Information Security Forum

{{Short description|Organization in the United Kingdom}}


{{Infobox company

| name = Information Security Forum

| logo = Simplelowrez.png

| foundation = London, United Kingdom (1989)

| industry = information security best practice research

| homepage = [http://www.securityforum.org/ SecurityForum.org]

}}

The Information Security Forum (ISF) is an independent information security body.

Activities and publications

The ISF delivers a range of content, activities, and tools. It is a paid membership organisation: all its products and services are included in the membership fee. From time to time, the ISF makes research documents and other papers available to non-members.

=Standard of Good Practice=

{{main|Standard of Good Practice for Information Security}}

The ISF released the updated Standard of Good Practice for Information Security in 2018. The 2018 version builds upon the 2016 release and includes updated controls, approaches, and developments in information security.

The standard is intended to help organisations manage information security risks.{{cite web |url=https://www.securityforum.org/tools/sogp/ |title=Information Security Forum : The Standard of Good Practice for Information Security |accessdate=2014-10-13 |url-status=dead |archiveurl=https://web.archive.org/web/20141018220906/https://www.securityforum.org/tools/sogp/ |archivedate=2014-10-18 }}

The 2016 standard covers current information security topics such as threat intelligence, cyber attack protection, and industrial control systems, and significantly enhances existing topics including Information Risk Assessment, Security Architecture and Enterprise Mobility Management. It can be used to build a framework for developing an information security management system. In addition to covering information security-related standards such as COBIT 5 for Information Security and the CIS Critical Security Controls for Effective Cyber Defense, the 2016 standard covers ISO/IEC 27002 as well as PCI DSS 3.1 and the NIST Cybersecurity Framework.

In 2014, Infosecurity Magazine reported that the ISF had mapped its Standard of Good Practice to the NIST Cybersecurity Framework, providing a reference point for organizations seeking to align with NIST control objectives. According to the article, the ISF standard also addresses additional topics such as information security governance, supply chain management, data privacy, and mobile device security, and is updated annually based on member feedback, benchmarking, and developments in global legislation and standards.{{Cite web |date=22 September 2014 |title=ISF Maps NIST's Cybersecurity Framework |url=https://www.infosecurity-magazine.com/news/isf-maps-nists-cybersecurity/ |access-date=16 April 2025 |website=Infosecurity Magazine}}

A 2013 report commissioned by the UK Department for Business, Innovation and Skills identified the ISF’s Standard of Good Practice for Information Security as a widely used cyber security standard. According to the report, it “covers the complete spectrum of information security arrangements that need to be made to keep the business risks associated with information systems within acceptable limits, and presents good practice in practical, clear statements”.{{Cite web |title=UK Cyber Security Standards: Research Report November 2013 |url=https://assets.publishing.service.gov.uk/media/5a7cead540f0b6629523c97f/bis-13-1294-uk-cyber-security-standards-research-report.pdf |access-date=16 April 2025 |website=U.K. Department for Business, Innovation and Skills}}

In a 2006 report, Carnegie Mellon University's Software Engineering Institute described the ISF as an international association of over 280 organizations that cooperate on practical research in information security. The report noted that the ISF’s Standard of Good Practice for Information Security is a guideline organized into six aspects: security management, critical business applications, computer installations, networks, systems development, and end user environment. Each aspect includes multiple areas and detailed practices.{{Cite web |date=October 2006 |title=Navigating the Security Practice Landscape |url=https://insights.sei.cmu.edu/documents/451/2013_019_001_299133.pdf |access-date=17 April 2025 |website=Software Engineering Institute, Carnegie Mellon University}}

=Research projects=

Based on member input, the ISF selects a number of topics for research in a given year. The research includes interviewing member and non-member organizations and thought leaders, academic researchers, and other key individuals, as well as examining a range of approaches to the issue. The resulting reports typically go into depth describing the issue generally, outlining the key information security issues to be considered, and proposing a process to address the issue, based on best practices.

In 2020, Security Magazine reported that the ISF had released a paper titled Deploying Open Source Software: Challenges and Rewards, aimed at helping security professionals understand the benefits and perceived challenges of using open source software (OSS). The article described OSS as “a core part of IT infrastructure and applications” and noted that the ISF's guidance helps organizations “set up a program of protective measures to effectively manage OSS.” The publication also highlighted that the rise of agile and DevOps methodologies has driven increased OSS adoption.{{Cite web |date=25 June 2020 |title=Information Security Forum explores the risks and challenges of open source software |url=https://www.securitymagazine.com/articles/92688-information-security-forum-explores-the-risks-and-challenges-of-open-source-software |access-date=16 April 2025 |website=Security Magazine}}

=Benchmarking program=

The ISF's Benchmark (formerly called the 'Information Security Status Survey') has been developed using input from member organisations over a 25-year period. Organizations can participate in the Benchmark service at any time and can use the web-based tool to assess their security performance across a range of different environments, compare their security strengths and weaknesses against other organizations, and measure their performance against the ISF's 2016 Standard of Good Practice, ISO/IEC 27002:2013, and COBIT version 5 for information security. The Benchmark provides a variety of data export functionality that can be used for analyzing and presenting data for management reporting and the creation of security improvement programs. It is updated on a biennial basis to align with the latest thinking in information security and to reflect changes in the information security landscape.

=Events=

The ISF's annual global conference, the 'World Congress', takes place in a different city each year. The 2017 conference took place in October in Cannes, France. The event features sessions on information security topics and organisational practices and includes presentations and discussions with information security professionals from various sectors. Over 1,000 global senior executives attend. The event includes a series of keynote presentations, workshops and networking sessions, and covers best practices and thought leadership.{{cite web |url=https://www.securityforum.org/events/isf-annual-world-congress/ |title=Information Security Forum : 25th ISF Annual World Congress |accessdate=2014-10-13 |url-status=dead |archiveurl=https://web.archive.org/web/20141018222734/https://www.securityforum.org/events/isf-annual-world-congress/ |archivedate=2014-10-18 }}

=Online portal=

The ISF's extranet portal, ISF Live, enables members to directly access all ISF materials, including member presentations, messaging forums, contact information, webcasts, online tools, and other data for member use.{{cite web |url=https://www.securityforum.org/membership/isflive/ |title=Information Security Forum : ISF Live: Collaborate, Contribute and Participate |accessdate=2014-10-13 |url-status=dead |archiveurl=https://web.archive.org/web/20141018220958/https://www.securityforum.org/membership/isflive/ |archivedate=2014-10-18 }}

References

{{reflist}}