ISF STANDARD
About the Standard
The Standard of Good Practice for Information Security (the Standard) has been
produced by the Information Security Forum (ISF), an international association of
over 260 leading organisations which fund and co-operate in the development of a
practical research programme in information security. During the last 16 years the ISF
has spent more than US$75 million providing authoritative material to its Members.
The ISF’s work probably represents the most comprehensive and integrated set of
material anywhere in the world in the area of information risk management.
The Standard of Good Practice is a key deliverable from the ISF’s extensive work
programme. It has been developed and enhanced over a number of years and has
benefited from the results of the many projects run by the ISF.
As the ISF is a membership organisation, ISF reports are normally for the exclusive
use of ISF Members. However, the ISF has agreed to make The Standard of Good
Practice available to non-Members with the objectives of:
The Standard has been developed using a proven methodology to produce the
international benchmark for information security. The Standard is updated regularly,
refining proven practices and addressing ‘hot topics’.
The ISF runs a comprehensive Information Security Status Survey that enables
Members to gain a clear picture of their organisation’s performance across all aspects
of information security. The Survey provides a practical, automated tool with which a
Member organisation can measure the effectiveness of their information security
arrangements, compare them with those of other leading organisations, and assess
how well they are performing against The Standard of Good Practice.
The Standard addresses information security from a business perspective, providing a practical basis for assessing an organisation’s information security arrangements. It focuses on the arrangements that should be made by leading organisations to keep the business risks associated with critical information systems under control in today’s dynamic and competitive environment.

The Standard is designed to present organisations with a challenging but achievable target against which they can measure their performance.
Improvements incorporated in this version
This version of the Standard (Version 4.0 - March 2003, updated to version 4.1 - January 2005) provides improvements that include the following:
A - Additional sections on key topics covering:
In order to maintain consistency with previous versions, the look and feel of
the document has been retained. Furthermore, the vast majority of the text
remains unchanged.
Target audience
The Standard is aimed at major national and international organisations that recognise that information security is a key business issue. However, the Standard will also be of real, practical use to any type of organisation, such as a small- to medium-sized enterprise.

The Standard can add value to any organisation irrespective of market sector, size or structure.

Good practice detailed in the Standard will typically be incorporated into an organisation’s information security arrangements by a range of key individuals including:
Table 1: How ISF Members rated drivers for a security management standard
Driver
When looking at the ‘high’ and ‘very high’ ratings made in the
survey, the ‘major drivers’ received significant support from
Members. The ‘important’ and ‘other’ categories – while rated
slightly lower – also received significant support.
Part 2
Basis for the Standard
The ISF Standard was first released in 1996. It has been developed and enhanced every two years, using a proven methodology, to produce the international standard for information security. It is based on the extensive knowledge of ISF Members and on the expertise of a full-time ISF Management Team. Other international and national standards (such as ISO 17799) and the results of earlier ISF Information Security Status Surveys were also used as sources of information.
[Figure: sources used in developing the Standard: ISF projects, practical experience of ISF Members, the ISF Management Team, international and national standards, and Status Survey results analysis]
Design and development criteria
The Standard has been tested to ensure that it conforms with ten design and development criteria which should apply to any security management standard.
These criteria, along with a brief assessment of how the Standard meets them, are set out in Table 2 below.
Table 2: How the Standard conforms with design and development criteria
1 Covers all key issues: Addresses all security matters in five self-contained aspects.
2 Is complete: Exhaustive in its coverage of the topic of information security and is consistent and even in the level of detail it offers.
3 Includes latest developments and ‘hot topics’: Brought fully up-to-date every two years; this version addressing topics such as broadband and wireless communications, PDAs, intrusion detection and forensics.
4 Has an easy-to-understand structure and layout: Laid out in a clear tabular manner, supported by a topics matrix (cross-reference) and an index.
5 Is clear and unambiguous: Uses only simple words and accepted technical terms, and is reviewed by ISF Members who do not have English as their first language.
6 Provides sufficient detail to be practical: Provides a consistent level of detail that forms the basis for easy and straightforward application.
7 Is applicable to any organisation: Designed with large organisations in mind, but is equally applicable to individual business units as well as small- to medium-sized enterprises.
8 Is achievable in practice: Sets a proven achievable target which every organisation should be capable of reaching.
9 Forms the basis for the measurement of performance: Expressed in a way which makes measurement simple and straightforward.
10 Is easy-to-use: Designed and laid out in a format – using a simple numbering system – which security professionals of any level of experience can apply easily in practice.
A risk analysis would typically be used to identify the need for additional
controls in particular areas, over and above those specified in the Standard.
Setting an effective standard
The design and development criteria – along with the drivers outlined earlier in this part – underpinned the process used for producing the Standard. The Standard of Good Practice is therefore driven by a set of real-world principles which focus on meeting commercial needs in order to produce accurate and clear statements of good practice.
Part 3
Getting the best out of the Standard
The main sections of The Standard of Good Practice provide a set of high-level principles and objectives for information security together with associated statements of good practice. They can be used to improve the level of security in an organisation in a number of ways. For example, an organisation can use the Standard to:
Technical standards/procedures
In some areas organisations will wish to draw up more detailed standards/procedures to support the Standard. These are often of a technical nature, covering topics such as:
• Windows 2003
• Virus protection
• Instant Messaging
• Patch Management
• Web server security.
Measuring performance against the Standard
Although The Standard of Good Practice specifies what should be done, organisations will often want to know how well they are performing against the Standard. Through their membership, ISF Members can take advantage of the ISF’s Information Security Status Survey, which allows an organisation to make a quantitative and comprehensive assessment of how well they conform with the Standard.
For information about the Survey or the ISF, please contact the ISF
Management Team on standard@securityforum.org
[Figure: the five aspects of the Standard: Security Management, Critical Business Applications, IT Facilities (Computer Installations and Networks) and Systems Development]
Columns: Aspect of security; Focus; Issues probed; Scope and coverage.

