The Standard of Good Practice for Information Security

PDF version of this report
You must have Adobe Acrobat reader to view, save, or print PDF files. The reader
is available for free

The Standard of Good Practice
for Information Security

by James G. Barr

rights reserved.

Docid: 00011343

Publication Date: 1912

Publication Type: STANDARD


The Standard of Good Practice for Information Security "provides
comprehensive controls and guidance on current and emerging information security
topics." Produced by the Information Security Forum and updated
on a biennial basis, the 2018 edition of the Standard features improved guidance
on agile system development, alignment of information risk with operational
risk, collaboration platforms, industrial control systems, information privacy,
and threat intelligence.

Report Contents:

Executive Summary

[return to top of report]

The Standard of Good Practice for Information Security "provides
comprehensive controls and guidance on current and emerging information
security topics." Enterprises around the world use the Standard
and related tools and services to:

  • Securely adopt new and emerging technologies by managing
    their associated risks.
  • Respond to rapidly evolving threats, using current information to
    increase cyber resilience.
  • Exploit business
    opportunities while not exceeding the enterprise’s "risk appetite."
  • Increase confidence in the enterprise’s ability to meet legal, regulatory, and contractual obligations.
  • Prepare for and manage major incidents that
    can have a significant impact on the enterprise.

A product of the Information Security Forum (ISF), the 2018 Standard
is available free of charge to ISF members and may be purchased by

The Standard is updated on a biennial basis, owing to the rapid emergence and
evolution of today’s cyber threats.

Recent Updates

The 2016 update provided systematic coverage of four IT life cycles that often require significant information security

  1. Employment life cycle
    – Recruitment, induction, development, retention of employees and termination of their employment.
  2. Information life cycle – Creation, processing, transmission, storage, and destruction of all types of information (electronic, printed, or spoken), including confidential or mission-critical information.
  3. Hardware life cycle – Acquisition (purchase or lease), maintenance, and disposal of physical equipment and devices.
  4. System development life cycle
    – Mainly focused on the design and development of critical business applications but applicable to all types of system development (e.g., for IT infrastructure).

The 2018 update provides enhanced coverage of the following:

  1. Agile system development
  2. Alignment of information risk with operational risk
  3. Collaboration platforms
  4. Industrial control systems
  5. Information privacy
  6. Threat intelligence

Legal/Regulatory Compliance

The Standard
helps enterprises comply with prominent security and
privacy regimens, specifically:

  • ISO/IEC 27002:2013
  • NIST Cybersecurity
  • Center for Internet
    Security (CIS) Top 20 Critical Security Controls
  • COBIT 5 for Information Security

The Standard & Risk Management

According to Steve Durbin, managing director of the Information Security
Forum, "Managing risk is vital for organizations to deliver their strategies,
initiatives and goals. Consequently, information risk management is relevant
only if it enables the organization to achieve these objectives, ensuring it is
well positioned to succeed and is resilient to unexpected events, such as those
caused by sophisticated cyber attacks.

"Effective implementation depends on strong information risk assessment, so
that controls described in The Standard are applied in line with risk. The best practices defined in The Standard will typically be
incorporated into an organization’s information security policy, business
processes, environments and applications, and should be of great interest and
relevance to a range of individuals within the organization as well as external

Information Security Forum

Founded in 1989, the Information Security Forum (ISF) is an
independent, not-for-profit organization with a membership comprising
many of the world’s leading organizations. The ISF is "dedicated
to investigating, clarifying, and resolving key issues in cyber,
information security and risk management and developing best practice
methodologies, processes, and solutions that meet the business needs of
its members.
" A truly inclusive group, the ISF boasts members from the following industry sectors:

  • Air and transport
  • Banking, financial services, and insurance
  • Chemicals, healthcare, and manufacturing
  • Government agencies
  • Media, postal and telecommunications, and education
  • Retail, lottery, and hospitality
  • Power, energy, and mineral resources
  • IT consultancy and professional services


[return to top of report]

Great Expectations

The Standard of Good Practice for Information Security is another in
a long line of "comprehensive" security standards, including
those developed and promoted by the International Organization for Standardization (ISO)
and the US National Institute of Standards and Technology (NIST). Since the ISF acknowledges
that many of its members are also adherents to other standards, especially ISO
27001 and 27002, enterprise officials are expected to comply with
multiple "comprehensive" standards. Such great expectations can
leave chief security officers (CSOs) exposed to criticism
if a security incident occurs and all relevant recommendations – from all
relevant standards – have not
been implemented.

