Norms and Standards

Standards. Standards around the world define the prescribed characteristics of innovative products and professionally executed services, so that value can be created even under challenging competitive and market conditions. Adequate standards also create a reliable framework and set out the decisive requirements for engineering progressive future applications. Both goals sit in a tension between individualization and unification; however, such requirements are not necessarily contradictory. Economically sound standards, reflecting the state of the art and allocating resources responsibly, systematically improve quality in the areas of society they address, and it therefore makes sense to establish reliable minimum requirements. This concerns five areas of interest in particular: society, technology, administration, market economics (e.g. industry, production) and science.

Established standards are of particular importance for the global economy, and especially for resolving identified problems at the local level. Applying consolidated standards also improves the efficiency of processes and suggests systematic methods for creating value, which in turn strengthens confidence in marketed products and services. At the same time, standards set out minimum security requirements for the benefit of all.

The applied standards represent the national, regional and international state of the art and are based on international best practices. In particular, this includes national legal requirements (e.g. SVG, SVV), European legal standards (eIDAS, GDPR, NIS Directive, etc.) and state-of-the-art frameworks for technical as well as organizational requirements (e.g. CEN, Common Criteria for Information Technology, DIN, EESSI, ETSI, IETF, ISO, ITSEC, NIST, ÖNORM, Protection Profiles, SOG-IS, WebTrust for CA).

For a detailed explanation and in-depth description of A-SIT's activities, please see the list of relevant standards and best practices. Background information on legal requirements (e.g. resolutions, laws, regulations, implementing decisions) can be found in the section on legal bases.

Norms vs. Standards. Particularly in German-speaking countries, a distinction is made between norms and standards, whereas the Anglo-American world subsumes both under the term standards. Often, a norm is developed from the requirements of an existing standard, which has typically been engineered at a faster pace. Regardless of this, full compliance with, or orientation towards, the requirements set out in standards is voluntary unless they are made part of a contract or are required by law.

The norm. A norm is primarily a qualified document of well-founded recommendations and structured conditions that provides a solid framework. It is designed and developed with the involvement of the relevant stakeholders in a problem-solving process aimed at consensus. Examples of IT security norms include the DIN ISO/IEC 27000 series, ÖVE/ÖNORM EN ISO/IEC 17065, etc.

A standard. Standards can be developed without public participation, in either a formalized or a non-formalized process. In a formalized process, development takes place within the framework of an established set of rules (e.g. existing frameworks, adapted standards). A standard can, however, also be the result of a planned or unplanned process (e.g. spread by chance, widespread use of a technology). Best practices and so-called de-facto standards are also commonly applied; such de-facto standards are built on non-binding recommendations. Selected examples of standards in the IT security domain are: BSI Standard 200-2, Common Criteria for Information Technology Security Evaluation, SOG-IS Crypto Catalogue, etc. Relevant standards from other industries and topics include, for instance, HL7 and USB.

In the Anglo-American world, both processes are therefore subsumed under the term standardization. Standardization organizations are responsible for developing standards: they plan, design concepts, derive specifications and implement standards. They are also responsible for publishing and distributing the resulting standards. Standards are introduced at the national, regional and international levels.

Protection Profiles. Standardized protection profiles pursuant to the Common Criteria specifications define the protection requirements and security objectives for whole product classes. For digital signature schemes and techniques as well as for electronic identities in particular, these protection profiles are relevant guides for building secure systems.

Social benefits. Consumers benefit from global standardization, which makes life easier and more trustworthy. Standards from the domain of information technology security (also: IT security) are particularly useful for strengthening the quality of the security features of services, processes, systems and products. Applied standards are also internationally comparable, which promotes the spread of innovation and strengthens the compatibility of the computer systems involved. Furthermore, the development of novel solutions on the basis of legally binding principles (e.g. privacy and security by design) is planned in from the start. Standards are also particularly important for effectively preparing for the future security requirements of a highly interconnected world (e.g. the Internet of Things). Together, these factors improve economic performance and provide economic benefits along the IT security value chain, in particular:

  • Cross-domain interoperability of components and systems
  • Efficient risk management and minimization of the impact of damage events
  • A common language, standardized systems and fewer misunderstandings
  • Uniform measurement, methodical evaluation, systematic testing and continuous improvement of performance
  • International cooperation between heterogeneous organizations and companies
  • Identification of weaknesses and derivation of action plans
  • Quality assurance and continuous improvement
  • Reduction of redundancies and methodical simplification of complex core problems
  • Creation of new market access
  • Protective function for consumers, who can rely on trustworthy expectations
  • Review of existing performance standards and building on previous work