June 2011
The 2011 Standard of
Good Practice
for Information Security
2011 Standard of Good Practice • Copyright © 2011 Information Security Forum www.securityforum.org
Published by
Information Security Forum Limited Tel: +44 (0)20 7213 1745 Fax: +44 (0)20 7213 4813 Email: [email protected] Web: www.securityforum.org
Acknowledgements
The Information Security Forum would like to extend its special thanks to those Member organisations who volunteered to provide case study information for this report.
Warning
This document is confidential and purely for the attention of and use by Member organisations of the Information Security Forum (ISF): including Academic and Supply Chain Members.
If you are not a Member of the ISF, or have received this document in error, please destroy it or contact the ISF on [email protected]. Any storage or use of this document by organisations which are not Members of the ISF is not permitted and strictly prohibited.
This document has been produced with care and to the best of our ability. However, neither the Information Security Forum nor Information Security Forum Limited accepts any responsibility for problems or incidents arising from its use (other than responsibility for personal injury or physical damage to property). Furthermore, neither the Information Security Forum nor Information Security Forum Limited makes any representation or gives any warranty of any kind as to the accuracy, completeness or current applicability of the information provided.
Classification: Restricted to ISF Members and ISF Service Providers.
Principal authors
Mark Chaplin
Jason Creasey
Contributors
Adrian Davis
Nick Frost
Simon Rycroft
Technical review
Miles Clement
Gary Wood
Supplementary content
Christopher Petch
Matias Lopez-Portillo
Review and quality assurance
Steve Thorne
Design
Louise Liu
Snehal Rabadia
The ISF 2011 Standard of Good Practice
The 2011 Standard of Good Practice for Information Security (the 2011 Standard) has been produced by the
Information Security Forum (ISF) for its Members. This version contains the latest thinking – combining developments and enhancements from previous editions and facts and insights from the many authoritative projects run by the ISF over the last 20 years – to produce the international reference source for information security.
The 2011 Standard is core to the ISF’s Membership offerings, forming the centre-piece of its tools and techniques. For example, the 2011 Standard is tightly integrated with the ISF’s Information Risk Analysis Methodology (IRAM), and with the Benchmark, which enables Members to gain a clear picture of their organisation’s performance across all aspects of information security, and compare with other leading organisations.
The 2011 Standard will be updated annually, reflecting the rapid pace of change and organisations’ greater need for information security. In this way it will keep the ISF and its Members ahead of the curve in delivering up-to-date good practice in information security.
Building and maintaining strong security arrangements throughout your supply chain
ISF reports are normally for the exclusive use of its Members. However, the ISF has created an external supplier version of the 2011 Standard that may be shared with organisations that supply goods and services to Members. This approach enables Members to ensure that:
• Consistently strong practices are established, assessed and maintained throughout their supply chain
• Organisations supplying goods and services to a Member are able to meet the Member’s expectations
• All parties provide feedback to the ISF in its ongoing effort to ensure the Standard maintains its leading position as the reference which is practical, focused on the right areas, and effective in managing information risk.
Members may download the special edition of the 2011 Standard for “organisations in Member supply chains” from the ISF’s Member Exchange (MX) system and share it amongst their suppliers.
The investment committed to developing the 2011 Standard and future annual updates, and its significant value, has led the ISF Member Council to agree that the 2011 Standard will not be freely available in the public domain. Non-Members who are not in Member supply chains may purchase a copy of the 2011 Standard on the ISF public website.
For more information please contact Mark Chaplin on +44 (0)20 7213 1226 or email [email protected]
We take great care to minimise the impact on the environment in the paper we use. The paper we have used in this document is FSC* certified and manufactured at an ISO14001** accredited mill.
*FSC – Forest Stewardship Council. This ensures there is an audited chain of custody from the tree in the well managed forest through to the finished document in the printing factory.
The ISF has developed a security model to support organisations in designing their approach to addressing information security and to give them a basis for identifying the key aspects of an information security programme. The ISF provides insights, best practice standards and tools which address each aspect of the model to aid organisations in enhancing their information security environment.
