|Title:||The ISF Standard of Good Practice|
|Source reference:||http://www.isfsecuritystandard.com/ (Note: this is a link to the ISF page where the standard can be freely downloaded after registration.)|
|Topic:||High level standard disseminating a series of good practice standards in the field of information security.|
|Direct / indirect relevance||Direct. While not legally binding, the text contains direct guidelines for sound information security practices.|
|Scope:||Publicly available standard, drafted and maintained based on biannual surveys by the Information Security Forum (ISF), an international non profit organisation focusing on monitoring, charting and best practices in information security. The standard can be voluntarily adhered to by any interested party.|
|Legal force:||Nonbinding private body standard.|
|Affected sectors:||Generic. The standard can be implemented in any sector confronted by information security. Specific areas of focus in the standard include Computer Installations, Networks (i.e. infrastructure), Critical Business Applications, Systems Development and Security Management.|
|Relevant provision(s):||Given its subject matter, the standard can be considered relevant in its entirety (247p.) to RM/RA practices.
The standard is built around the five main aspects, i.e. Computer Installations, Networks (i.e. infrastructure), Critical Business Applications, Systems Development and Security Management. A sixth aspect, User Environment, has been announced but not yet published at the time of writing.
Each of these is split into a series of areas. E.g. for Networks, areas include Network Management, Traffic Management, Network Operations, Local Security Management, and Voice Networks.
Finally, area is split into sections. E.g. for Traffic Management, sections include Configuring Network Devices, Firewalls, External Access and Wireless Access.
In each section, the standard indicates the key principles and objectives, followed by a series of specific rules in order to adhere to these.
|Relevance to RM/RA:||The standard is a commonly quoted source of good practices, and serves as a resource for the implementation of information security policies and as a yardstick for auditing such systems and/or the surrounding practices.|