Standard of Good Practice
The Standard of Good Practice for Information Security (SOGP), published by the Information Security Forum (ISF), is a business-focused, practical and comprehensive guide to identifying and managing information security risks in organizations and their supply chains. The most recent edition is 2020, an update of the 2018 edition. A 2022 edition is coming. Upon release, the 2011 Standard was the most significant update of the standard for four years. It covers information security 'hot topics' such as consumer devices, critical infrastructure, cybercrime attacks, office equipment, spreadsheets and databases, and cloud computing. The 2011 Standard is aligned with the requirements for an Information Security Management System (ISMS) set out in the ISO/IEC 27000-series standards, and provides wider and deeper coverage of ISO/IEC 27002 control topics, as well as cloud computing, information leakage, consumer devices and security governance. In addition to providing a tool to enable ISO 27001 certification, the 2011 Standard provides full coverage of COBIT v4 topics, and offers substantial alignment with other relevant standards and legislation such as PCI DSS and the Sarbanes-Oxley Act, to enable compliance with these standards too. The Standard is used by Chief Information Security Officers (CISOs), information security managers, business managers, IT managers, internal and external auditors, and IT service providers in organizations of all sizes. The 2018 Standard is available free of charge to members of the ISF. Non-members are able to purchase a copy of the standard directly from the ISF.


Organization

The Standard has historically been organized into six categories, or ''aspects''. Computer Installations and Networks address the underlying IT infrastructure on which Critical Business Applications run. The End-User Environment covers the arrangements associated with protecting corporate and workstation applications at the endpoint in use by individuals. Systems Development deals with how new applications and systems are created, and Security Management addresses high-level direction and control. The Standard is now primarily published in a simple "modular" format that eliminates redundancy. For example, the various sections devoted to security audit and review have been consolidated.

The six aspects, with their focus, target audience, the issues probed and their scope and coverage:

Security Management (enterprise-wide)
* Focus: Security management at enterprise level.
* Target audience: The target audience of the SM aspect will typically include heads of information security functions; information security managers (or equivalent); IT auditors.
* Issues probed: The commitment provided by top management to promoting good information security practices across the enterprise, along with the allocation of appropriate resources.
* Scope and coverage: Security management arrangements within a group of companies (or equivalent); part of a group (e.g. a subsidiary company or a business unit); an individual organization (e.g. a company or a government department).

Critical Business Applications
* Focus: A business application that is critical to the success of the enterprise.
* Target audience: The target audience of the CB aspect will typically include owners of business applications; individuals in charge of business processes that are dependent on applications; systems integrators; technical staff, such as members of an application support team.
* Issues probed: The security requirements of the application and the arrangements made for identifying risks and keeping them within acceptable levels.
* Scope and coverage: Critical business applications of any type (including transaction processing, process control, funds transfer, customer service, and workstation applications) and of any size (e.g. applications supporting thousands of users or just a few).

Computer Installations
* Focus: A computer installation that supports one or more business applications.
* Target audience: The target audience of the CI aspect will typically include owners of computer installations; individuals in charge of running data centers; IT managers; third parties that operate computer installations for the organization; IT auditors.
* Issues probed: How requirements for computer services are identified, and how the computers are set up and run in order to meet those requirements.
* Scope and coverage: Computer installations of all sizes (including the largest mainframe, server-based systems, and groups of workstations), running in specialized environments (e.g. a purpose-built data center) or in ordinary working environments (e.g. offices, factories, and warehouses).

Networks
* Focus: A network that supports one or more business applications.
* Target audience: The target audience of the NW aspect will typically include heads of specialist network functions; network managers; third parties that provide network services (e.g. Internet service providers); IT auditors.
* Issues probed: How requirements for network services are identified, and how the networks are set up and run in order to meet those requirements.
* Scope and coverage: Any type of communications network, including wide area networks (WANs) or local area networks (LANs); large scale (e.g. enterprise-wide) or small scale (e.g. an individual department or business unit); those based on Internet technology such as intranets or extranets; voice, data, or integrated.

Systems Development
* Focus: A systems development unit or department, or a particular systems development project.
* Target audience: The target audience of the SD aspect will typically include heads of systems development functions; system developers; IT auditors.
* Issues probed: How business requirements (including information security requirements) are identified, and how systems are designed and built to meet those requirements.
* Scope and coverage: Development activity of all types, including projects of all sizes (ranging from many worker-years to a few worker-days); those conducted by any type of developer (e.g. specialist units or departments, outsourcers, or business users); those based on tailor-made software or application packages.

End User Environment
* Focus: An environment (e.g. a business unit or department) in which individuals use corporate business applications or critical workstation applications to support business processes.
* Target audience: The target audience of the UE aspect will typically include business managers; individuals in the end-user environment; local information-security coordinators; information-security managers (or equivalent).
* Issues probed: The arrangements for user education and awareness; use of corporate business applications and critical workstation applications; and the protection of information associated with mobile computing.
* Scope and coverage: End-user environments of any type (e.g. corporate department, general business unit, factory floor, or call center); of any size (e.g. several individuals to groups of hundreds or thousands); that include individuals with varying degrees of IT skills and awareness of information security.

The six aspects within the Standard are composed of a number of ''areas'', each covering a specific topic. An area is broken down further into ''sections'', each of which contains detailed specifications of information security best practice. Each statement has a unique reference. For example, SM41.2 indicates that a specification is in the Security Management aspect, area 4, section 1, and is listed as specification No. 2 within that section. The Principles and Objectives part of the Standard provides a high-level version of the Standard, by bringing together just the ''principles'' (which provide an overview of what needs to be performed to meet the Standard) and ''objectives'' (which outline the reason why these actions are necessary) for each section. The published Standard also includes an extensive topics matrix, index, introductory material, background information, suggestions for implementation, and other information.
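The reference scheme just described (SM41.2 = aspect SM, area 4, section 1, specification 2) is easy to validate mechanically, which matters when SOGP references are hand-copied into control-mapping spreadsheets or audit trackers. The parser below is an added example, not part of the article or of the ISF's own tooling; the six aspect codes come from the table above, while the one-digit widths for area and section and the case normalisation are assumptions drawn from the single example the article gives.

```python
import re
from collections import defaultdict

# Aspect codes and names as listed in the Standard's table of six aspects.
ASPECTS = {
    "SM": "Security Management", "CB": "Critical Business Applications",
    "CI": "Computer Installations", "NW": "Networks",
    "SD": "Systems Development", "UE": "End User Environment",
}

# Two-letter aspect code, one digit each for area and section, a dot, then
# the specification number. One-digit area/section widths are an assumption
# drawn from the single example (SM41.2) given in the article.
_REF = re.compile(r"^(?P<aspect>[A-Z]{2})(?P<area>\d)(?P<section>\d)\.(?P<spec>\d+)$")

def parse_reference(ref: str) -> dict:
    """Split a SOGP reference such as 'SM41.2' into its parts; ValueError on a
    malformed reference or unknown aspect code. Input case is normalised."""
    m = _REF.match(ref.strip().upper())
    if not m:
        raise ValueError(f"malformed SOGP reference: {ref!r}")
    code = m.group("aspect")
    if code not in ASPECTS:
        raise ValueError(f"unknown aspect code {code!r} in {ref!r}")
    return {
        "aspect": code, "aspect_name": ASPECTS[code],
        "area": int(m.group("area")), "section": int(m.group("section")),
        "spec": int(m.group("spec")),
    }

def group_by_section(refs):
    """Group references (e.g. a column from a control-mapping sheet) by
    (aspect, area, section) with spec numbers sorted; bad entries are
    returned separately instead of aborting the whole run."""
    grouped, rejected = defaultdict(list), []
    for ref in refs:
        try:
            p = parse_reference(ref)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        grouped[(p["aspect"], p["area"], p["section"])].append(p["spec"])
    return {k: sorted(v) for k, v in grouped.items()}, rejected

if __name__ == "__main__":
    # Constructed sample input; only SM41.2 is taken from the article.
    print(group_by_section(["SM41.2", "SM41.1", "nw12.3", "CB21.10", "XX11.1", "SM4.1"]))
```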


See also

''See Computer security for a list of all computing and information-security related articles.''
* Cyber security standards
* Information Security Forum
* COBIT
* Committee of Sponsoring Organizations of the Treadway Commission (COSO)
* ISO 17799
* ISO/IEC 27002
* ITIL
* Payment Card Industry Data Security Standard (PCI DSS)
* Basel III
* Cloud Security Alliance (CSA) for cloud computing security




External links


* The Standard of Good Practice
* Information Security Forum