Within the ISF Security Model, The 2011 Standard of Good Practice for Information Security forms part of the Research and Reports service. Using a rating from very high to very low, the way in which this report aligns with the ISF Security Model is shown below.
[Figure: ISF Security Model service layers – Knowledge Exchange, Tools & Methods, Research & Reports]
Governance
The framework by which policy and direction is set, providing executive management with assurance that security management activities are being performed correctly and consistently.
Risk
The potential business impact and likelihood of particular threats materialising – and the application of controls to mitigate risks to acceptable levels.
Compliance
The policy, statutory and contractual obligations relevant to information security which must be met to operate in today’s business world to avoid civil or criminal penalties and mitigate risk.
People
The executives, staff and external parties with access to information, who need to be aware of their information security responsibilities and requirements and whose access to systems and data needs to be managed.
Process
Business processes, applications and data that support the operations and decision making.
Technology
The physical and technical infrastructure, including networks and end points, required to support the successful deployment of secure processes.
[Figure: The ISF Security Model. Key: Very high / High / Medium / Low / Very low, applied to each of Governance, Risk, Compliance, People, Process and Technology]
A pdf copy of the ISF Security Model can be downloaded from the ISF’s Member Exchange (MX) system, which can be used to clearly describe to your team and others (management, potential Supply Chain or other Membership prospects) the key aspects of the information security environment within your organisation.
Contents
Introduction to the 2011 Standard
About the 2011 Standard of Good Practice 1
Basis for the 2011 Standard 1
Target audience 2
How the 2011 Standard can help you
Using the 2011 Standard 3
Enable compliance with ISO 27001 and support compliance with other recognised standards 3
Validate information security arrangements in external suppliers 4
Provide a foundation for your information risk assessment 5
Form a basis for policies, standards and procedures 6
Raise information security awareness 6
Form the basis of a detailed or high-level information security assessment 7
Develop or improve specific information security arrangements 7
Features of the 2011 Standard
New and updated content 8
Modular and Aspect-based formats 8
Relationship between the 2011 Standard and other major information security standards 10
Fundamental and specialised controls 11
Comparing this 2011 Standard with previous versions 11
Structure and layout
Overview 12
Topic layout 13
About the Index 14
The 2011 Standard
SECURITY GOVERNANCE
SECURITY REQUIREMENTS
CONTROL FRAMEWORK
SECURITY MONITORING AND IMPROVEMENT
Appendix A: Categories and topics 252
Appendix B: Sources used in developing the 2011 Standard 254
Appendix C: Threat types 255
Appendix D: The 2011 Standard in Aspect format 258
Introduction to the 2011 Standard
The ISF provides a highly integrated set of tools and services to help Members manage information risk. These are founded on The 2011 Standard of Good Practice for Information Security, the Information Risk Analysis
Methodology (IRAM) and the Benchmark. When applied as part of an ‘Information Risk Management Business
Cycle’ as described below, these tools and services support the business process to manage Information Risk.
The ISF Information Risk Management Business Cycle
The above Business Cycle describes how Members may use a highly integrated and consistent set of tools and services to ensure that controls respond to risk and regulation – to support enterprise success. Most importantly, these tools and services can be used to assess compliance against other standards commonly used by Members.
How the 2011 Standard and other ISF tools improve information security
1 DEFINE
Establishing the ‘tone from the top’ and commitment towards sound information security governance, assessing the organisation’s ‘risk appetite’, aligning security strategy with the organisation’s strategy and developing information security policy accordingly.
The 2011 Standard offers comprehensive material on which information security governance and information security policy can be based. The 2011 Standard covers the requirements of other significant information security standards and regulations (ie ISO, COBIT, PCI DSS) and so can be used where these apply. Many Members have adopted the Standard ‘as is’ as the detailed part of their information security policy.
2 IMPLEMENT
Defining the means by which the policy will be implemented, how risk will be assessed, and implementing controls consistent with risk appetite.
