PDF 2017 ISF Standard Good Practice: Tips and Tricks for Effective Implementation and Use
PDF 2017 ISF Standard Good Practice: What You Need to Know
If you are looking for a comprehensive and practical guide to cyber security best practices, you may want to check out the PDF 2017 ISF Standard Good Practice (SOGP). The SOGP is a document produced by the Information Security Forum (ISF), an independent, not-for-profit organization that specializes in cyber security and information risk management. The SOGP provides a leading and internationally recognized set of good practice covering all aspects of cyber resilience, information security, and risk management.
The SOGP is updated regularly to reflect current and emerging information security issues. The latest edition was released in March 2020, but you can still access the previous edition from 2017 if you prefer. The PDF 2017 ISF Standard Good Practice contains over 300 pages of detailed guidance on various topics related to cyber security.
In this article, we will give you an overview of what the PDF 2017 ISF Standard Good Practice covers, why it is important, and what the main changes in the 2017 edition are. We will also provide you with some tips on how to use the SOGP effectively in your organization.
Security Governance
Security governance is the process of establishing and maintaining a security governance framework, which includes setting direction and performing assurance activities for cyber security. Security governance also involves aligning cyber security with business objectives and external requirements, such as laws, regulations, standards, or contracts.
Establishing a security governance framework
A security governance framework is a set of structures, roles, policies, and processes that enable an organization to manage cyber security effectively and efficiently. A security governance framework should:
Define the scope, objectives, and principles of cyber security
Assign roles and responsibilities for cyber security at different levels of the organization
Establish policies and procedures for cyber security decision making and oversight
Provide mechanisms for monitoring, measuring, and reporting on cyber security performance and compliance
Support continuous improvement and adaptation of cyber security practices
The PDF 2017 ISF Standard Good Practice provides guidance on how to design and implement a security governance framework that suits the organization's size, complexity, culture, and risk appetite. It also provides examples of security governance frameworks from different industry sectors and regions.
Aligning with business objectives and external requirements
Cyber security should not be seen as an isolated or technical function, but as an integral part of the organization's overall strategy and operations. Cyber security should support the organization's business objectives, such as increasing revenue, reducing costs, enhancing customer satisfaction, or improving innovation. Cyber security should also comply with external requirements that apply to the organization, such as laws, regulations, standards, or contracts.
The PDF 2017 ISF Standard Good Practice provides guidance on how to align cyber security with business objectives and external requirements by:
Identifying and prioritizing the organization's key business drivers and stakeholders
Understanding and assessing the organization's legal and regulatory obligations and industry best practices
Establishing cyber security goals and metrics that reflect the organization's priorities and expectations
Communicating and demonstrating the value and benefits of cyber security to senior executives and other key stakeholders
Information Risk Assessment
Information risk assessment is the process of determining the requirements for protecting the confidentiality, integrity, and availability of information assets. Information risk assessment also involves assessing vulnerabilities and threats to information assets, analysing and treating information risks, and documenting and communicating the results.
Determining protection requirements
Protection requirements are the levels of confidentiality, integrity, and availability that information assets need to have in order to support the organization's business objectives and comply with external requirements. Protection requirements depend on factors such as:
The value and sensitivity of information assets
The potential impact of unauthorized disclosure, modification, or loss of information assets
The legal, regulatory, contractual, or ethical obligations related to information assets
The expectations and preferences of information owners, custodians, users, or recipients
The PDF 2017 ISF Standard Good Practice provides guidance on how to determine protection requirements by:
Identifying and classifying information assets based on their characteristics and ownership
Prioritizing information assets based on their criticality and dependency
Assessing the confidentiality, integrity, and availability needs of information assets using predefined criteria or scales
Assigning protection levels or labels to information assets based on their assessed needs
Assessing vulnerabilities and threats
Vulnerabilities are weaknesses or gaps in the organization's cyber security arrangements that could be exploited by threats. Threats are sources of harm that could compromise the confidentiality, integrity, or availability of information assets. Vulnerabilities and threats can be technical or non-technical in nature.
