Information Security Forum
||This article includes a list of references, but its sources remain unclear because it has insufficient inline citations. (February 2014) (Learn how and when to remove this template message)|
|Industry||information security best practice research|
|Founded||London, United Kingdom (1989)|
The Information Security Forum (ISF) is an independent, not-for-profit association of organizations from around the world. It is dedicated to investigating, clarifying and resolving key issues in information security, and developing best practice methodologies, processes and solutions that meet the business needs of its members.
Founded in 1989 (originally as the European Security Forum), the ISF has steadily expanded its mission and membership. It now includes hundreds of members with groups of members organized into regional chapters. The ISF is headquartered in London, United Kingdom, and has staff based in several cities around the world.
In addition to conducting a comprehensive benchmarking program, the ISF runs regional chapter meetings, implementation training workshops, and a large annual conference (called the 'World Congress'), as well as developing and publishing research reports and tools which address a wide variety of subjects. Its research agenda is driven entirely by its member organizations, who govern all ISF activities.
The ISF delivers a range of content, activities, and tools. The ISF is a paid membership organization: all its products and service are included in the membership fee. From time to time, the ISF makes research documents and other papers available to non-members.
The Standard of Good Practice for Information Security
The ISF released its 2014 Standard of Good Practice for Information Security in June 2014. It is available to ISF members and non-members can purchase copies. The 2014 Standard represents an update on the 2013 release of the Standard, and builds upon the previous release to include the most up-to-date controls, approaches and thought leadership in information security.
The standard is a business-focussed, practical and comprehensive guide available for identifying and managing information security risks in organizations.
The 2014 standard covers current information security 'hot topics' such as consumer devices, critical infrastructure, cybercrime attacks, office equipment, spreadsheets and databases and cloud computing. It can be used to build a comprehensive and effective information security management system. In addition to covering information security-related standards such as COBIT, NIST SP 800-53 and PCI DSS, the 2014 standard covers ISO/IEC 27001/2, as well as PCI DSS 3.0 and the NIST cyber security framework.
Based on member input, the ISF selects a number of topics for research in a given year. The research includes interviewing member and non-member organizations and thought leaders, academic researchers, and other key individuals, as well as examining a range of approaches to the issue. The resulting reports typically go into depth describing the issue generally, outlining the key information security issues to be considered, and proposing a process to address the issue, based on best practices.
Methodologies and tools
For broad, fundamental areas, such as information risk assessment or return-on-investment calculations, the ISF develops comprehensive methodologies that formalize the approaches to these issues. Supporting the methodology, the ISF supplies web and spreadsheet-based tools to automate these functions.
The ISF's Benchmark (formerly called the 'Information Security Status Survey') has a well-established pedigree – harnessing the collective input of hundreds of the world's leading organizations for nearly 25 years. Organizations can participate in the Benchmark service at any time and can use the web based tool to assess their security performance across a range of different environments, compare their security strengths and weaknesses against other organizations, and measure their performance against the ISF's 2013 Standard of Good Practice, ISO/IEC 27002, and COBIT version 5 for information security. The Benchmark provides a variety of data export functionality that can be used for analyzing and presenting data for management reporting and the creation of security improvement programs. It is updated on a biennial basis to align with the latest thinking in information security and provide the ISF Members with improved user experiences and added value.
Regional chapter meetings and other activities provide for face-to-face networking among individuals from ISF member organizations. The ISF encourages direct member-to-member contact to address individual questions and to strengthen relationships. Chapter meetings and other activities are conducted around the world and address local issues and language/cultural dimensions.
Annual World Congress
The ISF's annual global conference, the 'World Congress', takes place in a different city each year. The 2014 conference will take place in November in Copenhagen, Denmark. The typically three-day conference includes plenary sessions by leaders in information security, personal development, practical workshops conducted by member organizations, an exhibition and a substantial evening social program. The event focuses on information security practitioners; the participation of vendors is limited to an exhibition area and a few invited speakers. The conference is preceded by in-depth workshops.
Web portal (ISF Live)
The ISF's extranet portal, ISF Live, enables members to directly access all ISF materials, including member presentations, messaging forums, contact information, webcasts, online tools, and other data for member use.
The members of the ISF, through the regional chapters, elect a Council to develop its work program and generally to represent member interests. The Council elects an 'Executive' group which is responsible for financial and strategic objectives.
See Category:Computer security for a list of all computing and information-security related articles.
- Standard of Good Practice
- Information Systems Audit and Control Association
- International Organization for Standardization
- SANS Institute