The ISF’s Information Risk Analysis Methodology (IRAM) is designed to assess risks at application, business process or business unit level and select appropriate controls to mitigate risk consistent with risk appetite. The 2011 Standard defines potential information security controls. Once risk and security requirements are identified using IRAM, the ‘Control Framework’ in the 2011 Standard can be used to select appropriate controls.
3 EVALUATE
Assessing the effectiveness of controls implemented against policy and regulatory requirements.
The ISF’s Benchmark is a powerful service that enables Members to assess the extent to which controls are implemented. It also allows areas of control weakness / gaps (and strengths) to be identified and provides comparisons to peers. The Benchmark enables assessment using a high level Security Healthcheck for lower risk activities, and more detailed assessments at the level of the 2011 Standard for higher risk areas and critical business applications. The Benchmark reports results in many formats, including ISO, COBIT and PCI DSS formats, and so can also be used to assess performance and gaps against those standards.
4 ENHANCE
Enhancing controls and activities where alignment of risk, policy and implementation requires improvement.
Where the ISF Benchmark has highlighted weaknesses / gaps in controls, Members can use the 2011 Standard and other ISF reports to identify and select controls to better align arrangements.
About the 2011 Standard of Good Practice
The 2011 Standard of Good Practice for Information Security (the 2011 Standard) is the most practical source of
information security and information risk-related guidance available worldwide. Significantly updated for 2011, the 2011 Standard addresses information security from a business perspective and provides an ideal basis for assessing and improving an organisation’s information security arrangements.
A full list of topics can be found in Appendix A: Categories and topics.
The 2011 Standard covers the complete spectrum of security arrangements that need to be made to keep business risks associated with information systems within acceptable limits, and presents good practice in practical, clear statements. As a result, not only does it contribute towards improving the quality and efficiency of information security arrangements applied by an organisation, it also acts as a powerful aid towards information security compliance. As the 2011 Standard is mapped fully to the content of ISO 27001*, ISO 27002*, ISO 27005* and COBIT version 4, using the 2011 Standard to comply with these standards can greatly reduce the complexity of potentially onerous compliance (and certification) activities. Further, as the 2011 Standard is aligned closely with other regulatory requirements and guidance such as the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes Oxley Act, Basel III Accord and Cloud Security Alliance (CSA) Controls Matrix, it can make a significant contribution to harmonising information security compliance activities across the board.
* Full titles and descriptions of the relevant standards in the ISO 27000 ‘suite’ are provided on page 10.
Basis for the 2011 Standard
The 2011 Standard is based on analysis of a wide range of material, in-depth research, and the extensive knowledge and practical experience of ISF Members worldwide. It is updated every year in order to:
• meet the needs of leading international organisations
• define new areas of good practice and enhance existing ones
• promote the most up-to-date thinking in information risk management
• remain tightly aligned with other information security-related standards
• cover the latest ‘hot’ topics, such as cloud security, consumerisation and cybercrime.
The main inputs to development of the 2011 Standard are illustrated in Figure 1 below.
Figure 1: Main inputs to the development of the 2011 Standard
• An extensive work programme involving the expertise of a full-time ISF Global Team, that performs research into ‘hot’ topics in information security, produces reports, tools and methodologies, and maintains strategic initiatives such as the ISF’s Information Risk Analysis Methodology (IRAM).
• Analysis and integration of information security-related standards (eg ISO 27002 and COBIT v4.1), and legal and regulatory requirements (eg Sarbanes-Oxley Act, Payment Card Industry Data Security Standard (PCI DSS), Basel III, and the EU Directive on Data Protection). A full list of standards reviewed can be found in Appendix B: Sources used in developing the 2011 Standard.
• The involvement of ISF Members using techniques such as workshops, face-to-face meetings and interviews, and the results of the ISF’s Benchmark.
