6 years, this law sets the programme for military spending. The 2014-2019 LPM included a reinforced "cyber" component and initiated the legislative framework for Opérateurs d'Importance Vitale (OIV), making them responsible for securing their systèmes d'information d'importance vitale (SIIV).

The latest version, the LPM 2019-2025, makes cybersecurity a priority. Increasing the number of cybersecurity experts, protecting weapon systems and information systems from the design phase, and strengthening the capabilities of the CALID (Centre d'Analyse en Lutte Informatique Défensive, the armed forces' defensive cyber analysis centre) and the armed forces' SOCs are the key measures of this text.

NIS, the European cybersecurity directive

The NIS (Network and Information Security) Directive is a founding piece of legislation for cybersecurity at the European scale. Adopted in 2016 by the European Parliament and the Council, the directive had to be transposed into each member state's national law. According to ANSSI, in charge of this transposition in France: "This directive aims at the emergence of a strong and trusted Europe, which relies on the national cybersecurity capabilities of Member States, the establishment of effective cooperation and the protection of the nation's critical economic and societal activities, to collectively face the risks of cyberattacks."

One of the key points of this directive is to raise the level of cybersecurity in member states by setting up national CSIRTs (Computer Security Incident Response Teams).

The second objective of the text is to increase cross-border collaboration: it is by sharing information and working together that Europe can face up to cyber threats.

Finally, the directive lays down a series of network and information security requirements for operators of essential services (OES) and digital service providers. Each country must identify the operators in the sectors it considers "essential", such as energy, transport, water, health and finance. In France, this directive follows on from the 2014-2019 LPM and the establishment of OIVs (Opérateurs d'Importance Vitale).

Faced with increasing cyber threats, the European Union is seeking a higher level of security and is preparing a revision of this directive. The aim of NIS 2 is not to increase the number of security rules but to widen their scope of application. According to statements made by Guillaume Poupard, Director General of ANSSI, in June 2022, the number of "essential" entities would be multiplied by 10.


NIST CSF, the US cybersecurity framework

In the USA, the National Institute of Standards and Technology (NIST) published the CSF (Cybersecurity Framework) in 2014 to guide organizations operating critical infrastructure, largely in the private sector, in managing their cybersecurity risk. This "Framework for Improving Critical Infrastructure Cybersecurity" is the result of joint work between the US government, academia and private industry. Widely adopted around the world, the framework draws on existing standards, guidelines and best practices[1].

The five core functions of this framework are named by action verbs, from recognition to resolution:

  • Identify: develop an organizational understanding (systems, assets, data, etc.) in order to manage cybersecurity risk.
  • Protect: develop and implement the safeguards that ensure delivery of the organization's critical services.
  • Detect: develop and implement the activities that identify the occurrence of a cybersecurity event.
  • Respond: define the actions to be taken in response to a detected cybersecurity incident.
  • Recover: define the activities that maintain resilience plans and restore capabilities or services impaired by a cybersecurity incident.

Together, these functions give a strategic, lifecycle view of how an organization manages its cybersecurity risk.

Below these functions sit some twenty categories (risk management, maintenance, governance, etc.) and almost a hundred subcategories, each mapped to informative references in other standards such as ISO 27001. Adaptable to all types of organizations, the framework has the advantage of presenting its content in a simple, straightforward way.


PCI-DSS, protecting payment card transactions

PCI-DSS (Payment Card Industry Data Security Standard) is the set of security requirements that applies to any organization storing, processing or transmitting payment card data.

It comprises 12 main requirements, grouped into 6 "control objectives".

The first version of PCI-DSS was published at the end of 2004, and the standard is updated regularly. Its aim is to protect credit, debit and prepaid card transactions and to prevent the theft and misuse of cardholder data.

Every merchant and service provider that handles cardholder data is required to comply with PCI-DSS, whatever its transaction volume. This international standard is maintained by the PCI Security Standards Council, founded by the five major card brands (MasterCard, Visa, American Express, Discover and JCB).


NC, the flip side of compliance

Talking about compliance would make no sense without mentioning the acronym NC, for non-conformity (or non-compliance). By definition, a non-conformity is a failure to meet a rule in force: a deviation, in a process, service or product, from a stated requirement. Non-conformity with a regulation or standard is classified as a major or minor NC, depending on the corrective measures required to restore conformity.

Baptiste David, Head of PreSales & Delivery at Tenacy, is very clear on the subject:

"We can't achieve compliance without dealing with NCs on a daily basis! What's more, the handling of NCs represents a challenge for a certified organization. During an audit, proof of NC processing is required."