Standard of Good Practice for Information Security

Last updated
The 2011 Standard of Good Practice ISF070501.jpg
The 2011 Standard of Good Practice

The Standard of Good Practice for Information Security (SOGP), published by the Information Security Forum (ISF), is a business-focused, practical and comprehensive guide to identifying and managing information security risks in organizations and their supply chains. [1]

Contents

The most recent edition is 2022, an update of the 2020 edition.

Upon release, the 2011 Standard was the most significant update of the standard for four years. It covers information security 'hot topics' such as consumer devices, critical infrastructure, cybercrime attacks, office equipment, spreadsheets and databases and cloud computing.

The 2011 Standard is aligned with the requirements for an Information Security Management System (ISMS) set out in ISO/IEC 27000-series standards, and provides wider and deeper coverage of ISO/IEC 27002 control topics, as well as cloud computing, information leakage, consumer devices and security governance.

In addition to providing a tool to enable ISO 27001 certification, the 2011 Standard provides full coverage of COBIT v4 topics, and offers substantial alignment with other relevant standards and legislation such as PCI DSS and the Sarbanes Oxley Act, to enable compliance with these standards too.

The Standard is used by Chief Information Security Officers (CISOs), information security managers, business managers, IT managers, internal and external auditors, IT service providers in organizations of all sizes.

The 2018 Standard is available free of charge to members of the ISF. Non-members are able to purchase a copy of the standard directly from the ISF.

Organization

The Standard has historically been organized into six categories, or aspects. Computer Installations and Networks address the underlying IT infrastructure on which Critical Business Applications run. The End-User Environment covers the arrangements associated with protecting corporate and workstation applications at the endpoint in use by individuals. Systems Development deals with how new applications and systems are created, and Security Management addresses high-level direction and control.

The Standard is now primarily published in a simple "modular" format that eliminates redundancy. For example, the various sections devoted to security audit and review have been consolidated.

AspectFocusTarget audienceIssues probedScope and coverage
Security Management (enterprise-wide)Security management at enterprise level.The target audience of the SM aspect will typically include: The commitment provided by top management to promoting good information security practices across the enterprise, along with the allocation of appropriate resources.Security management arrangements within:
  • A group of companies (or equivalent)
  • Part of a group (e.g. subsidiary company or a business unit)
  • An individual organization (e.g. a company or a government department)
Critical Business ApplicationsA business application that is critical to the success of the enterprise.The target audience of the CB aspect will typically include:
  • Owners of business applications
  • Individuals in charge of business processes that are dependent on applications
  • Systems integrators
  • Technical staff, such as members of an application support team.
The security requirements of the application and the arrangements made for identifying risks and keeping them within acceptable levels.Critical business applications of any:
  • Type (including transaction processing, process control, funds transfer, customer service, and workstation applications)
  • Size (e.g. applications supporting thousands of users or just a few)
Computer InstallationsA computer installation that supports one or more business applications.The target audience of the CI aspect will typically include:
  • Owners of computer installations
  • Individuals in charge of running data centers
  • IT managers
  • Third parties that operate computer installations for the organization
  • IT auditors
How requirements for computer services are identified; and how the computers are set up and run in order to meet those requirements.Computer installations:
  • Of all sizes (including the largest mainframe, server-based systems, and groups of workstations)
  • Running in specialized environments (e.g. a purpose-built data center), or in ordinary working environments (e.g. offices, factories, and warehouses)
NetworksA network that supports one or more business applicationsThe target audience of the NW aspect will typically include: How requirements for network services are identified; and how the networks are set up and run in order to meet those requirements.Any type of communications network, including:
Systems DevelopmentA systems development unit or department, or a particular systems development project.The target audience of the SD aspect will typically include
  • Heads of systems development functions
  • System developers
  • IT auditors
How business requirements (including information security requirements) are identified; and how systems are designed and built to meet those requirements.Development activity of all types, including:
  • Projects of all sizes (ranging from many worker-years to a few worker-days)
  • Those conducted by any type of developer (e.g. specialist units or departments, outsourcers, or business users)
  • Those based on tailor-made software or application packages
End User EnvironmentAn environment (e.g. a business unit or department) in which individuals use corporate business applications or critical workstation applications to support business processes.The target audience of the UE aspect will typically include:
  • Business managers
  • Individuals in the end-user environment
  • Local information-security coordinators
  • Information-security managers (or equivalent)
The arrangements for user education and awareness; use of corporate business applications and critical workstation applications; and the protection of information associated with mobile computing.End-user environments:
  • Of any type (e.g. corporate department, general business unity, factory floor, or call center)
  • Of any size (e.g. several individuals to groups of hundreds or thousands)
  • That include individuals with varying degrees of IT skills and awareness of information security.