Target audience
The 2011 Standard is aimed at major national and international enterprises that recognise that information security is a key business issue. However, the 2011 Standard will also be of real, practical use to any type of organisation, such as a small- to medium-sized enterprise – as it presents good practice as discrete topics that are described in clear, accessible language.
Good practice detailed in the 2011 Standard will typically be incorporated into an organisation’s information security policy and other arrangements by a range of key individuals or external parties, including:
• Chief Information Security Officers (or equivalent), responsible for developing policy and implementing a sound organisation-wide approach to Information Security Governance and Information Security Assurance
• Information Security Managers (or equivalent), responsible for promoting or implementing an information security assurance programme
• Business managers responsible for ensuring that critical business applications, processes and local environments on which their organisation’s success depends are well controlled
• IT managers and technical staff responsible for planning, developing, deploying and maintaining key information systems or facilities
• Internal and external auditors responsible for conducting security audits
• IT service providers responsible for managing critical facilities (eg computer installations and networks) on behalf of the organisation
• Organisations in your information processing supply chain that should understand and comply with your information security policy to protect your business interests.
How the 2011 Standard can help you
Using the 2011 Standard
The 2011 Standard of Good Practice for Information Security can be used in a range of circumstances, depending
on the requirements and priorities of your organisation. To illustrate the versatility and practical nature of the 2011 Standard, this section describes seven of the most common ways in which the 2011 Standard can be applied in an organisation – together with the associated business benefits. These are summarised and described in more detail.
Figure 2: How Members can benefit from the 2011 Standard
1. Enable compliance with ISO 27001 and support compliance with other recognised standards
2. Validate information security arrangements in external suppliers
3. Provide a foundation for your information risk assessment
4. Form a basis for policies, standards and procedures
5. Raise information security awareness
6. Form the basis of a detailed or high-level information security assessment
7. Develop or improve specific information security arrangements
1 Enable compliance with ISO 27001 and support compliance with other recognised standards
The 2011 Standard is aligned with the requirements for an Information Security Management System (ISMS) set out in ISO 27001 and provides a wider and deeper coverage of ISO 27002 controls topics. It particularly covers many ‘hot’ topics not addressed by ISO 27002, such as cloud computing, information leakage, consumer devices and security governance. The 2011 Standard is therefore an ideal tool to enable ISO 27001 certification. Further, as the 2011 Standard provides full coverage of COBIT v4 topics, and offers substantial alignment with other relevant standards and legislation such as PCI DSS and the Sarbanes Oxley Act, implementing the 2011 Standard will enable compliance with these too. This enabling role is shown in Figure 3 overleaf.
Figure 3: How the 2011 Standard supports compliance
Whatever information security standard or requirement organisations are obliged to comply with, the 2011 Standard provides the practical means by which certification or compliance can be achieved.
Business benefits provided by use of the 2011 Standard:
• Efficiency – enabling compliance / certification / alignment with other relevant standards and regulations to meet business needs
• Simplification – harmonising information security compliance activity throughout the organisation, delivering cost and efficiency benefits
• Trust – increasing external confidence that information risks are being managed effectively, enhancing reputation and potentially market value.
2 Validate information security arrangements in external suppliers
The 2011 Standard is a valuable resource for helping organisations to address the need for strong information security in external supplier relationships. Firstly, the CF16 External Supplier Management area of the 2011 Standard will help organisations to ensure that information security requirements become embedded in arrangements for working with external parties. Secondly, the 2011 Standard can be used in its entirety as the basis for understanding or assessing information security of external suppliers. This can be particularly powerful when applied with the ISF’s Benchmark or Third Party Security Assessment Tool (TPSAT).
Business benefits provided by use of the 2011 Standard:
• Trust – providing an assurance that your supply chain is subject to a uniform level of information security, whether in-house or outsourced
• Simplification – when issued with the Benchmark or TPSAT tool, it provides assurance that is aligned with the forthcoming ISO 27036 (draft standard covering external suppliers) and the Cloud Security Alliance’s (CSA) Controls Matrix
• Effectiveness – reducing reputational damage or loss of customer support by information security lapses in an external supplier organisation
• Rigour – using the Benchmark offers a well proven solution to external supplier security assessment.
