5. Related Publications
The risk management approach described by CSFaaS is underpinned by several security standards and guidelines essential for managing information security risks. Key resources include:
NIST Publications
- [NIST FIPS 199], "Standards for Security Categorization of Federal Information and Information Systems", February 2004.
- [NIST FIPS 200], "Minimum Security Requirements for Federal Information and Information Systems", March 2006.
- [NIST SP 800-12, Rev. 1], "An Introduction to Information Security", June 2017.
- [NIST SP 800-18], "Guide for Developing Security Plans for Federal Information Systems", February 2006.
- [NIST SP 800-30 Rev. 1], "Guide for Conducting Risk Assessments", December 2018.
- [NIST SP 800-37 Rev. 2], "Risk Management Framework for Information Systems and Organisations: A System Life Cycle Approach for Security and Privacy", December 2018.
- [NIST SP 800-39], "Managing Information Security Risk: Organisation, Mission, and Information System View", March 2011.
- [NIST SP 800-53 Rev. 5], "Security and Privacy Controls for Information Systems and Organisations", December 2019.
- [NIST SP 800-53A Rev. 5], "Assessing Security and Privacy Controls in Information Systems and Organisations", January 2022.
- [NIST SP 800-53B], "Control Baselines for Information Systems and Organisations", December 2020.
- [NIST SP 800-161 Rev. 1], "Cybersecurity Supply Chain Risk Management Practices for Systems and Organisations", May 2022.
- [NIST SP 800-171 Rev. 3], "Protecting Controlled Unclassified Information in Nonfederal Systems and Organisations", May 2024.
- [NIST SP 800-171A Rev. 3], "Assessing Security Requirements for Controlled Unclassified Information", May 2024.
- [NIST SP 800-221], "Enterprise Impact of Information and Communications Technology Risk: Governing and Managing ICT Risk Programs Within an Enterprise Risk Portfolio", November 2023.
- [NIST IR 8286], "Integrating Cybersecurity and Enterprise Risk Management (ERM)", October 2020.
- [NIST IR 8286A], "Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management", November 2021.
- [NIST IR 8286B], "Prioritizing Cybersecurity Risk for Enterprise Risk Management", February 2022.
- [NIST IR 8286C-ipd1], "Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight", September 2022, updated March 2024.
- [NIST IR 8286D], "Using Business Impact Analysis to Inform Risk Prioritization and Response", November 2022.
ISO/IEC
International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standards for risk management and information security:
- [ISO/IEC 31000], "Risk management - Principles and guidelines".
- [ISO/IEC 31010:2019], "Risk management - Risk assessment techniques".
- [ISO/IEC 27001:2022], "Information technology - Security techniques - Information security management systems - Requirements".
- [ISO/IEC 27002:2022], "Information security, cybersecurity and privacy protection - Information security controls".
- [ISO/IEC 27005:2022], "Information technology - Security techniques - Information security risk management systems".
EU Regulations
- ENISA guidance and regulatory frameworks from the European Union
- EU Cyber Resilience Act (CRA)
- EU Digital Operational Resilience Act (DORA)
- EU General Data Protection Regulation (GDPR)
- EU NIS2 Directive
Other Organisations
Additionally, CSFaaS draws significant influence from various organisations and their publications, including:
- American Institute of Certified Public Accountants (AICPA)
- Center for Internet Security (CIS)
- Cybersecurity Maturity Model Certification (CMMC, US DoD)
- European Telecommunications Standards Institute (ETSI)
- MITRE ATT&CK
- PCI Security Standards Council
- Sherwood Applied Business Security Architecture (SABSA)
- VERIS Framework
Other international regulations
For information on regulations worldwide, we strongly recommend the UNIDIR Cyber Policy Portal: an interactive map of the global cyber policy landscape, providing profiles of the cyber policies of all 193 UN Member States, as well as of various intergovernmental organisations and multilateral frameworks.