To facilitate your planning on information security management for your company, we have highlighted some internationally recognised information security standards, guidelines and effective security practices for reference.
The Government of the HKSAR has issued a Baseline IT Security Policy and a series of related IT security guidelines to provide reference and guidance to Government bureaux and departments on the protection of Government information systems. The related documents are obtainable through the hyperlinks provided below. Users should note that the documents are for general reference only; users are responsible for making their own assessment of the information provided and for obtaining independent advice before acting on it.
Baseline IT Security Policy - This document sets the baseline IT security policy requirements for Government bureaux/departments and states which aspects are of paramount importance.
IT Security Guidelines - This document introduces concepts relating to IT security and elaborates further on the Baseline IT Security Policy.
Internet Gateway Security Guidelines - This document acts as a supplementary document to IT Security Guidelines to provide guidelines on Internet gateway security.
Security Risk Assessment & Audit Guidelines - This document acts as a supplementary document to IT Security Guidelines to give an introduction to a generic reference model for IT security risk assessment and security audit.
Information Security Incident Handling Guidelines - This document acts as a supplementary document to IT Security Guidelines to provide reference for the planning and preparation for, the detection of, and the response to information security incidents.
There is increasing public concern about the security of information passing through public Wi-Fi networks. To address such a concern, the Communications Authority (CA) has published a set of security guidelines for public Wi-Fi service operators to follow. The guidelines are developed jointly with the industry and the relevant professional bodies.
ISO/IEC 27001 - The standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organisation.
ISO/IEC 27002 - The standard is the code of practice for information security controls, providing guidance on selecting and implementing the controls referenced by ISO/IEC 27001.
British Standard 7799 Part 3 - Guidelines for information security risk management published by BSI Group.
COBIT - The Control Objectives for Information and related Technology (COBIT) is a control framework for the governance and management of enterprise IT published by ISACA.
Common Criteria (also known as ISO/IEC 15408) - An evaluation framework for the security of IT products, developed by combining and aligning existing and emerging evaluation criteria through a collaborative effort of the national security standards organisations of Australia, Canada, France, Germany, Japan, the Netherlands, New Zealand, Spain, the UK and the US.
ITIL (and the related ISO/IEC 20000 series) - ITIL is a collection of best practices in IT service management (ITSM), and ISO/IEC 20000 is the international standard for ITSM that is aligned with it. Both focus on the service processes of IT and the central role of the user.
National Information Security Technology Standard Specification - A collection of national information security standards formulated by the National Information Security Standards Technical Committee. These standards cover information security management, information security evaluation, authentication and authorisation, etc.
SANS Security Policy Resource - A set of resources for the rapid development and implementation of information security policies.
A Guide to Personal Data Privacy and Consumer Protection on the Internet – The guide is published by the Hong Kong Productivity Council on the protection of data privacy.
Electronic Transactions Ordinance - The Ordinance gives electronic records and digital signatures used in electronic transactions the same legal status as their paper-based counterparts.
Guidance for Data Users on the Collection and Use of Personal Data through the Internet - The guidance is prepared by the Privacy Commissioner for Personal Data to assist organisations in complying with the Hong Kong Personal Data (Privacy) Ordinance.
Major Principles in OECD Guidelines for Consumer Protection in the Context of Electronic Commerce - The guidelines list the principles and good practices for consumer protection in e-commerce.
OWASP Top Ten Project - The document represents a broad consensus on the most critical web application security risks and serves as an awareness baseline for web application security.
Payment Card Industry Data Security Standard (PCI DSS) - A standard developed by the major payment card brands (including American Express, MasterCard Worldwide and Visa International) to protect payment account data; it applies to any organisation that stores, processes or transmits cardholder data.
A Practical Guide for IT Managers and Professionals on the Personal Data (Privacy) Ordinance – The guide was compiled by Hong Kong Computer Society (HKCS) to help enterprises, especially IT Managers and Professionals, to protect personal data privacy.
Best Practice Guide for Mobile App Development - The guide is tailored for small-to-medium enterprises (SMEs) to establish their own app development guidelines, taking due account of the protection of personal data privacy.
Guidance on Personal Data Erasure and Anonymisation - The guidance advises when personal data should be erased, and how personal data may be permanently erased by means of digital deletion and/or physical destruction.
Health Insurance Portability and Accountability Act (HIPAA) - The Act was enacted by the US government and establishes national standards for the privacy of individually identifiable health information.
ISACA's Standards, Guidelines and Procedures - The Standards Board of the Information Systems Audit and Control Association (ISACA) issues a series of information systems auditing standards, guidelines and procedures.
RFC 2350 Expectations for Computer Security Incident Response, from the IETF (Internet Engineering Task Force) - The document expresses the general Internet community's expectations of Computer Security Incident Response Teams (CSIRTs), including what information a team should publish about its services and how to contact it.
SANS Top-20 Security Risks - The list identifies 20 categories of vulnerabilities organised by the area they affect, such as those affecting operating systems and those affecting network devices.
Copyright 2002. The Government of the Hong Kong Special Administrative Region.