[Figure 3 content: ISO/IEC 27014 (Security Governance); ISO/IEC 27001 (Requirements of an ISMS); ISO/IEC 27005 (risk-based specification of requirements for information security); ISO/IEC 27002 (Control framework required to implement an ISMS); ISO/IEC 27036 (Controls relating to third party relationship and supply chain management); COBIT version 4; other major recognised standards / requirements such as PCI DSS, Sarbanes Oxley Act. Key: Enables compliance / implementation as fully aligned; Supports compliance]
3 Provide a foundation for your information risk assessment
Information risk assessment helps organisations reduce the frequency and impact of information security incidents and improve information security arrangements. The 2011 Standard has been developed with this in mind, and will support any information risk assessment – but in particular a risk assessment using the ISF’s Information Risk Analysis Methodology (IRAM). It is designed to address the ‘ISF Threat List’ referenced in IRAM.
The way in which IRAM and the 2011 Standard can be used as part of an information risk assessment process is shown in Figure 4 below.
Figure 4: How IRAM and the 2011 Standard support an Information Risk Assessment
The 2011 Standard is consistent with the risk assessment approaches defined in ISO 27001 and ISO 27005, and other relevant authorities including ISACA and NIST, and covers the important topic of ‘information risk treatment’.
The ISF Threat List, embedded in IRAM and Benchmark, is available as Appendix C: Threat types.
[Figure 4 content: IRAM – Phase 1 Business Impact Assessment; Phase 2 Threat and Vulnerability Assessment; Phase 3 Control Selection. 2011 Standard – Security requirements; Control framework]
Business benefits provided by use of the 2011 Standard:
• Rigour – identifying key risks and potential business impact
• Efficiency – avoiding the need to purchase an additional repository of potential controls
• Integration – as the 2011 Standard is completely aligned with IRAM’s 50 threat types
• Quality – providing a trusted, standard set of controls for risk assessment across the organisation and enabling control selection and implementation that is commensurate with risk profile and appetite
• Integration – meeting ISO requirements for risk assessment.
4 Form a basis for policies, standards and procedures
The 2011 Standard can be used as the basis for an organisation’s overall information security policy, and a significant number of ISF Members use it in this way. In addition, it is an effective tool for identifying gaps in existing policies, standards and procedures – and for developing new ones. For example, where deficiencies in policies and procedures for activities such as mobile device configuration, outsourcing or information leakage protection are identified, the 2011 Standard will be effective in filling those gaps.
The 2011 Standard can also be used as the basis for entirely new policies or procedures where they don’t yet exist. Where an organisation has many different departments or business units that have developed their own policies and procedures over time, the 2011 Standard can also provide a sound basis for harmonisation.
Business benefits provided by use of the 2011 Standard:
• Efficiency – providing a ‘ready-made’ control framework out of the box upon which policies and procedures can be based, reducing resources required to produce policies / procedures from scratch
• Practical – providing policies / standards that are pragmatic and based on ‘real world’ good practice
• Simplification – harmonising policies throughout the organisation, reducing duplication of effort and delivering a consistent level of protection
• Relevance – highlighting genuine good practice that is applied by ‘real’ global organisations – as it incorporates experiences of major organisations around the world.
5 Raise information security awareness
The 2011 Standard includes content aimed at improving security awareness, but can also be used in its entirety to support security awareness activities. The 2011 Standard also addresses how information security should be applied in local environments – largely an awareness-driven activity.
Business benefits provided by use of the 2011 Standard:
• Efficiency – reducing the need to purchase a specific security awareness solution, and contributing to reducing costly damage to an organisation’s reputation
• Credibility – this authoritative 2011 Standard raises understanding across the organisation of the importance of information security – and what it includes – to a consistent level and delivers heightened levels of protection overall.
