Security · Topic 03 of 23 · Part I — Foundations

Standards & frameworks

Standards give testers vocabulary and structure; they give professional defensibility — the difference between citing NIST 800-115 and saying "we improvised".

Syllabus: § ICT Security Fundamentals (1.1–1.3) → Understanding relevant security standards and frameworks
Topic 03 · The landscape map

Why the field has so many standards — and why it matters

By the end of this topic you can:
  • Name the major standards and state in one sentence what each is for
  • Choose an appropriate standard when scoping or executing a test for a given client
  • Distinguish testing methodologies, management frameworks, controls catalogues, and hardening guides
  • Locate the relevant section of a standard's table of contents for a given testing problem

Four families — not one list

Conflating the families is the most common source of client confusion. Each answers a different question.

Family                     | Question it answers                                   | Key examples
1 · Testing methodologies  | How do I perform a security test?                     | OSSTMM, PTES, OWASP WSTG, NIST 800-115, BSI Studie
2 · Management frameworks  | How should an organization run its security program?  | ISO/IEC 27001, NIST CSF
3 · Controls catalogues    | What specific protections should be in place?         | CIS Controls v8, ISO/IEC 27002, BSI IT-Grundschutz, NIST 800-53
4 · Hardening guides       | How do I configure this specific technology securely? | CIS Benchmarks, DISA STIGs, vendor baselines
Heuristic: If it tells you what to do as a tester → family 1. If it describes the client's program → family 2. If it lists specific safeguards → family 3. If it gives step-by-step config commands → family 4.

Family 1 — Testing methodologies: OSSTMM & PTES

OSSTMM

  • Open Source Security Testing Methodology Manual (ISECOM)
  • Treats testing as a measurement discipline — defines a RAV (Risk Assessment Value) to express results numerically
  • Covers human, physical, wireless, telecom, and data-network channels
  • Best when rigorous, repeatable quantification is required

PTES

  • Penetration Testing Execution Standard — community-driven, web-hosted
  • Seven phases: pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, reporting
  • Strong on engagement lifecycle and threat modeling
  • Pragmatic and widely cited; good starting point for newcomers

Family 1 — Testing methodologies: OWASP, NIST, BSI

OWASP

  • WSTG Testing Guide — web-app methodology with specific mapped test cases
  • Top 10 Risk-awareness list — the most cited and most misused OWASP deliverable; a risk list, not a methodology
  • ASVS Application Security Verification Standard — levels of security requirements an application should satisfy
  • MASTG / MASVS Mobile equivalents of WSTG / ASVS; API Security Top 10 for API-specific risks
Common mistake: The Top 10 is a risk-awareness list, not a test-case guide. Use WSTG for methodology; cite the Top 10 only for risk framing.

NIST SP 800-115

  • US federal guidance — freely available, widely referenced
  • Three pillars: Review · Target identification & analysis · Vulnerability validation
  • Accessible vocabulary; less prescriptive than OSSTMM

BSI Studie

  • Durchführungskonzept für Penetrationstests — German federal counterpart
  • Defines pentest classification axes: perspective, information basis, aggressivity, scope, approach, technique, target
  • Valuable for scoping conversations with DACH-region clients

Family 2 — Management frameworks

Testers do not implement these — but every large client is governed by at least one. Knowing them lets you hold a credible conversation.

ISO/IEC 27001

  • Dominant management-system standard for information security (ISMS)
  • Certification means the ISMS was independently audited against the standard
  • Requires periodic risk assessment — a primary driver for testing engagements
  • Companion: ISO/IEC 27002 (controls catalogue, family 3)

NIST CSF v2.0 (2024)

  • Six functions: Govern, Identify, Protect, Detect, Respond, Recover
  • Testing exercises Detect, Protect, and Respond most directly
  • Clients may request findings "mapped to CSF functions"

Sector-specific

  • PCI-DSS (payment cards), HIPAA (US healthcare)
  • DORA (EU financial sector, 2025) — mandates Threat-Led Penetration Testing (TLPT)
  • NIS2 (EU critical infrastructure) — extends testing obligations to many new sectors

Data protection as a testing driver

Privacy regulations are increasingly why clients commission testing — not just ISO 27001 or sector frameworks.

GDPR (EU): Article 32 mandates appropriate technical and organizational security measures. Applies globally to organizations handling EU residents' data. Fines up to 4% of global annual revenue.
FADP (Switzerland, 2023): Broadly GDPR-aligned. Security testing is a common mechanism to demonstrate compliance. Testers handling client data must respect the FADP's data-minimization and lawfulness requirements.
Other regimes: CCPA / CPRA (California), HIPAA (US healthcare), LGPD (Brazil), PDPA (Singapore). Each jurisdiction imposes its own obligations; testers working internationally must identify which applies.

When a client says "show us how secure our data handling is" — that brief is usually driven by a privacy regulation, not a framework preference.

Swiss regulations and assurance frameworks

Swiss-specific

Regulation     | Testing relevance
FINMA 2023/1   | Requires periodic pentesting and vulnerability assessments at Swiss financial institutions; defines frequency and scope
NCSC guidance  | Baseline measures and incident-response guidance for federal and critical organizations
GeBüV          | Electronic bookkeeping; relevant when assessing accounting and ERP systems

Financial client → FINMA 2023/1. Data processor → FADP. EU operations → NIS2 / DORA.