The six aspects within the Standard are composed of a number of areas, each covering a specific topic. An area is broken down further into sections, each of which contains detailed specifications of information security best practice. Each statement has a unique reference. For example, SM41.2 indicates that a specification is in the Security Management aspect, area 4, section 1, and is listed as specification No. 2 within that section.

The Principles and Objectives part of the Standard provides a high-level version of the Standard, by bringing together just the principles (which provide an overview of what needs to be performed to meet the Standard) and objectives (which outline the reason why these actions are necessary) for each section.

The published Standard also includes an extensive topics matrix, index, introductory material, background information, suggestions for implementation, and other information.

See also

See Category:Computer security for a list of all computing and information-security related articles.

Related Research Articles

Information technology service management (ITSM) are the activities performed by an organization to design, build, deliver, operate and control information technology (IT) services offered to customers.

BS 7799 was a British standard "Code of Practice for Information Security Management", first published as such by the British Standards Institution (BSI) in February 1995. Read about the origins of BS 7799 here.

COBIT is a framework created by ISACA for information technology (IT) management and IT governance.

Information security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

The Information Security Forum (ISF) is an independent information security body.

ISO/IEC 27000 is one of the ISO/IEC technical standards in the ISO/IEC 27000 series of Information Security Management Systems (ISMS)-related standards. The formal title for ISO/IEC 27000 is Information technology — Security techniques — Information security management systems — Overview and vocabulary.

Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. The core of ISM includes information risk management, a process that involves the assessment of the risks an organization must deal with in the management and protection of assets, as well as the dissemination of the risks to all appropriate stakeholders. This requires proper asset identification and valuation steps, including evaluating the value of confidentiality, integrity, availability, and replacement of assets. As part of information security management, an organization may implement an information security management system and other best practices found in the ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27035 standards on information security.

ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled Information security, cybersecurity and privacy protection — Information security controls.

The ISO/IEC 27000-series comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

ISO/IEC 27006 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Part of the ISO/IEC 27000 series of ISO/IEC Information Security Management System (ISMS) standards, it is titled Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems.

ISO/IEC 27005 "Information technology — Security techniques — Information security risk management" is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) providing good practice guidance on managing risks to information. It is a core part of the ISO/IEC 27000-series of standards, commonly known as ISO27k.

<span class="mw-page-title-main">IT risk management</span>

IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:

ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC JTC 1/SC 27 develops International Standards, Technical Reports, and Technical Specifications within the field of information security. Standardization activity by this subcommittee includes general methods, management system requirements, techniques and guidelines to address information security, cybersecurity and privacy. Drafts of International Standards by ISO/IEC JTC 1 or any of its subcommittees are sent out to participating national standardization bodies for ballot, comments and contributions. Publication as an ISO/IEC International Standard requires approval by a minimum of 75% of the national bodies casting a vote. The international secretariat of ISO/IEC JTC 1/SC 27 is the Deutsches Institut für Normung (DIN) located in Germany.

ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. The effectiveness of the ISO/IEC 27001 certification process and the overall standard has been addressed in a large-scale study conducted in 2020.

A Master of Science in Information Assurance is a type of postgraduate academic master's degree awarded by universities in many countries. This degree is typically studied for in information assurance.

ISO/IEC 27040 is part of a growing family of International Standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in the area of security techniques; the standard is being developed by Subcommitee 27 (SC27) - IT Security techniques of the first Joint Technical Committee 1 of the ISO/IEC. A major element of SC27's program of work includes International Standards for information security management systems (ISMS), often referred to as the 'ISO/IEC 27000-series'.

Storage security is a specialty area of security that is concerned with securing data storage systems and ecosystems and the data that resides on these systems.

ISO/IEC 27017 is a security standard developed for cloud service providers and users to make a safer cloud-based environment and reduce the risk of security problems. It was published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is part of the ISO/IEC 27000 family of standards, standards which provides best practice recommendations on information security management. This standard was built from ISO/IEC 27002, suggesting additional security controls for the cloud which were not completely defined in ISO/IEC 27002.

ISO/IEC 27018 is a security standard part of the ISO/IEC 27000 family of standards. It was the first international standard about the privacy in cloud computing services which was promoted by the industry. It was created in 2014 as an addendum to ISO/IEC 27001, the first international code of practice for cloud privacy. It helps cloud service providers who process personally identifiable information (PII) to assess risk and implement controls for protecting PII. It was published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.

References

Know all about ISO 27000 Standards

  1. "Standard of Good Practice for Information Security 2020". Information Security Forum. Retrieved 2021-09-04.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.