6 Form the basis of a detailed or high-level information security assessment
The 2011 Standard is integrated tightly with the ISF’s Benchmark, which enables detailed or higher level assessments of the strength of information security across the enterprise (or locally) – activity that is important to sound Security Assurance. Additionally, Members using the Benchmark can draw meaningful comparisons with the status of information security in other like organisations (eg in the same sector).
Business benefits provided by use of the 2011 Standard:
• Rigour – underpins (with the Benchmark) an organisation’s Security Assurance programme – and supports both internal and external audits of key information assets
• Efficiency – provides the foundation for a comprehensive programme of context-rich security assessments without incurring any additional external cost – as ISF full Membership already includes free access to the widely used Benchmark service
• Trust – providing higher levels of confidence from executive management and stakeholders – as the organisation is able to provide accurate, quantitative reporting on the true security maturity level of the organisation in a way that is objective and transparent.
7 Develop or improve specific information security arrangements
Where an organisation needs to develop new (or improve existing) information security arrangements to react to a specific circumstance, the 2011 Standard is an ideal reference. For example, an organisation may use the 2011 Standard to address the use of consumer-focused devices (such as tablets) in the workplace. Equally, it might be used as a key input to a systems development project or when defining policy for new ventures or external supply arrangements (eg through the use of cloud computing).
As the 2011 Standard is separated into intuitive topics, extracting relevant good practice to form the basis of a new information security procedure is straightforward.
Once new information security arrangements have been introduced, or existing ones improved, their effectiveness should be assessed and reported. As the Benchmark is founded on the 2011 Standard, including topics covering security audit, security monitoring and information risk reporting, it provides a sound basis for this activity.
Business benefits provided by use of the 2011 Standard:
• Trusted – it provides rigorously developed controls information to solve new challenges, such as the need to secure cloud computing and address consumer devices (such as tablets or smartphones) in the workplace
• Effectiveness – reducing the frequency and magnitude of potentially costly incidents in terms of impact on cost and reputation
• Efficiency – producing cost savings as the need to develop controls ‘from the ground up’ is eliminated
• Responsiveness – providing a platform to rapidly secure new initiatives and offerings that rely on sound information security.
New and updated content
Prior to 2011, the Standard was normally updated every two years. From 2011, to ensure that the Standard addresses the latest ‘hot’ topics and challenges, it will be updated annually. As each annual iteration of the Standard incorporates the results of the ISF’s latest research work, this approach ensures that the ISF and its Members are kept ‘ahead of the curve’ in delivering comprehensive, up-to-date good practice. The annual update approach also ensures that the Standard refl ects the latest emerging threats highlighted in the ISF’s annual Threat Horizon report.
A list of new topics in the 2011 Standard is shown in the table below, along with a summary of the degree of content change compared with the 2007 version.
Features of the 2011 Standard
Modular and Aspect-based formats
The default format for the 2011 Standard – as presented in this publication – is ‘Modular’. However the 2011 Standard is also available in its previous ‘Aspect-based’ format if required. The two approaches to structure are explained below.
Modular format
The ‘Modular’ format structure sets out statements of good practice as a series of 118 ‘topics’ or business activities, which are grouped into 26 higher level ‘areas’ and then 4 high level ‘categories’. Each topic is designed to ‘stand alone’ and addresses that particular aspect of business activity from an information security perspective. This approach is summarised in Figure 5 on page 9. The categories reflect the typical approach taken to Security Governance (shown in blue) and Security Assurance (shown in green) in many organisations.
