Is there any industry standard security documentation I can use a baseline?

By bgksentry
I'll just break it down fully.
The owner of my company is working on a partnership deal with an insurance company. His plan is for us to survey a potential client's network and analyze the security based on a set of industry standard guidelines. If they are deemed secure, or purchase the equipment and service we provide (that's the key here), then they are approved for a cost-effective insurance plan for their data and network.
We are a security-experienced group of 4 engineers; all of us are MCSE, and two of us are Security+ certified. Analyzing and finding security faults is no difficult task for us: things like password policy, use of domains instead of workgroups, DMZ, NAT, etc. However, we are having trouble finding unbiased industry standard documentation for the basic networks we are dealing with. We are considering purchasing the ISO 27000 documentation online, but I wanted to ask around to see if anyone has ever dealt with anything similar. I appreciate any guidance in this matter. Thanks.


All Answers

I've been doing this for many, many years

by robo_dev, in reply to the original question

It depends on what your requirements are, but in the past the starting point was the SAS 70 certification, and today its replacement SSAE 16, supported of course by the ISO 27001 set of standards.

I hate to say 'it all depends' but it does.

If you don't have a mandatory compliance situation like PCI or FIPS 140, then you're really not going to find a 'one size fits all' solution. For any organization, you need to identify what the risks are, what controls exist to mitigate those risks, and verify that the controls are working.

I might point you in the direction of the security standards and hardening guidelines developed and maintained by NIST.

IT-Grundschutz

by toomas.mottus, in reply to the original question

There is actually no need to buy the ISO 27000 documentation. The German standards body has taken ISO 27000 and created an improved baseline security standard. It has also taken into account additional standards like ITIL, with the V-model and the Deming cycle.

The standard itself is available at:

And the security threats and measures catalogue is available at:

Please take into account that the English version of the catalogue is not the most up-to-date version.
