
Information Security Forum (ISF)

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit organisation that supplies authoritative opinion and guidance on all aspects of information security. The ISF delivers practical solutions to overcome wide-ranging security challenges impacting business information today.


The Standard of Good Practice for Information Security is the foremost authority on information security. The Standard is developed from research and the actual practices of and incidents experienced by major organizations, incorporating the ISF's extensive research, comprehensive benchmarking program, analysis of other standards and prevailing practices, and the direct feedback from and active involvement of ISF members.

The Standard addresses information security from a business perspective, providing a practical basis for assessing an organisation’s information security arrangements. It contains a broad range of features, covering the entire spectrum of arrangements that need to be made to keep the business risks associated with information systems within acceptable limits. As a result, it is a major tool for improving the quality and efficiency of the information security controls applied by an organisation.

Standard organisation

The Standard is organised into six categories, called aspects.

Each aspect has a focus (the kind of target it covers) and a set of issues (what the Standard examines for that target).

SM • Security Management (enterprise-wide)
  Focus: Security management at enterprise level.
  Issues: The commitment provided by top management to promoting good information security practices across the enterprise, along with the allocation of appropriate resources.

CB • Critical Business Applications
  Focus: A business application that is critical to the success of the enterprise.
  Issues: The security requirements of the application and the arrangements made for identifying risks and keeping them within acceptable levels.

CI • Computer Installations
  Focus: A computer installation that supports one or more business applications.
  Issues: How requirements for computer services are identified; and how the computers are set up and run in order to meet those requirements.

NW • Networks
  Focus: A network that supports one or more business applications.
  Issues: How requirements for network services are identified; and how the networks are set up and run in order to meet those requirements.

SD • Systems Development
  Focus: A systems development unit or department, or a particular systems development project.
  Issues: How business requirements (including information security requirements) are identified; and how systems are designed and built to meet those requirements.

UE • End User Environment
  Focus: An environment (e.g. a business unit or department) in which individuals use corporate business applications or critical workstation applications to support business processes.
  Issues: The arrangements for user education and awareness; use of corporate business applications and critical workstation applications; and the protection of information associated with mobile computing.

The six aspects within the Standard are composed of a number of areas, each covering a specific topic. An area is broken down further into sections, each of which contains detailed specifications of information security best practice. Each statement has a unique reference, so that individual controls can be cited and assessed. The areas of each aspect are listed below.

Target audience

The Standard is aimed at major national and international organisations that recognise information security as a key business issue. However, the Standard will also be of real, practical use to any type of organisation, such as a small- to medium-sized enterprise.

SM • Security Management (Enterprise Wide)

SM1 High-level direction
SM2 Security organisation
SM3 Security requirements
SM4 Secure environment
SM5 Malicious attack
SM6 Special topics
SM7 Management review

CB • Critical Business Applications

CB1 Business requirements for security
CB2 Application management
CB3 User environment
CB4 System management
CB5 Local security management
CB6 Special topics

CI • Computer Installations

CI1 Installation management
CI2 Live environment
CI3 System operation
CI4 Access control
CI5 Local security management
CI6 Service continuity

NW • Networks

NW1 Network management
NW2 Traffic management
NW3 Network operations
NW4 Local security management
NW5 Voice networks

SD • Systems Development

SD1 Development management
SD2 Local security management
SD3 Business requirements
SD4 Design and build
SD5 Testing
SD6 Implementation

UE • User Environment

UE1 Local security management
UE2 Corporate business applications
UE3 Desktop applications
UE4 Computing devices
UE5 Electronic communications
UE6 Environment management

Website: ISF