Physical Security Concerns

Not surprisingly, most modern security standards focus on
information security. While these standards normally provide for the
physical security of information and information systems, they sometimes fall
short in terms of overall physical security concerns, failing, for example, to
address issues relevant to the security of:

  • Manufacturing facilities
  • Product distribution centers
  • Research and development laboratories
  • Transportation assets

Non-Electronic Information Security

In addition to physical security, many information
security standards omit or offer token consideration of
non-electronic information security – the protection of information
preserved in paper or hardcopy form. Thus, information security
best practices should be supplemented with protocols and procedures for:

  • Converting paper into digital information (through document
    imaging or other means)
  • Securely storing and destroying (as appropriate) hardcopy records

Signs of Surrender

While enterprise security officials are showing a
renewed interest in information security standards, their business
counterparts are pursuing information management strategies that effectively decrease, rather than increase, information security
levels. These strategies include:

  • Outsourcing, where critical information systems are run from third-party data
    centers, an early manifestation of infrastructure-as-a-service (IaaS).
  • Managed Security
    , where the responsibility for enterprise information
    security is delegated to a managed security services provider (MSSP).
  • Cloud Computing, where the provisioning of customer relationship management (CRM)
    and other major applications is moved "off-premise" to a cloud
    services provider – a delivery vehicle known as software-as-a-service
  • Consumer Device Connections, where consumer
    devices like iPads and smartphones are authorized to connect to the
    enterprise network, even though these devices complicate – and, in some cases,
    compromise – endpoint security.

Collectively, these trends tend to diminish information
security, even as they improve business operations. In this
environment, adopting – and implementing – strong information security
standards is vital to safeguarding enterprise information and
information systems.


[return to top

of report]

Select a
Comprehensive Security Standard

As ISF managing director Steve Durbin states, “Transparent governance and clear lines of responsibility are essential in this day and age. Organizations will be required to identify the steps they have taken to protect data
– its gathering, access, storage and disposal – and also to explain the rationale behind their decisions."

To affect maximum security, enterprise officials should select a recognized security
standard, like:

  • The Standard of Good Practice for Information Security
  • The Control Objectives for Information and related Technology
    (COBIT) 5
  • ISO 27001/2

The choice is normally governed by a variety of factors,

  • Business needs
    Enterprises, for example, with a large mobile population should
    select a standard which boasts a robust mobile and wireless security
  • Regulatory requirements
    Enterprises, for example, seeking to comply with Sarbanes-Oxley should probably
    choose COBIT, which is both a security and information technology
    governance standard.
  • Industry standards
    Enterprises within a particular industry sector, like Finance or
    Manufacturing, should probably embrace the same standard (or
    standards) as their industry partners.
  • Geographic boundaries – Enterprises operating
    within Europe should probably adopt ISO 27001/2, which are well-established

With respect to regulatory requirements, enterprise officials should always
be cognizant of recently-enacted statutes, in particular, GDPR and CCPA.

GDPR – As of May 25, 2018, any organization responsible for
collecting, processing, or storing data belonging to the citizens of the
European Union must comply with the EU General Data Protection Regulation (GDPR).

Analyst Andrada Coos cautions that "companies that process EU data subjects’
personal information have very clear obligations as data controllers and
processors. Prior authorization for processing is needed from data controllers
and can only be done as per the documented instructions provided by them.
Confidentiality is imposed on personnel processing sensitive data. Clear
measures to protect personal data must be adopted and sub-processors cannot be
engaged without the explicit authorization of data controllers.

"The GDPR also requires a very clear and specific statement of consent from
EU data subjects. Customers must give explicit consent to concisely formulated
requests. They also have the right to revoke that consent at any time and
request that their data be destroyed by the data controller and, implicitly, the
data processor."2

CCPA – Commencing
January 1, 2020, the California Consumer Privacy Act (CCPA) of 2018 grants consumers various
increased rights with regard to personal information held by a business. Among
the expanded rights are the right to request a business
to delete any personal information that is collected by the business, and the
business is required to comply with such a verifiable consumer request unless
the data is necessary to carry out specified acts.

Develop a Phased
Implementation Plan 

Most IT/security standards
are, of necessity, wide-ranging and complex, often consisting of dozens or hundreds of discrete controls spread over
multiple categories. The only way to implement
such elaborate protocols is incrementally, i.e., in phases.

In selecting what to implement – and when – business should conduct a
security risk assessment, identifying those areas that are most vulnerable
to attack
(like computer networks), and focusing on the relevant risk reduction
strategies, such as implementing a patch management program.

Implementing a security standard (or standards)
takes money (for software, hardware, training, etc.). Be sure to
budget for standards-related activities to guarantee adequate funding.

Provide for Frequent Updates

The Standard of Good Practice
for Information Security is updated regularly. While frequent
updates ensure currency, they also impose a burden on security
departments to comply with the latest guidance. As a practical
matter, one member of the security team should be assigned the
responsibility for determining:

  • What’s different between successive generations of the Standard.
  • What needs to be done in terms of
    implementing new or improved security policies, protocols, and procedures.


1 "Information Security Forum Releases Standard of Good Practice 2018." DARK
Reading | Informa PLC. October 3, 2018.

2 Andrada Coos. "Shadow IT in the Age of GDPR Compliance."
Endpoint Protector. February 15, 2018.

[return to top of report]

About the Author

[return to top of report]

James G. Barr is a leading business continuity analyst and

business writer with more than 25 years’ IT experience. A member of

"Who’s Who in Finance and Industry," Mr. Barr has designed,

developed, and deployed business continuity plans for a number of Fortune

500 firms. He is the author of several books, including How to

Succeed in Business BY Really Trying, a member of Faulkner’s Advisory

Panel, and contributing editor for Faulkner’s Security Management

Practices. Mr. Barr can be reached via email at

[return to top of report]