The PDF 2017 ISF Standard Good Practice provides guidance on how to assess vulnerabilities and threats by:
Identifying potential vulnerabilities in the organization's people, processes, technology, or environment
Evaluating the likelihood and severity of vulnerabilities being exploited by threats
Identifying potential threats from internal or external sources that could harm information assets, whether intentionally or accidentally
Evaluating the likelihood and severity of threats causing harm to information assets
Analysing and treating information risks
Information risks are the combination of vulnerabilities, threats, and potential impacts that could affect the confidentiality, integrity, or availability of information assets. Information risks can be analysed and treated using various methods and techniques.
The PDF 2017 ISF Standard Good Practice provides guidance on how to analyse and treat information risks by:
Estimating the level of information risk based on the assessed likelihood and impact of vulnerabilities and threats
Comparing the level of information risk with the organization's risk appetite and tolerance
Selecting appropriate risk treatment options, such as avoiding, transferring, accepting, or reducing information risk
Implementing and monitoring the effectiveness of risk treatment actions and controls
Documenting and communicating the results and recommendations of information risk assessment and treatment
Information Security Architecture
Information security architecture is the process of defining security architecture principles and standards, applying security architecture patterns and frameworks, and integrating security into system development and acquisition. Security architecture is a consistent and coherent approach to designing and implementing cyber security solutions that meet the organization's protection requirements and align with its business objectives and external requirements.
Defining security architecture principles and standards
Security architecture principles are high-level statements that guide the design and implementation of cyber security solutions. Security architecture standards are specific rules or requirements that define how cyber security solutions should be configured or operated. Security architecture principles and standards should:
Support the organization's security governance framework and information risk assessment process
Reflect the organization's business drivers, security goals, and protection requirements
Comply with relevant legal, regulatory, contractual, or industry obligations
Enable interoperability, scalability, flexibility, and usability of cyber security solutions
Promote security by design, defense in depth, least privilege, and other best practices
The PDF 2017 ISF Standard Good Practice provides guidance on how to define security architecture principles and standards by:
Identifying and engaging key stakeholders involved in security architecture activities
Establishing a security architecture governance structure and process
Developing and documenting security architecture principles and standards based on industry frameworks or models
Maintaining and updating security architecture principles and standards as needed
Applying security architecture patterns and frameworks
Security architecture patterns are reusable solutions that address common cyber security challenges or scenarios. Security architecture frameworks are structured collections of security architecture patterns that provide a comprehensive and consistent approach to cyber security design and implementation. Security architecture patterns and frameworks should:
Support the organization's security architecture principles and standards
Meet the organization's protection requirements and business objectives
Address the organization's specific cyber security context and environment
Leverage proven practices and technologies from internal or external sources
Facilitate communication and collaboration among security architecture stakeholders
The PDF 2017 ISF Standard Good Practice provides guidance on how to apply security architecture patterns and frameworks by:
Selecting and adapting security architecture patterns and frameworks that suit the organization's needs and preferences
Applying security architecture patterns and frameworks to different domains, layers, or components of the organization's information systems
Integrating security architecture patterns and frameworks with other architectural disciplines, such as enterprise, business, or data architecture
Evaluating and improving security architecture patterns and frameworks based on feedback and lessons learned
Integrating security into system development and acquisition
System development and acquisition is the process of planning, designing, building, testing, deploying, operating, maintaining, and disposing of information systems. Security should be integrated into system development and acquisition throughout the system lifecycle, from inception to retirement. Security should also be considered when outsourcing or procuring information systems or services from external providers.
The PDF 2017 ISF Standard Good Practice provides guidance on how to integrate security into system development and acquisition by:
Defining security requirements and specifications for information systems based on the organization's protection requirements and business objectives
Incorporating security controls and measures into information system design and implementation using security architecture patterns and frameworks
Conducting security testing and verification to ensure that information systems meet security requirements and specifications
Managing security changes and updates to information systems using a formal change management process
Ensuring that information systems are securely disposed of or decommissioned at the end of their lifecycle
Establishing security criteria and standards for selecting and managing external providers of information systems or services
Information Security Management
Information security management is the process of implementing security policies and procedures, managing security roles and responsibilities, and educating and training staff and users. Information security management aims to ensure that cyber security arrangements are effective, efficient, and consistent across the organization.
