An Introduction to Standards related to Information Security

The good thing about standards is that there are so many of them." This humorous comment is often made when some well meaning team member wants to solve a problem by referring to a standard. This may be true, but what is also true is that information systems are becoming more "complex" (in the vaguest sense of the word), that systems and the information processed are more distributed and that the requirement for access is more demanding. Also, the requirement for access is not limited to, or from, a specific or single site, organisation or even country. This has a huge effect on interfacing requirements, information storage and presentation formats and, of course, security. Adopting internationally recognised standards is a definite route to solve a lot of these problems. Standards are a mechanism for different stakeholders to refer to a common, trusted reference. Standards provide a common technological language, thus enabling a system stakeholder to provide definitions for terms used in a project, and to qualify vague expressions such as "complex". The South African Bureau of Standards (SABS) is the recognised national institution for the promotion and maintenance of standards in South Africa. The SABS prepare and publish South African National Standards (identified by the letters SANS) reflecting national consensus on a wide range of subjects. A business unit of the SABS, Standards South Africa (StanSA), administers more than 450 technical committees and subcommittees to produce standards. The SABS is a member body of the International Organisation for Standardisation (ISO) and participates actively in a number of their committees. This tutorial provides a short introduction to International and South African National Standards related to Information Security. Some of the existing standards are highlighted and the development process is introduced. The tutorial focuses on ISO/IEC International Standards and the national adoption or development by StanSA.