In 2000, Standards Australia made available an updated version of the joint Australia and New Zealand Standard AS/NZS 4444, which is a standard for Information Security Management. This standard is closely related to the British Standard BS 7799. References to these standards are outlined below.
Standards Australia is also introducing a third party certification scheme, which will allow organisations to be certified as meeting the code of practice outlined in AS/NZS 4444. This will mirror the certification scheme in place for BS 7799.
AusCERT supports these initiatives. In our opinion, the review of AS/NZS 4444 and the introduction of a certification scheme will provide an opportunity for Australian and New Zealand organisations to reach a common understanding of desirable security requirements internally and between partners.
In this page we provide a range of information about standards directly or peripherally associated with information security within Australia and New Zealand, and throughout the world. This page does not set out to exhaustively list all standards in the known universe that may relate primarily or peripherally to information security. The list provided has been constructed with a view to what interests AusCERT members. We will be happy to add further references as requested or required.
Members and other interested parties who are interested in further developments are encouraged to contact our Business Development Manager, Ben Barton, who is developing our role in this initiative.
AusCERT has not reviewed all of the documents listed in this web page. This information is provided purely as a reference for AusCERT members.
The primary information security standard in Australia is AS 4444, and in New Zealand NZS 4444. This two-part standard is closely related to BS 7799 (outlined below). See Standards Australia OnLine at http://www.standards.com.au.
The current version of Part 1 of this standard is AS/NZS 4444.1:1999 Information Security Management - Code of Practice for Information Security Management. More information is available by accessing the Standards Australia OnLine Catalogue and searching on Australian standard number 4444.1:1999.
Part 2 of AS/NZS 4444:1999 is expected to be available in March 2000. See DR 99448 Information Security Management - Part 2: Specification for Information Security Management Systems. More information is available by accessing the Standards Australia OnLine Catalogue and searching on 99448.
Standards Australia is currently coordinating a certification program for this standard.
Additionally, Standards Australia is developing a facility specifically related to standards for electronic commerce at http://www.ecommercestandards.com.
British Standard BS 7799 is a widely accepted standard that has been used as the basis for other information security standards, including AS/NZS 4444. It was developed by the British Standards Institute (BSI) - see British Standards Online at http://www.bsi.org.uk/.
The current versions of this two-part standard are:
BSI has implemented a certification scheme for BS 7799 through the C:Cure program. Further details are available at http://www.c-cure.org/. Copies of BS 7799 and associated guides are available through the C:Cure web site.
The International Organization for Standardization (ISO) has produced ISO standard IS 15408. This standard, The Common Criteria for Information Technology Security Evaluation v2.1 (ISO IS 15408), is effectively an evolutionary blending of ITSEC (see below), the Canadian criteria, and the US Federal Criteria (see below). It is available from http://csrc.nist.gov/cc/ccv20/ccv2list.htm.
An important series of documents is the Rainbow Series, which outlines a number of security standards developed in the United States. This series is available at http://www.radium.ncsc.mil/tpep/library/rainbow/.
Perhaps the most important of these books is the Trusted Computer System Evaluation Criteria (TCSEC, or Orange Book). While this standard has effectively been superseded by the other standards outlined above (it is dated 1985), it is nevertheless a useful document. A further document, the US Federal Criteria, was drafted but not adopted in the early 1990s. TCSEC can be found at http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html.
Details about the UK ITSEC evaluation scheme are available at http://www.itsec.gov.uk/.
The following standards are associated with security to varying degrees (i.e. moderately to closely). Different groups of members will have an interest in them to varying degrees. We would be pleased to add further relevant references upon request.
Copyright © 1993-2000, AusCERT.
Primary Information Security Standards
AS/NZS 4444
BS 7799
IS 15408 ("Common Criteria")
Rainbow Series ("Orange Book")
Information Technology Security Evaluation Criteria ("ITSEC")
The United Kingdom produced the Information Technology Security Evaluation Criteria (ITSEC) in the early 1990s, and it is another important historical evaluation scheme and standard. It builds on the Orange Book scheme to some extent, with greater granularity in its evaluation levels.
Other Standards and Guidelines
Australian Government Guidelines
Banking and Finance
Capability Maturity Model (CMM)
Miscellaneous
Last modified: Mon Jan 24 10:52:44 EST 2000
For more information on AusCERT see http://www.auscert.org.au/Information/Auscert_info/whatis.html