Which of the following is a standardized language used to communicate security information between systems and organizations?

What is the ISO?

ISO (International Organization for Standardization) is a worldwide federation of national standards bodies.

ISO is a nongovernmental organization that comprises standards bodies from more than 160 countries, with one standards body representing each member country. For example, the American National Standards Institute represents the United States.

ISO members are national standards organizations that collaborate in the development and promotion of international standards for technology, scientific testing processes, working conditions, societal issues and more. ISO and its members then sell documents detailing these standards.

The ISO's General Assembly is its decision-making body. It consists of representatives from the members and elected leaders called principal officers. The organization has its headquarters in Geneva, Switzerland, where a central secretariat oversees operations.

How are ISO standards developed?

The International Organization for Standardization has a six-stage process for developing standards. The stages include the following:

  • Proposal stage. The first step in developing a new standard starts when industry associations or consumer groups make a request. The relevant ISO committee determines whether a new standard is indeed required.
  • Preparatory stage. A working group is set up to prepare a working draft of the new standard. The working group is composed of subject matter experts and industry stakeholders; when the draft is deemed satisfactory, the working group's parent committee decides which stage occurs next.
  • Committee stage. This is an optional stage during which members of the parent committee review and comment on the draft standard. When the committee reaches consensus on the technical content of the draft, it can move to the next stage.
  • Enquiry stage. The draft standard at this stage is called a Draft International Standard (DIS). It is distributed to ISO members for comments and, ultimately, a vote. If the DIS is approved at this stage without any technical changes, ISO publishes it as a standard. If not, it moves to the approval stage.
  • Approval stage. The draft standard is submitted as a Final Draft International Standard (FDIS) to ISO members. They vote to approve the new standard.
  • Publication stage. If ISO members approve the new standard, the FDIS is published as an official international standard.

ISO participating members vote on standards approvals. A standard must receive affirmative votes from at least two-thirds of participating members and negative votes from no more than one fourth of participating members.

What is ISO certification?

As it relates to ISO standards, certification is a certifying body's assurance that a service, product or system meets the requirements of the standard. While ISO develops the standards, third-party certification bodies certify conformity with those standards.

According to the ISO, the phrase "ISO certification" should never be used to indicate that a product or system has been certified by a certification body as conforming to an ISO standard. Instead, ISO suggests referring to certified products or systems using the full identification of the ISO standard.

For example, instead of "ISO certified", ISO recommends using the phrase "ISO 9001:2015 certified." This fully identifies the standard being certified, including the version -- in this case, the version of ISO 9001 released in 2015.

While ISO does not do certifications, its Committee on Conformity Assessment works on standards related to the certification process.

How do businesses become ISO certified?

The process of getting certified to an ISO standard can be expensive, time-consuming and potentially disruptive to the business, so the first step is deciding whether certification is worth the cost. Reasons organizations pursue certification include the following:

  • Regulatory requirements. Regulations require some businesses and products to be certified against common standards.
  • Commercial standards. Even when certification is not a regulatory requirement, some industries treat certification to minimum standards as a de facto requirement for products and services.
  • Customer requirements. Even where there is no industry standard or regulatory requirement for certification, some customers, such as government agencies, may prefer or require it.
  • Improved consistency. Certification can help large organizations deliver consistent quality assurance across business units and across international borders.
  • Customer satisfaction. Enterprise customers that use a product or service in different contexts and countries appreciate consistent performance. Compliance with standards can also help the certified organization resolve customer issues.

The certification process for ISO standards varies, depending on the standard and the certifying body. For popular standards, organizations may need to first review and select a suitable certification body. Recommendations for the steps to follow to get certified in the ISO's quality management standard, ISO 9001:2015, include the following:

  • understand the ISO standard;
  • identify trouble areas, where operations do not meet ISO requirements;
  • formally document processes, procedures and plans to improve trouble areas;
  • implement ISO standards;
  • conduct an internal audit to check conformance with the standard before the official audit; and
  • undergo formal compliance audit or certification process.

International Electrotechnical Commission (IEC) standards and ISO

The IEC is another international standards body that establishes standards for electronic technologies. The IEC works with other standards bodies including ISO, the International Telecommunication Union and the IEEE.

Standards that ISO and the IEC jointly develop are identified by the prefix "ISO/IEC." An example is ISO/IEC 27001:2013, which specifies requirements for establishing and running an information security management system (ISMS); it has since been superseded by ISO/IEC 27001:2022. Note that certification applies to the ISMS, not to the security of any particular product, and that a revised edition means an organization's certificate has to transition to the new version within the period the certification bodies allow.

Some popular standards that the ISO and IEC jointly defined include these:

  • ISO/IEC 7498 is the set of standards that define the Open Systems Interconnection (OSI) reference model for communication protocols. OSI was first published in 1983, ISO adopted it as a standard in 1984, and the current version, ISO/IEC 7498-1, was published in 1994.
  • ISO/IEC 27000 is a family of standards for information technology security techniques.
  • ISO 31000 is an ISO-only standard (not a joint ISO/IEC one) that provides risk management principles and guidelines applicable to any person, business or agency, and standardizes the definitions of risk-related terms. It describes a risk management process whose risk assessment step consists of risk identification, risk analysis and risk evaluation.

History of ISO

ISO is the successor to the International Federation of the National Standardizing Associations (ISA), which operated from 1928 to 1942.

In 1946, after World War II, ISA members and the United Nations Standards Coordinating Committee held a meeting on international standards. Their work led to the formation of ISO as a nongovernmental organization the following year.

ISO published its first standard, ISO/R 1:1951 (Standard Reference Temperature for Industrial Length Measurements), in 1951. The standard is now known as ISO 1:2016. As of 2021, ISO had published more than 24,000 standards.

According to ISO, ISO is not an abbreviation. It is a word, derived from the Greek isos, meaning "equal," which is the root for the prefix iso- that occurs in a host of terms, such as isometric (of equal measure or dimensions) and isonomy (equality of laws, or of people before the law). The name ISO is used around the world to denote the organization, thus avoiding the assortment of abbreviations that would result from the translation of "International Organization for Standardization" into the different national languages of members. Whatever the country, the short form of the organization's name is always ISO.

Some of the most popular ISO standards include the following:

  • ISO/IEC 27000. This family of information security standards centers on ISO/IEC 27001, which specifies the requirements for an information security management system, and ISO/IEC 27002, which gives implementation guidance for the security controls listed in Annex A of 27001.
  • ISO/IEC 17799. This security management standard, the predecessor of ISO/IEC 27002, specified more than 100 best-practice controls for business continuity, access control, asset management and more; it was renumbered ISO/IEC 27002 in 2007 and the 17799 designation is withdrawn.
  • ISO/IEC 20000. This standard specifies requirements and codifies best practices for IT service management.
  • ISO/IEC 12207. This standard defines a consistent set of life cycle processes for software.
  • ISO 9000. This family of standards defines how organizations can establish and maintain effective quality management systems in manufacturing and service industries.

In a global marketplace, conforming with international standards can help businesses compete successfully.

This was last updated in October 2021

What language is STIX based on?

STIX 1.x is an XML-based language, which allows it to be extended and modified and processed with standard XML editors, readers and other tools. The current version, STIX 2.x, is serialized as JSON instead; when an exchange partner says "STIX," check which version they mean, because the two formats are not interchangeable.

What is Structured Threat Information Expression?

Structured Threat Information Expression, or STIX, is a structured language for expressing and sharing threat intelligence, and is the usual answer to the question this page is titled with. STIX and its companion transport protocol TAXII (Trusted Automated Exchange of Intelligence Information) began as community-driven projects led by MITRE and sponsored by the Office of Cybersecurity and Communications at the United States DHS; since 2015 both have been maintained as standards by the OASIS Cyber Threat Intelligence Technical Committee.
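As an added example (this code is not from the original page or from the OASIS STIX project), the following Python parses a STIX 2.1 JSON bundle the way a consumer of shared threat intelligence would: it checks the common properties every STIX object must carry (type, id, spec_version, created, modified), the "type--UUID" identifier format, the properties an indicator or relationship must have, and rejects relationships whose ends point at objects that were not accepted. The sample bundle, its identifiers and the object names are constructed for this example; the validation rules are the ones a minimal STIX 2.1 consumer would apply, not a complete implementation of the specification.

```python
"""Minimal STIX 2.1 bundle consumer: validate objects and pull out detection patterns.

Added example; the sample bundle below is constructed, not real intelligence.
"""
import json
import re

# STIX 2.1 common properties required on every domain and relationship object.
REQUIRED = ("type", "id", "spec_version", "created", "modified")
# Identifier format: object-type, "--", then an RFC 4122 UUID (version 1-5).
ID_RE = re.compile(
    r"^[a-z0-9][a-z0-9-]{0,249}--"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)
# STIX timestamps are RFC 3339 in UTC with a literal "Z" suffix.
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")

# Constructed sample bundle: one indicator, the malware it signals, the
# relationship linking them, and one deliberately malformed indicator.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0b2d3f6a-1c2e-4d5f-8a9b-0c1d2e3f4a5b",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
         "created": "2021-10-01T12:00:00.000Z", "modified": "2021-10-01T12:00:00.000Z",
         "name": "C2 beacon domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2.example.invalid']",
         "valid_from": "2021-10-01T12:00:00Z", "indicator_types": ["malicious-activity"]},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
         "created": "2021-10-01T12:00:00.000Z", "modified": "2021-10-01T12:00:00.000Z",
         "name": "ExampleRAT", "is_family": False},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--44af6c39-c09b-49c5-9de2-40f21b9b1b39",
         "created": "2021-10-01T12:00:00.000Z", "modified": "2021-10-01T12:00:00.000Z",
         "relationship_type": "indicates",
         "source_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
         "target_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b"},
        # Malformed on purpose: id is not type--UUID and "modified" is missing.
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--not-a-uuid",
         "created": "2021-10-01T12:00:00.000Z", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.7']",
         "valid_from": "2021-10-01T12:00:00Z"},
    ],
})


def validate_object(obj):
    """Return the list of problems found in one STIX object (empty if acceptable)."""
    problems = [f"missing {key}" for key in REQUIRED if key not in obj]
    if "id" in obj and "type" in obj:
        if not ID_RE.match(obj["id"]):
            problems.append(f"bad id format {obj['id']!r}")
        elif not obj["id"].startswith(obj["type"] + "--"):
            problems.append("id prefix does not match type")
    for key in ("created", "modified"):
        if key in obj and not TS_RE.match(obj[key]):
            problems.append(f"bad timestamp in {key}")
    if obj.get("type") == "indicator":
        problems += [f"indicator missing {k}" for k in ("pattern", "pattern_type", "valid_from") if k not in obj]
    if obj.get("type") == "relationship":
        problems += [f"relationship missing {k}" for k in ("relationship_type", "source_ref", "target_ref") if k not in obj]
    return problems


def load_bundle(text):
    """Parse a bundle; return (accepted_objects, rejected) with rejected mapping id -> problems."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or "objects" not in bundle:
        raise ValueError("not a STIX bundle")
    accepted, rejected = [], {}
    for obj in bundle["objects"]:
        problems = validate_object(obj)
        if problems:
            rejected[obj.get("id", "<no id>")] = problems
        else:
            accepted.append(obj)
    # Drop relationships whose ends were not accepted, so nothing dangles.
    ids = {o["id"] for o in accepted}
    for obj in list(accepted):
        if obj["type"] == "relationship" and not {obj["source_ref"], obj["target_ref"]} <= ids:
            accepted.remove(obj)
            rejected[obj["id"]] = ["dangling reference"]
    return accepted, rejected


def indicator_patterns(objects):
    """Return the STIX patterns a consumer would hand to its detection sensors."""
    return [o["pattern"] for o in objects if o["type"] == "indicator"]


if __name__ == "__main__":
    ok, bad = load_bundle(SAMPLE_BUNDLE)
    print("accepted:", [o["id"] for o in ok])
    print("rejected:", bad)
    print("patterns:", indicator_patterns(ok))
```

Rejecting rather than silently repairing a malformed object matters here: STIX is consumed by automated pipelines that turn patterns into detections, and an object with a non-conformant id cannot be deduplicated or referenced correctly by anything downstream, so it should be quarantined and reported back to the producer rather than loaded.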

What approach to threat identification begins with a listing of all resources owned by the organization?

The asset-centric approach: threat identification starts from an inventory of all resources the organization owns, and the threats to each asset are then enumerated. This differs from adversary-centric analysis, which starts from the attacker's TTPs; in that context TTP stands for tactics, techniques and procedures, not tools, techniques and policies.

Which is the best definition of a cybersecurity exploit?

A cybersecurity exploit is a tool or technique that takes advantage of a vulnerability to gain unauthorized access to a system or cause harm; the exploit is distinct from the vulnerability it targets, which is the weakness itself.