ISF Standard of Good Practice Guide review.

02 November, 2007
Earlier this month, the Information Security Forum released a new Standard of Good Practice guide for reducing business risk relating to information systems, aimed at companies of all sizes.
The Information Security Forum has made its Standard of Good Practice guide for information security available free to all visitors to its site, not only to members of the forum. Given the standing of the ISF within the information security community, this seemed like a good opportunity for non-members to take advantage of a valuable resource, so ProSecurityZone decided to take a look at the guide to see how useful it really is.

At first sight, the 372-page PDF seemed cumbersome beyond the 15-minute attention threshold of the average busy IT Manager. Beyond the dry and clumsy introduction, layout explanations, objectives, principles and definitions that occupy the first 75 pages, however, lies the real meat: a set of clear, effective and scalable guidelines for operating effective information security procedures in any size of organisation.

The main body of the guide is divided into 6 sections, each with a two-letter code. Before reading this main section, you need to find out which of these codes is most applicable to your environment, and to do this the first 75 pages need to be skimmed. It is in this respect that it became apparent that the guide layout isn't as cumbersome as it first appears. The way to approach it is to break it down into what's relevant and use the effective navigation aids, such as the summary table on page 4, its expansion in the "Principles" section and the very useful "topics matrix" on pages 66 to 75, to cut to the parts you want to use.

The result is the kind of advice that would cost a couple of thousand Euros in consultancy charges, all at the cost of a short form to fill in and a 4Mb download.

A "Guide to the Guide" and a concise version are also available but it isn't immediately obvious from the Information Security Forum website where these can be downloaded from.

Our ProSecurityZone reviewer would certainly recommend this guide to any organisation that wants to approach the subject of information security in a professional and organised way. The guide focuses on good practice, not on technology or products, and this is important. By developing processes for managing and protecting information assets, companies create a culture of security that is systematic and largely independent of technology choices. The technology is also important, of course, but it is less useful without a structured process for ensuring that it is used effectively, and it is on these processes that the guide concentrates.