The Standard of Good Practice for Information Security (SOGP), published by the Information Security Forum (ISF), is a business-focused, practical and comprehensive guide to identifying and managing information security risks in organizations and their supply chains.[1] Show The most recent edition is 2020, an update of the 2018 edition. A 2022 edition is coming. Upon release, the 2011 Standard was the most significant update of the standard for four years. It covers information security 'hot topics' such as consumer devices, critical infrastructure, cybercrime attacks, office equipment, spreadsheets and databases and cloud computing. The 2011 Standard is aligned with the requirements for an Information Security Management System (ISMS) set out in ISO/IEC 27000-series standards, and provides wider and deeper coverage of ISO/IEC 27002 control topics, as well as cloud computing, information leakage, consumer devices and security governance. In addition to providing a tool to enable ISO 27001 certification, the 2011 Standard provides full coverage of COBIT v4 topics, and offers substantial alignment with other relevant standards and legislation such as PCI DSS and the Sarbanes Oxley Act, to enable compliance with these standards too. The Standard is used by Chief Information Security Officers (CISOs), information security managers, business managers, IT managers, internal and external auditors, IT service providers in organizations of all sizes. The 2018 Standard is available free of charge to members of the ISF. Non-members are able to purchase a copy of the standard directly from the ISF. Organization[edit]The Standard has historically been organized into six categories, or aspects. Computer Installations and Networks address the underlying IT infrastructure on which Critical Business Applications run. The End-User Environment covers the arrangements associated with protecting corporate and workstation applications at the endpoint in use by individuals. Systems Development deals with how new applications and systems are created, and Security Management addresses high-level direction and control. The Standard is now primarily published in a simple "modular" format that eliminates redundancy. For example, the various sections devoted to security audit and review have been consolidated. AspectFocusTarget audienceIssues probedScope and coverageSecurity Management (enterprise-wide)Security management at enterprise level.The target audience of the SM aspect will typically include:The commitment provided by top management to promoting good information security practices across the enterprise, along with the allocation of appropriate resources.Security management arrangements within:
The six aspects within the Standard are composed of a number of areas, each covering a specific topic. An area is broken down further into sections, each of which contains detailed specifications of information security best practice. Each statement has a unique reference. For example, SM41.2 indicates that a specification is in the Security Management aspect, area 4, section 1, and is listed as specification #2 within that section. The Principles and Objectives part of the Standard provides a high-level version of the Standard, by bringing together just the principles (which provide an overview of what needs to be performed to meet the Standard) and objectives (which outline the reason why these actions are necessary) for each section. The published Standard also includes an extensive topics matrix, index, introductory material, background information, suggestions for implementation, and other information. See also[edit]See Category:Computer security for a list of all computing and information-security related articles. What is the ISF standard of good practice?The Standard of Good Practice for Information Security (SOGP), published by the Information Security Forum (ISF), is a business-focused, practical and comprehensive guide to identifying and managing information security risks in organizations and their supply chains.
How often is ISF Standard of Good Practice updated?One of its main products for members is the Standard of Good Practice which is updated annually. The Standard of Good Practice is a risk and control framework for managing cybersecurity for which the underlying risk management is the ISF Risk Assessment Methodology or IRAM.
What is ISF in cyber security?The ISF's Information Security Status Survey (the Survey) is a comprehensive Risk Management tool that evaluates a wide range of security controls used by organizations to control the business risks associated with their IT-based information systems.
Which membership based Organisation produces international standards which cover good practice for information assurance?Published by ISO (the International Organization for Standardization) and the IEC (International Electrotechnical Commission), the series explains how to implement best-practice information security practices. It does this by setting out ISMS (information security management system) requirements.
|