Degree of change    Number of topics
New                 35*
Extensive           24
Moderate            14
Minimal             45
Summary of new topics
SECURITY GOVERNANCE
• Security Governance Framework
• Security Direction
• Information Security Strategy
• Stakeholder Value Delivery
• Information Security Assurance Programme
SECURITY REQUIREMENTS
• Information Risk Treatment
CONTROL FRAMEWORK
• Security Awareness Messages
• Document Management
• Information Validation
• Customer Access Arrangements
• Customer Contracts
• Customer Connections
• Access Control Mechanisms – Password
• Access Control Mechanisms – Token
• Access Control Mechanisms – Biometric
• Virtual Servers
• Network Storage Systems
• Critical Infrastructure
• Information Leakage Protection
• Digital Rights Management
• Cybercrime Attacks
• Local Environment Profile
• Office Equipment
• Mobile Device Connectivity
• Consumer Devices
• External Supplier Management Process
• Cloud Computing Policy
• Cloud Service Contracts
• Business Continuity Programme
SECURITY MONITORING AND IMPROVEMENT
• Security Audit Process – Planning
• Security Audit Process – Fieldwork
• Security Audit Process – Reporting
• Security Audit Process – Monitoring
• Information Risk Reporting
• Monitoring Information Security Compliance
A full list of topics can be found in Appendix A: Categories and topics.
* In addition to new topics, seven topics from the 2007 Standard have been broken down into separate topics as a result of being updated.
Figure 5: Overview of the Modular structure of the 2011 Standard
The modular format is suited to most organisations and supports improving information security arrangements ‘across the board’ – or in a particular business unit or initiative (such as an online banking or a sales order processing application). It is also the most suitable format for those organisations that wish to ‘dip’ into the Standard to address specific areas of concern (such as Information Classification or Office Equipment). The modular format is also consistent with the structure and flow of the ISO 27000 ‘suite’ of standards, and is appropriate for those organisations that wish to use the Standard as an enabler to ISO compliance or certification, or to implement one or more Information Security Management Systems (ISMS).
The structure of the ISF’s Benchmark is tightly aligned to the 2011 Standard in modular format, so this format is likely to be well suited for organisations that aim to use the 2011 Standard to underpin an evaluation of the strength of information security controls. The 2011 Standard also lends itself well to customisation, for example as a basis for topic-specific checklists.
Aspect-based format
The ‘Aspect-based’ format was the default format for previous versions of the Standard of Good Practice (2007 and earlier). It evolved from the ISF’s original ‘Survey’ (the predecessor to the ISF’s current Benchmark) and groups statements of good practice by IT subject or environment (eg networks, critical business applications, computer installations) rather than by information security topic. This Aspect approach is shown in Figure 6.
While the Aspect-based format may be very effective when reviewing controls relating to specific types of technical or business function, it includes a substantial amount of duplication for many topics (ie change management and access control) across the Aspects. This duplication can make the format complex to use when taking a more holistic approach to information security across an entire organisation or business unit. The Aspect-based format is suitable for those organisations that have used the Standard over a number of years and have a strong desire for comparability. It may also be useful for organisations wishing to apply the Standard to only a single computer installation, network or business application.
The topics relating to each of the six aspects are presented in Appendix D: The 2011 Standard in Aspect format.
Figure 6: Overview of the Aspect-based Standard
[Figure 5 data (Modular structure – Categories, Areas, Topics): SECURITY GOVERNANCE – 2 Areas, 5 Topics; SECURITY REQUIREMENTS – 2 Areas, 8 Topics; CONTROL FRAMEWORK – 20 Areas, 97 Topics; SECURITY MONITORING AND IMPROVEMENT – 2 Areas, 8 Topics.]
Relationship between the 2011 Standard and other major information security standards
The 2011 Standard is closely aligned with the ISO 27000 ‘suite’ of information security-related standards. As such, the 2011 Standard is a powerful tool to support ISO compliance and certification activities. The relationship between the 2011 Standard and the relevant ISO information security-related standards is shown in Figure 7, with an explanation of the purpose of each ISO standard:
Figure 7: How the 2011 Standard is aligned with the ISO 27000 ‘suite’ of standards
Standard Description
ISO/IEC 27001
Information technology – Security techniques – Information security management systems – Requirements
A normative standard providing a mandatory set of steps as part of an Information Security Management System (ISMS), against which an organization can certify its security arrangements (eg ‘Define target environment’, ‘Assess risks’ and ‘Select appropriate controls’).
