1 - I'm trying to look for the best ISO norms for a web application that has a web server, DB, firewall and application server. So if I try to write an IT security concept for a web application, which norm should I use?
Answer: For the security of a web application I'd suggest you take a look at ISO 15408 on the ISO site: https://www.iso.org/standard/50341.html This standard is an international reference for computer security certification.
2 - What is the main difference between 27001, 27002, 27003 and 27004? I'm trying to read them, but I feel there is a lot of similarity and no difference to help choose the right one of them.
Answer: ISO 27001 covers the requirements for the establishment, implementation, maintenance and continual improvement of an Information Security Management System. ISO 27002 provides details and recommendations for the implementation of the controls described in Annex A of ISO 27001.
ISO 27003 provides details and recommendations for the implementation of the requirements of ISO 27001. And ISO 27004 provides specific guidance for monitoring, measurement, analysis and evaluation of an ISMS.
In short, ISO 27001 defines what must be done, and ISO 27002, 27003 and 27004 provide recommendations about how to do what is required.
Thank you for your reply.
Is 27001 combined with 27002 a good idea to secure a web application also? Because I mean there are some points in 27001 that we probably don't need, or if I want to write a security policy for a web application; also because I didn't get a lot of information about 15408 and how it works.
What do you think about PCI? I'm just trying to get the best norm and explain why. Thanks for your help.