Information Security Forum
||This article includes a list of references, related reading or external links, but its sources remain unclear because it lacks inline citations. (February 2014)|
|Industry||information security best practice research|
|Founded||London, United Kingdom (1989)|
The Information Security Forum (ISF) is an independent, not-for-profit association of organizations from around the world. It is dedicated to investigating, clarifying and resolving key issues in information security, and developing best practice methodologies, processes and solutions that meet the business needs of its members.
Founded in 1989 (originally as the European Security Forum), the ISF has steadily expanded its mission and membership. It now includes hundreds of members with groups of members organized into regional chapters. The ISF is headquartered in London, United Kingdom, and has staff based in several cities around the world.
In addition to conducting a comprehensive benchmarking program, the ISF runs regional chapter meetings, implementation training workshops, and a large annual conference (called the 'World Congress'), as well as developing and publishing research reports and tools which address a wide variety of subjects. Its research agenda is driven entirely by its member organizations, who govern all ISF activities.
The ISF delivers a range of content, activities, and tools, summarized below.
The ISF is a paid membership organization: all its products and service are included in the membership fee. From time to time, the ISF makes research documents and other papers available to non-members.
The Standard of Good Practice for Information Security
The ISF released its 2012 Standard of Good Practice for Information Security (the 2012 Standard) in July 2012. It is available to ISF members and non-members can purchase copies. The 2012 Standard represents a partial update on the 2011 release of the Standard, and builds upon the previous release to include the most up-to-date controls, approaches and thought leadership in Information Security.
The Standard is a business-focussed, practical and comprehensive guide available for identifying and managing information security risks in organizations.
The 2012 Standard covers current information security 'hot topics' such as consumer devices, critical infrastructure, cybercrime attacks, office equipment, spreadsheets and databases and cloud computing. It can be used to build a comprehensive and effective information security management system. In addition to covering information security-related standards such as COBIT, NIST SP 800-53 and PCI DSS, the 2012 Standard covers ISO/IEC 27001/2, as well as two new draft standards: ISO 27014 (security governance) and 27036 (external suppliers).
The 2012 Standard will undergo a significant update in 2013 to align with changes and trends in Information Security, as well as to deliver greater value to the ISF's Members.
Based on member input, the ISF selects a number of topics for research in a given year. The research includes interviewing member and non-member organizations and thought leaders, academic researchers, and other key individuals, as well as examining the range of approaches to the issue. The resulting reports typically go into depth describing the issue generally, outlining the key information security issues to be considered, and proposing a process to address the issue, based on best practices.
Methodologies and tools
For broad, fundamental areas, such as information risk assessment or return-on-investment calculations, the ISF develops comprehensive methodologies that formalize the approaches to these issues. Supporting the methodology, the ISF supplies Web-based and spreadsheet-based tools to automate these functions.
The ISF's Continuous Benchmarking tools (formerly called the 'Information Security Status Survey') have a well-established pedigree – harnessing the collective input of hundreds of the world's leading organizations for nearly 20 years. Organizations can participate in the Continuous Benchmarking service at any time and can use the tool to: assess their security performance across a range of different environments; compare their security status against other organisations; and measure their performance against the ISF's 2011 Standard of Good Practice, ISO/IEC 27002, and COBIT version 4.1.
Regional chapter meetings and other activities provide for face-to-face networking among individuals from ISF member organizations. The ISF encourages direct member-to-member contact to address individual questions and to strengthen relationships. Chapter meetings and other activities are conducted around the world and address local issues and language/cultural dimensions.
Annual World Congress
The ISF's annual global conference, the 'World Congress', takes place in a different city each year. The 2013 conference will take place in November in Paris, France. The typically three-day conference includes plenary sessions by leaders in information security, personal development, practical workshops conducted by member organizations, an exhibition and a substantial evening social program. The event focuses on information security practitioners; the participation of vendors is limited to an exhibition area and a few invited speakers. The conference is preceded by in-depth workshops.
Web portal (MX)
The ISF's extranet portal, 'Member Exchange' (MX), enables members to directly access all ISF materials, including member presentations, and also includes messaging forums, contact information, webcasts, on-line tools, and other data for member use.
The members of the ISF, through the regional chapters, elect a Council to develop its work program and generally to represent member interests. The Council elects an 'Executive' group which is responsible for financial and strategic objectives.
See Category:Computer security for a list of all computing and information-security related articles.
- Standard of Good Practice
- Information Systems Audit and Control Association
- International Organization for Standardization
- SANS Institute