informa
Products & Releases

Information Security Forum Releases Standard of Good Practice 2014

Annual Update Provides Guidance on the Implementation of the NIST Cybersecurity Framework

NEW YORK – September 16, 2014 ––  The Information Security Forum (ISF), a global, independent information security body considered the world's leading authority on cyber security and information risk management, has created a mapping between the US National Institute of Standards and Technology (NIST) Cybersecurity Framework and its annual Standard of Good Practice (The Standard) for IT security professionals. The Standard enables organizations to meet the control objectives set out in the NIST Cybersecurity Framework and extends well beyond the topics defined in the framework to include coverage of essential and emerging topics such as information security governance, supply chain management (SCM), data privacy, cloud security, information security audit and mobile device security.

“With the newly created mapping between the NIST Cybersecurity Framework and The Standard, ISF members can now determine which of their current controls satisfy the corresponding control objectives in the NIST Cybersecurity Framework, and thus demonstrate their alignment with it,” said Steve Durbin, Managing Director, ISF. “Using the NIST Cybersecurity Framework, together with The Standard and other information risk management tools, enables organizations of all sizes to effectively demonstrate to their stakeholders the progress they’ve made in building a robust cyber resilience approach.”

As cybersecurity increasingly becomes a national security issue, governments are taking a more active role in defining responses to cyber threats. In an initiative to respond to an executive order issued by President Barack Obama, NIST has released the first version of its Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity. The framework comprises five functions of cybersecurity activity, with a strong focus on incident response. These functions are further divided into categories, which correspond to various domains of information security; and subcategories, which express various outcomes or control objectives within these domains.

“Although the NIST Cybersecurity Framework is voluntary and intended for guidance rather than as a formal standard, one of its goals was to provide security practitioners with a common language for cybersecurity,” continued Durbin. “This common language makes use of familiar topics in information security and clearly-expressed control objectives within those topics.”

Updated annually to reflect the latest findings from the ISF’s research program, input from global member organizations, trends from the ISF Benchmark and major external developments including new legislation and other requirements, The Standard is used by many global organizations as their primary reference for information security. The Standard addresses the rapid pace at which threats and risks evolve and an organizations’ need to respond to escalating security threats from activities such as cybercrime, ‘hacktivism’, insiders and espionage. As a result, The Standard helps the ISF and its members maintain their position at the leading edge of good practice in information security.

Available at no cost to ISF member companies, The Standard can also be purchased by non-members. For more information on The Standard or any aspect of the ISF, please contact Steve Durbin at [email protected].

 

Recommended Reading: