The Information Security Forum's Standard of Good Practice for Information Security was updated and re-released just a few days ago. I have long admired the ISF standard for two key reasons:
1. It is well written, clearly laid out and eminently usable. As a user, I really like pragmatic standards!
2. It is free. If the ISO/IEC 27000 standards were free, I'm sure they would be even more popular and widely used than they are and the world would be a safer place. For organizations or individuals who are unwilling or unable to afford ISO27k, the ISF standard makes a good second choice ... along with the NIST SP 800 standards and a raft of others.
The 2007 version is a weighty 372 pages but is fluff-free. Each of the controls is simply and directly stated with very little in the way of explanation, context, justification or implementation guidance. That's great for those of us with sufficient experience to fill in the gaps for ourselves but could be a bit ambitious for those new to information security management.
I'm sure I'll be referring to the standard in our security awareness materials, though not as much as ISO27k.