HOME

TheInfoList



OR:

The Standard of Good Practice for Information Security (SOGP), published by the
Information Security Forum The Information Security Forum (ISF) is an independent information security body. Primary deliverables The ISF delivers a range of content, activities, and tools. The ISF is a paid membership organisation: all its products and services are inc ...
(ISF), is a business-focused, practical and comprehensive guide to identifying and managing
information security Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorize ...
risks in organizations and their supply chains. The most recent edition is 2020, an update of the 2018 edition. A 2022 edition is coming. Upon release, the 2011 Standard was the most significant update of the standard for four years. It covers information security 'hot topics' such as consumer devices, critical infrastructure, cybercrime attacks, office equipment, spreadsheets and databases and cloud computing. The 2011 Standard is aligned with the requirements for an
Information Security Management System Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. The core ...
(ISMS) set out in
ISO/IEC 27000-series The ISO/IEC 27000-series (also known as the 'ISMS Family of Standards' or 'ISO27K' for short) comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechn ...
standards, and provides wider and deeper coverage of
ISO/IEC 27002 ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled ''Information security, cybersecurity and privacy protect ...
control topics, as well as cloud computing, information leakage, consumer devices and security governance. In addition to providing a tool to enable ISO 27001 certification, the 2011 Standard provides full coverage of
COBIT COBIT (Control Objectives for Information and Related Technologies) is a framework created by ISACA for information technology (IT) management and IT governance. The framework is business focused and defines a set of generic processes for the ma ...
v4 topics, and offers substantial alignment with other relevant standards and legislation such as
PCI DSS The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card scheme, card brands. The standard is administered by the Payment Card Industry Security Standards Council a ...
and the Sarbanes Oxley Act, to enable compliance with these standards too. The Standard is used by Chief Information Security Officers (CISOs), information security managers, business managers, IT managers, internal and external auditors, IT service providers in organizations of all sizes. The 2018 Standard is available free of charge to members of the ISF. Non-members are able to purchase a copy of the standard directly from the ISF.