ISO/IEC 27002
Information technology – Security techniques – Code of practice for information security management
An informative standard providing a framework of security controls which can be used to help select the controls required within an ISMS.
ISO/IEC 27005
Information technology – Security techniques – Information security risk management
A normative standard detailing the mandatory steps required to perform an information security risk assessment, as part of an ISMS (eg ‘Identify possible business impact’, ‘Evaluate threats and vulnerabilities’, and ‘Create a risk treatment plan’).
ISO/IEC 27014*
Information technology – Security techniques – Governance of information security
An informative standard that defines the governance of information security, explains the relationship with other types of governance (and with an ISMS) and details how information security governance can be applied in practice.
ISO/IEC 27036*
Information technology – Security techniques – Information security for supplier relationships
An informative standard that outlines information security for external parties for both the acquirer and supplier. It supports organizations in implementing information security controls related to supplier relationships.
*In Draft
[Figure 7 diagram (Structure of the 2011 Standard): the four categories SECURITY GOVERNANCE, SECURITY REQUIREMENTS, CONTROL FRAMEWORK and SECURITY MONITORING AND IMPROVEMENT are shown mapped against ISO 27001 (ISMS), ISO 27014 (Draft), ISO 27005, ISO 27036 (Draft) and ISO 27002.]
The ISF has ‘Liaison’ status (category C) with the ISO SC27 steering group – which is responsible for overseeing development of the ISO 27000 ‘suite’ of information security-related standards. This enables the ISF to represent Member needs and influence enhancement of existing, and development of new, ISO standards. This also ensures that the ISF’s 2011 Standard accurately reflects both the latest and up-and-coming international standards.
The 2011 Standard also provides coverage of COBIT version 4 (and an early draft of COBIT version 5), and will be a useful aid to organisations implementing this framework.
While the 2011 Standard is not mapped to the full content of other recognised information security-related standards, directives or legislation (such as PCI DSS, the Sarbanes Oxley Act, NIST SP 800-53, Basel III and HIPAA), there is a high degree of correlation between their information security-related elements and the 2011 Standard – and thus the content in the 2011 Standard will be a useful resource to support compliance or certification.
Fundamental and specialised controls
For the first time, the 2011 Standard now makes a distinction between those topics that are ‘Fundamental’ and those that are ‘Specialised’. This classification is used to make it easier to identify essential security arrangements for all organisations separate from those that depend on other factors that are not universal.
FUNDAMENTAL topics are the information security arrangements that are generally applied by Members to form the foundation of their information security programme.
SPECIALISED topics are those that depend on how the business operates and are not typically relevant to every organisation, or topics that do not apply to all environments – such as Server Virtualisation or Cloud Computing. A clear indicator at the top of each topic page in the 2011 Standard shows whether the controls presented in that topic are ‘Fundamental’ or ‘Specialised’.
Important note: The extent to which an organisation applies ‘Specialised’ controls in addition to those classified as ‘Fundamental’ will depend on a variety of organisational factors. However, as an indication, the results of a risk assessment are likely to be helpful in determining higher risk systems that should be subjected to ‘Specialised’ controls.
Comparing the 2011 Standard with previous versions
The 2011 Standard represents a very significant update, with revisions made ‘from the ground up’ in terms of structure and content. The table below highlights the main differences between the 2011 Standard and previous versions.
Characteristic | 2007 Standard and previous | 2011 Standard (and beyond)
Default format | Aspect-based | Modular
Default structure | Mapped to six distinct types of environment (Aspects) | Presented as standalone topics mapped to a typical security assurance approach
Update frequency | Every 2 years “planned” | Annual
Duplication of topics | Yes – by design | No
Aligned with ISO 27001 (ISMS) | No | Yes
Mapped to ISO 27002 and COBIT | Yes | Yes
Mapped directly to ISF Benchmark | Yes | Yes, but also enables easier tailoring of results
Highlights Fundamental and Specialised Controls | No | Yes
Provides pointers to related ISF reports and tools