Security Management (enterprise-wide)
Focus: Security management at enterprise level.
Issues probed: The commitment provided by top management to promoting good information security practices across the enterprise, along with the allocation of appropriate resources.
Scope and coverage: The status of security management within:
• a group of companies (or equivalent)
• part of a group (eg subsidiary company or a business unit)
• an individual organisation (eg a company or a government department).

Critical Business Applications
Focus: A business application that is critical to the success of the enterprise.
Issues probed: The security requirements of the application and the arrangements made for identifying risks and keeping them within acceptable levels.
Scope and coverage: The status of critical business applications of any:
• type (including transaction processing, process control, funds transfer, customer service and desktop applications)
• size (eg applications supporting thousands of users or just a few).

Networks (‘Communications Networks’ in previous versions)
Focus: A network that supports one or more business applications.
Issues probed: How requirements for network services are identified and how the networks are set up and run in order to meet those requirements.
Scope and coverage: Any type of communications network including:
• wide area networks (WAN) or local area networks (LAN)
• large scale (eg enterprise-wide) or small scale (eg an individual department or business unit)
• those based on Internet technology such as intranets or extranets
• voice, data or integrated.

Systems Development
Focus: A systems development unit/department or a particular systems development project.
Issues probed: How business requirements (including information security requirements) are identified and how systems are designed and built to meet those requirements.
Scope and coverage: The status of developments of all types, including:
• projects of all sizes (ranging from many man-years to a few man-days)
• those conducted by any type of developer (eg specialist unit/departments, outsourced or business users)
• those based on tailor-made software or application packages.
Part 4
Structure of the Standard
The five aspects within the Standard are composed of a number of areas, each covering a specific topic. An area is broken down further into a set of sections.
[Figure: structure of an aspect (eg a Critical Business Application): areas broken down into sections (Section 1.1, 1.2, 1.3, 2.1, 3.1, 3.2), each containing Statements of Good Practice, cross-referenced by the Topics matrix]
Some sections within the Standard (eg change management and risk
analysis) appear more than once, as each aspect is designed to be complete
‘in its own right’ and must therefore cover certain essential factors.
Understanding the layout of the Standard
For each aspect and area presented in the main sections of this document, a brief introduction is provided which encapsulates their importance and the main issues involved.
The Standard in practice
An examination of the main sections of The Standard of Good Practice will show that it covers the entire spectrum of arrangements that need to be made to keep the business risks associated with information systems within acceptable limits. It is a major tool in improving the quality and efficiency of security controls applied by an organisation.
What has been updated?
Much of the Standard produced in version 4.0 in March 2003 is still appropriate and valid, so much of it remains unchanged. The areas that have been updated are those that have been the subject of additional research and investigation, or reflect good practices employed by ISF Members for key topics.
The key findings from this research form the main basis for updates.
Additionally, feedback from the results of the ISF’s Information Security
Status Survey has been incorporated. Where possible, single word changes
that have been requested for typographical reasons have been avoided, unless
they change the meaning of a sentence. A summary of the changes can be
found on the following pages.
Only pages that have changed have been reissued. Old pages should
be removed and new pages inserted in the appropriate section.
Appendix A
Computer Installations
Networks
Systems Development
SD5 Testing
SD5.1 Testing process None.
SD5.2 Acceptance testing None.
SD6 Implementation
SD6.1 System promotion criteria None.
SD6.2 Installation process None.
SD6.3 Post implementation review None.