Organization

The Standard has historically been organized into six categories, or ''aspects''. Computer Installations and Networks address the underlying
IT infrastructure Information technology infrastructure is defined broadly as a set of information technology (IT) components that are the foundation of an IT service; typically physical components (computer and networking hardware and facilities), but also variou ...
on which Critical Business Applications run. The End-User Environment covers the arrangements associated with protecting corporate and workstation applications at the endpoint in use by individuals. Systems Development deals with how new applications and systems are created, and Security Management addresses high-level direction and control. The Standard is now primarily published in a simple "modular" format that eliminates redundancy. For example, the various sections devoted to security audit and review have been consolidated. {, class="wikitable" , -valign="bottom" !width=10%, Aspect !width=15%, Focus !width=27%, Target audience !width=17%, Issues probed !width=31%, Scope and coverage , -valign="top" ! Security Management (enterprise-wide) , Security management at enterprise level. , The target audience of the SM aspect will typically include: * Heads of
information security Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorize ...
functions * Information security managers (or equivalent) * IT auditors , The commitment provided by top management to promoting good information security practices across the enterprise, along with the allocation of appropriate resources. , Security management arrangements within: * A group of companies (or equivalent) * Part of a group (e.g. subsidiary company or a business unit) * An individual organization (e.g. a company or a government department) , -valign="top" ! Critical Business Applications , A business application that is critical to the success of the enterprise. , The target audience of the CB aspect will typically include: * Owners of business applications * Individuals in charge of business processes that are dependent on applications * Systems integrators * Technical staff, such as members of an application support team. , The security requirements of the application and the arrangements made for identifying
risks In simple terms, risk is the possibility of something bad happening. Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environme ...
and keeping them within acceptable levels. , Critical business applications of any: * Type (including transaction processing, process control, funds transfer, customer service, and workstation applications) * Size (e.g. applications supporting thousands of users or just a few) , -valign="top" ! Computer Installations , A computer installation that supports one or more business applications. , The target audience of the CI aspect will typically include: * Owners of computer installations * Individuals in charge of running
data center A data center (American English) or data centre (British English)See spelling differences. is a building, a dedicated space within a building, or a group of buildings used to house computer systems and associated components, such as telecommunic ...
s * IT managers * Third parties that operate computer installations for the organization * IT auditors , How requirements for computer services are identified; and how the computers are set up and run in order to meet those requirements. , Computer installations: * Of all sizes (including the largest mainframe,
server Server may refer to: Computing *Server (computing), a computer program or a device that provides functionality for other programs or devices, called clients Role * Waiting staff, those who work at a restaurant or a bar attending customers and su ...
-based systems, and groups of workstations) * Running in specialized environments (e.g. a purpose-built data center), or in ordinary working environments (e.g. offices, factories, and warehouses) , -valign="top" ! Networks , A
network Network, networking and networked may refer to: Science and technology * Network theory, the study of graphs as a representation of relations between discrete objects * Network science, an academic field that studies complex networks Mathematics ...
that supports one or more business applications , The target audience of the NW aspect will typically include: * Heads of specialist network functions * Network managers * Third parties that provide network services (e.g.
Internet service providers An Internet service provider (ISP) is an organization that provides services for accessing, using, or participating in the Internet. ISPs can be organized in various forms, such as commercial, community-owned, non-profit, or otherwise privatel ...
) * IT
auditors An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon.” Auditing ...
, How requirements for network services are identified; and how the networks are set up and run in order to meet those requirements. , Any type of communications network, including: *
Wide area network A wide area network (WAN) is a telecommunications network that extends over a large geographic area. Wide area networks are often established with leased telecommunication circuits. Businesses, as well as schools and government entities, us ...
s (WANs) or
local area networks A local area network (LAN) is a computer network that interconnects computers within a limited area such as a residence, school, laboratory, university campus or office building. By contrast, a wide area network (WAN) not only covers a larger ...
(LANs) * Large scale (e.g. enterprise-wide) or small scale (e.g. an individual department or business unit) * Those based on Internet technology such as intranets or
extranets An extranet is a controlled private network that allows access to partners, vendors and suppliers or an authorized set of customers – normally to a subset of the information accessible from an organization's intranet. An extranet is similar to ...
* Voice, data, or integrated , -valign="top" ! Systems Development , A
systems development In software engineering, a software development process is a process of dividing software development work into smaller, parallel, or sequential steps or sub-processes to improve design, product management. It is also known as a software devel ...
unit or department, or a particular systems development project. , The target audience of the SD aspect will typically include * Heads of systems development functions * System developers * IT auditors , How business requirements (including information security requirements) are identified; and how systems are designed and built to meet those requirements. , Development activity of all types, including: * Projects of all sizes (ranging from many worker-years to a few worker-days) * Those conducted by any type of developer (e.g. specialist units or departments, outsourcers, or business users) * Those based on tailor-made software or application packages , -valign="top" ! End User Environment , An environment (e.g. a business unit or department) in which individuals use corporate business applications or critical workstation applications to support business processes. , The target audience of the UE aspect will typically include: * Business managers * Individuals in the end-user environment * Local information-security coordinators * Information-security managers (or equivalent) , The arrangements for user education and
awareness Awareness is the state of being conscious of something. More specifically, it is the ability to directly know and perceive, to feel, or to be cognizant of events. Another definition describes it as a state wherein a subject is aware of some inform ...
; use of corporate business applications and critical workstation applications; and the protection of information associated with
mobile computing Mobile computing is human–computer interaction in which a computer is expected to be transported during normal usage, which allows for the transmission of data, voice, and video. Mobile computing involves mobile communication, mobile hardware ...
. , End-user environments: * Of any type (e.g. corporate department, general business unity, factory floor, or
call center A call centre ( Commonwealth spelling) or call center (American spelling; see spelling differences) is a managed capability that can be centralised or remote that is used for receiving or transmitting a large volume of enquiries by telephone. ...
) * Of any size (e.g. several individuals to groups of hundreds or thousands) * That include individuals with varying degrees of IT skills and awareness of information security. The six aspects within the Standard are composed of a number of ''areas'', each covering a specific topic. An area is broken down further into ''sections'', each of which contains detailed specifications of
information security Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorize ...
best practice. Each statement has a unique reference. For example, SM41.2 indicates that a specification is in the Security Management aspect, area 4, section 1, and is listed as specification No. 2 within that section. The Principles and Objectives part of the Standard provides a high-level version of the Standard, by bringing together just the ''principles'' (which provide an overview of what needs to be performed to meet the Standard) and ''objectives'' (which outline the reason why these actions are necessary) for each section. The published Standard also includes an extensive topics matrix, index, introductory material, background information, suggestions for implementation, and other information.


See also

''See :Computer security for a list of all computing and information-security related articles''. *
Cyber security standards IT security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all ...
*
Information Security Forum The Information Security Forum (ISF) is an independent information security body. Primary deliverables The ISF delivers a range of content, activities, and tools. The ISF is a paid membership organisation: all its products and services are inc ...
*
COBIT COBIT (Control Objectives for Information and Related Technologies) is a framework created by ISACA for information technology (IT) management and IT governance. The framework is business focused and defines a set of generic processes for the ma ...
*
Committee of Sponsoring Organizations of the Treadway Commission The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an organization that develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence. In 1992 (and subsequently re-released in 20 ...
(COSO) *
ISO 17799 ISO is the most common abbreviation for the International Organization for Standardization. ISO or Iso may also refer to: Business and finance * Iso (supermarket), a chain of Danish supermarkets incorporated into the SuperBest chain in 2007 * Iso ...
*
ISO/IEC 27002 ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled ''Information security, cybersecurity and privacy protect ...
*
ITIL The Information Technology Infrastructure Library (ITIL) is a set of detailed practices for IT activities such as IT service management (ITSM) and IT asset management (ITAM) that focus on aligning IT services with the needs of business. ITIL de ...
*
Payment Card Industry Data Security Standard The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council and its use i ...
(PCI DSS) *
Basel III Basel III is the third Basel Accord, a framework that sets international standards for bank capital adequacy, stress testing, and liquidity requirements. Augmenting and superseding parts of the Basel II standards, it was developed in response to ...
*
Cloud Security Alliance Cloud Security Alliance (CSA) is a not-for-profit organization with the mission to “promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure ...
(CSA) for
cloud computing security Cloud computing security or, more simply, cloud security refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud com ...


References


Know all about ISO 27000 Standards


External links


The Standard of Good Practice
*Th
Information Security Forum
Computer security standards Cybercrime in the United Kingdom Data security Information technology in the United Kingdom Risk analysis