The International Organization for Standardization (ISO) is an independent, non-governmental international body whose membership comprises 163 national standards bodies. The ISO/IEC 27000 family of standards helps organizations keep their information assets secure by defining requirements and guidance for information security management.
ISO/IEC 27110, “Information technology, cybersecurity and privacy protection — Cybersecurity framework development guidelines,” specifies that every cybersecurity framework should be built around five concepts: Identify, Protect, Detect, Respond, Recover. It also describes the distinction between information security (protecting information assets in general) and cybersecurity (protecting them specifically from cyberspace-originated threats). These guidelines align with the NIST Cybersecurity Framework (CSF), which uses the same five functions.
- Identify: The Identify concept addresses people, policies, processes and technology when defining the scope of activities.
- Protect: The Protect concept can contain many categories and activities related to the safeguarding of assets against intentional or unintentional misuse.
- Detect: The Detect concept can include traditional asset monitoring and attack detection.
- Respond: The Respond concept can include the traditional incident response concepts as well as policies, procedures and plans.
- Recover: The activities in the Recover concept define the restoration and communication related activities after a cybersecurity event.
Google's security risk management capabilities are audited as part of ISO/IEC 27001/27002 (Information Security Management), ISO/IEC 27017 (Cloud Security), FedRAMP, and NIST 800-53. ISO/IEC 27110 itself is a set of development guidelines rather than a certifiable standard; the controls assessed under these audits align with the conceptual framework and recommended guidance it specifies (Identify, Protect, Detect, Respond, Recover).