Implementing security policies and procedures
Security policies and procedures are documents that define the rules and guidelines for cyber security in the organization. Security policies and procedures should:
Support the organization's security governance framework and information risk assessment process
Reflect the organization's security architecture principles and standards
Cover all aspects of cyber security, including governance, risk, architecture, management, incident management, and awareness
Be clear, concise, and easy to understand and follow
Be approved, communicated, and enforced by senior management
The PDF 2017 ISF Standard Good Practice provides guidance on how to implement security policies and procedures by:
Developing and documenting security policies and procedures based on industry frameworks or models
Reviewing and updating security policies and procedures regularly or as needed
Distributing and publishing security policies and procedures to relevant stakeholders
Monitoring and auditing compliance with security policies and procedures
Addressing non-compliance issues and taking corrective actions
Managing security roles and responsibilities
Security roles and responsibilities are the duties and accountabilities for cyber security that are assigned to different individuals or groups in the organization. Security roles and responsibilities should:
Support the organization's security governance framework and information risk assessment process
Reflect the organization's security architecture principles and standards
Cover all aspects of cyber security, including governance, risk, architecture, management, incident management, and awareness
Be clearly defined, documented, and communicated
Be aligned with the organization's structure, culture, and resources
The PDF 2017 ISF Standard Good Practice provides guidance on how to manage security roles and responsibilities by:
Identifying and assigning security roles and responsibilities to different levels of the organization, such as senior management, business units, functions, or teams
Establishing and maintaining a security organization that provides leadership, direction, coordination, and support for cyber security activities
Defining and implementing security delegation and escalation mechanisms to ensure effective and timely decision making and problem solving
Reviewing and updating security roles and responsibilities regularly or as needed
Evaluating and rewarding the performance and contribution of the individuals and groups that hold security roles and responsibilities
Educating and training staff and users
Educating and training staff and users is the process of raising awareness and skills on cyber security among employees and other stakeholders, such as customers, partners, suppliers, or regulators. Educating and training staff and users should:
Support the organization's security governance framework and information risk assessment process
Reflect the organization's security policies and procedures
Cover all aspects of cyber security, including governance, risk, architecture, management, incident management, and awareness
Be tailored to the needs and preferences of different target audiences
Be engaging, interactive, and effective
The PDF 2017 ISF Standard Good Practice provides guidance on how to educate and train staff and users by:
Identifying and prioritizing the learning objectives and outcomes for different target audiences
Developing and delivering security education and training programs using various methods and formats, such as e-learning, workshops, simulations, or games
Evaluating and measuring the impact and effectiveness of security education and training programs
Reinforcing and refreshing security education and training programs regularly or as needed
Recognizing and rewarding participation and achievement in security education and training programs
Information Security Incident Management
Information security incident management is the process of preparing for incidents, responding to incidents, and learning from incidents. An information security incident is any event that could compromise the confidentiality, integrity, or availability of information assets. Information security incident management aims to minimize the impact and recurrence of incidents and to improve the organization's cyber resilience.
Preparing for incidents
Preparing for incidents is the process of establishing a robust incident response capability, including plans, teams, tools, and processes. Preparing for incidents should:
Support the organization's security governance framework and information risk assessment process
Reflect the organization's security policies and procedures
Cover all aspects of incident response, such as detection, containment, analysis, resolution, and reporting
Be aligned with the organization's business continuity and disaster recovery plans
Be tested and validated regularly or as needed
The PDF 2017 ISF Standard Good Practice provides guidance on how to prepare for incidents by:
Developing and documenting an incident response plan that defines the scope, objectives, roles, responsibilities, procedures, and resources for incident response
Establishing and training an incident response team that consists of qualified and authorized staff from different functions or areas of the organization
Providing and maintaining tools and equipment that support incident response activities, such as detection systems, forensic tools, or communication devices
Conducting exercises and simulations to test and validate the incident response plan and team
Reviewing and updating the incident response plan and team regularly or as needed
Responding to incidents
Responding to incidents is the process of detecting, containing, analysing, resolving, and reporting on cyber security incidents. Responding to incidents should:
Follow the organization's incident response plan and procedures
Involve the organization's incident response team and other relevant stakeholders
Cover all aspects of incident response, such as detection, containment, analysis, resolution, and reporting
Be timely, effective, and efficient
Be documented and communicated clearly and accurately
The PDF 2017 ISF Standard Good Practice provides guidance on how to respond to