Information Security Forum
Organization in the United Kingdom
From Wikipedia, the free encyclopedia
The Information Security Forum (ISF) is an independent information security body.
Activities and publications
The ISF delivers a range of content, activities, and tools. It is a paid membership organisation: all its products and services are included in the membership fee. From time to time, the ISF makes research documents and other papers available to non-members.
Standard of Good Practice
The ISF released the updated Standard of Good Practice for Information Security in 2018. The 2018 version builds upon the 2016 release and includes updated controls, approaches, and developments in information security.
The standard is intended to help organisations manage information security risks.[1]
The 2016 standard covers current information security topics such as threat intelligence, cyber attack protection, and industrial control systems, as well as significant enhancement of existing topics including Information Risk Assessment, Security Architecture and Enterprise Mobility Management. It can be used to build a framework for developing an information security management system. In addition to covering information security-related standards such as COBIT 5 for Information Security and the CIS Critical Security Controls for Effective Cyber Defense, the 2016 standard covers ISO/IEC 27002 as well as PCI DSS 3.1 and the NIST Cybersecurity Framework.
In 2014, Infosecurity Magazine reported that the ISF had mapped its Standard of Good Practice to the NIST Cybersecurity Framework, providing a reference point for organizations seeking to align with NIST control objectives. According to the article, the ISF standard also addresses additional topics such as information security governance, supply chain management, data privacy, and mobile device security, and is updated annually based on member feedback, benchmarking, and developments in global legislation and standards.[2]
A 2013 report commissioned by the UK Department for Business, Innovation and Skills identified the ISF’s Standard of Good Practice for Information Security as a widely used cyber security standard. According to the report, it “covers the complete spectrum of information security arrangements that need to be made to keep the business risks associated with information systems within acceptable limits, and presents good practice in practical, clear statements”.[3]
In a 2006 report, Carnegie Mellon University's Software Engineering Institute described the ISF as an international association of over 280 organizations that cooperate on practical research in information security. The report noted that the ISF’s Standard of Good Practice for Information Security is a guideline organized into six aspects: security management, critical business applications, computer installations, networks, systems development, and end user environment. Each aspect includes multiple areas and detailed practices.[4]
Research projects
Based on member input, the ISF selects a number of topics for research in a given year. The research includes interviewing member and non-member organizations and thought leaders, academic researchers, and other key individuals, as well as examining a range of approaches to the issue. The resulting reports typically go into depth describing the issue generally, outlining the key information security issues to be considered, and proposing a process to address the issue, based on best practices.
In 2020, Security Magazine reported that the ISF had released a paper titled Deploying Open Source Software: Challenges and Rewards, aimed at helping security professionals understand the benefits and perceived challenges of using open source software (OSS). The article described OSS as “a core part of IT infrastructure and applications” and noted that the ISF's guidance helps organizations “set up a program of protective measures to effectively manage OSS.” The publication also highlighted that the rise of agile and DevOps methodologies has driven increased OSS adoption.[5]
Benchmarking program
The ISF's Benchmark (formerly called the 'Information Security Status Survey') has been developed using input from member organisations over a 25-year period. Organizations can participate in the Benchmark service at any time and can use the web-based tool to assess their security performance across a range of different environments, compare their security strengths and weaknesses against other organizations, and measure their performance against the ISF's 2016 Standard of Good Practice, ISO/IEC 27002:2013, and COBIT version 5 for information security. The Benchmark provides a variety of data export functionality that can be used for analyzing and presenting data for management reporting and the creation of security improvement programs. It is updated on a biennial basis to align with the latest thinking in information security and to reflect changes in the information security landscape.[6]
Events
The ISF's annual global conference, the 'World Congress', takes place in a different city each year. The 2017 conference took place in October in Cannes, France. The event features sessions on information security topics and organisational practices and includes presentations and discussions with information security professionals from various sectors. Over 1,000 global senior executives attend. The event includes a series of keynote presentations, workshops and networking sessions, best practices and thought leadership.[6]
Online portal
The ISF's extranet portal, ISF Live, enables members to directly access all ISF materials, including member presentations, messaging forums, contact information, webcasts, online tools, and other data for member use.[7]
See also
See Category:Computer security for a list of all computing and information-security related articles.
References
External links