SOC / ISAE attestations

  • SOC 2 Type II — broad audit of five trust criteria over 6–12 months; common for SaaS and cloud providers in the US market
  • SOC for Cybersecurity — narrower, deeper; focused on cybersecurity risk management aligned with NIST CSF
  • ISAE 3402 — international (ISO/IAASB) equivalent of SOC 2; preferred in Europe
Tester role: These are audit frameworks — testers support control validation; the auditor leads.

Family 3 — Controls catalogues

The "what should have been there" reference. Cite a published control rather than improvising remediation advice.

CIS Controls v8

  • 18 controls broken into safeguards tagged by implementation group
  • IG1 = small org, IG2 = medium, IG3 = large — enables prioritized remediation by client size
  • Practical starting point for any Swiss SME

ISO/IEC 27002

  • Companion catalogue to ISO 27001
  • Describes objectives, not implementation steps — broader and less prescriptive than CIS

BSI IT-Grundschutz

  • German federal baseline catalogue — very detailed
  • Organized into modules, e.g. OPS.1.1.3 Patch and Change Management
  • Used heavily in DACH public sector; valuable when the client follows Grundschutz

NIST SP 800-53

  • US federal controls catalogue — over 1 000 controls and enhancements
  • Primarily relevant for US federal or federal-adjacent work

Family 4 — Hardening guides

Technology-specific, step-by-step configuration instructions — family 3 controls made concrete for a specific platform.

CIS Benchmarks

  • Available for Windows, Linux, macOS, Docker, Kubernetes, AWS, Azure, GCP, databases, network devices — nearly every major technology
  • Level 1 — basic hardening for most organizations
  • Level 2 — advanced, for high-sensitivity environments
  • Prescriptive down to specific values and commands

DISA STIGs

  • US Department of Defense equivalent — more stringent, assumes hostile environment
  • Applicable for defence-adjacent clients

Three tester use cases

  • Validation — benchmark as a test checklist
  • Remediation citation — "enable MFA per CIS Benchmark §2.3.11"
  • Scoping vocabulary — "CIS Level 1 or Level 2?" is more precise than "secure"

Hardening guides assume the technology is correctly deployed. They do not address architectural flaws.

Using standards in a real engagement

  1. Citation, not recitation. Name the methodology at engagement level; point to controls only at the finding level.
  2. Prompt, not checklist. Use a standard as a floor — every item considered — then exceed it through target-specific judgement.
  3. Mind the version. NIST CSF is at v2.0 (2024); CIS Controls at v8. State the version in every report.
Example wording: "Testing was conducted in accordance with PTES, with web-application portions guided by OWASP WSTG v4.2. Remediation aligns with CIS Controls v8 Safeguard 5.3 — Disable Dormant Accounts."

Choosing the right standard for the job

Situation                           | Primary reference                                    | Pair with
Web or mobile application target    | OWASP WSTG (test cases) + OWASP ASVS (requirements)  | OWASP Top 10 for risk framing
API target                          | OWASP API Security Top 10 + WSTG                     | OWASP ASVS
Network / infrastructure pentest    | NIST 800-115 + PTES                                  | BSI vocabulary for DACH clients
Client needs measurement & metrics  | OSSTMM                                               | PTES for engagement structure
"What should we fix first?"         | CIS Controls v8 (prioritized by IG)                  | ISO 27002 for broader coverage
Regulated sector                    | Whatever the regulator demands                       | One of the above as operational methodology

Most engagements combine two or three standards — one methodology, one or two controls or hardening references.

Check — ISO 27001 as a testing mandate

Scenario

A client says: "We want to be tested against ISO 27001." Is that a meaningful request? What would you need to clarify?

Answer

ISO 27001 is a management-system framework, not a testing methodology — you cannot directly "test against" it. Clarify whether they want: (a) a pentest whose findings map to ISO 27002 controls; (b) an audit of their ISMS; or (c) compliance evidence supporting their 27001 certification cycle. Each is a different engagement type with different deliverables.

What you take home

  • Standards provide professional vocabulary, engagement structure, and legal defensibility — not bureaucratic overhead
  • Four families: testing methodologies, management frameworks, controls catalogues, hardening guides — conflating them causes client confusion
  • OSSTMM, PTES, OWASP WSTG, NIST 800-115, and BSI Studie tell you how to test; ISO 27001 and NIST CSF describe the client's security program
  • Privacy laws (GDPR, FADP, CCPA) are increasingly the primary reason clients commission testing
  • In Switzerland: FINMA 2023/1 mandates periodic testing for financial institutions; FADP governs data handling throughout the engagement
  • CIS Controls v8 is the most actionable remediation reference for most clients; cite the version and safeguard number
  • Most engagements use one methodology and one or two controls or hardening references in combination

Next: Topic 04 — Scope and testing boundaries. Where standards meet the contract that defines what a tester may and may not do.

END · TOPIC 03

Standards are the floor, not the ceiling

Before next session: find the CIS Benchmark for an OS you use and read the Level 1 profile introduction.