ISO: Download over 600 Standards for free! (No, it is not piracy!)

A few days ago I reposted an old article on how to get a legit copy of ISO 27000 free of charge. Well, in truth, there are several other

How about downloading over 600 ISO standards free of charge? No subscription, no paywall, no strings attached! Simply over 600 Freely Available ISO Standards!

that that you can download and put to good use!

The complete list includes OVER 600 STANDARDS. Obliviously some may be quite outdated (like the ones from 1988!), but I was surprised to find out very recent publications on relevant topics such as ITInformation SecurityCloud Computing, and IT Service Management:

  • ISO/IEC 2382:2015 Information technology — Vocabulary
  • ISO/IEC 2382-37:2017 (E) Information technology — Vocabulary — Part 37: Biometrics
  • ISO/IEC 17788:2014 Information technology — Cloud computing — Overview and vocabulary
  • ISO/IEC 17789:2014 Information technology — Cloud computing — Reference architecture
  • ISO/IEC 19395:2015 Information technology — Sustainability for and by information technology — Smart data centre resource monitoring and control
  • ISO/IEC 19678:2015 Information Technology — BIOS Protection Guidelines
  • ISO/IEC TR 20000-10:2015 Information technology — Service management — Part 10: Concepts and terminology
  • ISO/IEC TR 20000-11:2015 Information technology — Service management — Part 11: Guidance on the relationship between ISO/IEC 20000-1:2011 and service management frameworks: ITIL
  • ISO/IEC TR 20000-12:2016 Information technology — Service management — Part 12: Guidance on the relationship between ISO/IEC 20000-1:2011 and service management frameworks: CMMI-SVC
  • ISO/IEC 27036-1:2014 Information technology — Security techniques — Information securityfor supplier relationships — Part 1: Overview and concepts
  • ISO/IEC 27000:2016(E) Information technology — Security techniques — Information security management systems — Overview and vocabulary

For the complete list, follow this link:

Cybersecurity excellence builder: A free download from NIST

KNOWING IS HALF THE BATTLE. I never expected a cliché quote from my Saturday morning childhood cartoons (Yo Joe!) to be a solid recommendation that I use on a day-to-day basis. This advice is particularly true whenever dealing with strategic disciplines such as cybersecurity, risk management, IT service management, corporate governance or business continuity. Yet, the absence of structured information is one of the most usual concerns for organizations.


So, what is the excuse? In terms of good practices / standards there are more than enough publications that can be used by most organizations ensure a great/practical benefit for business.

For instance, COBIT 5 is one of the most reliable frameworks for measuring information security maturity/capabilities. Putting COBIT DSS05 (Manage Security Services) process to practice is one of the most effective ways to enable business in achieving an adequate data protection level.



Cobit 5 – Enabling processes – DSS05 RACI Chart

Aside from time-tested solutions, a new and free publication recently captured my attention. If you want a quick look at your cybersecurity maturity level, NIST’s Baldrige Cybersecurity Excellence Builder is a great self-test tool.

The current draft version was published by the National Institute of Standards and Technology (NIST) last September, and even as a draft, it has a simple yet very pragmatic approach. The whole idea is enabling organizations to better understand the effectiveness of their cybersecurity risk management efforts. It helps leaders of organizations identify opportunities for improvement based on their cybersecurity needs and objectives, as well as their larger organizational needs, objectives, and outcomes.

Using the self-assessment it is possible to:

  • determine cybersecurity-related activities that are important to your business strategy and critical service delivery;
  • prioritize your investments in managing cybersecurity risk;
  • determine how best to enable your workforce, customers, suppliers, partners, and collaborators to be risk conscious and security aware, and to fulfill their cybersecurity roles and responsibilities;
  • assess the effectiveness and efficiency of your use of cybersecurity standards, guidelines, and practices;
  • assess the cybersecurity results you achieve;
  • identify priorities for improvement.

The publication is straightforward, with easy to follow practices. Just one word of advice: as with any self-test, it is necessary to have some basic understanding on the evaluated topic, so someone with a reasonable cybersecurity experience should validate any results in order to avoid any misinterpretation or errors.


As mentioned before, the Baldrige Cybersecurity Excellence Builder is a free publication, and it can be downloaded HERE (warning: PDF).



ISO 27000 – free and legal download!

IF YOU ARE AN INFOSEC PROFESSIONAL, STUDENT OR HAVE ANY INTEREST ON THE SUBJECT you are very likely to have heard about ISO/IEC 27001: 2013. What you may not know is that the 27K family is much, much bigger.

Currently there are 16 publications dedicated to the implementation and operation of an ISMS (Information Security Management System) aligned to international standards, and suitable for business of all sizes and verticals. According to the Brazilian National Information Security Survey, which I published last year, more and more Brazilian companies have been investing and adopting the standard.

Read more