Today I came across the The Standard of Good Practice for Information Security which has been produced by the Information Security Forum (ISF), an international association of over 260 leading organisations which fund and co-operate in the development of a practical research programme in information security.

The ISF’s work probably represents the most comprehensive and integrated set of material anywhere in the world in the area of information risk management.

The main aspects of security which are covered by the standard are :

• Security Management - Security management at enterprise level.
• Critical Business Applications – A business application that is critical to the success of the enterprise.
• Computer Installations - A computer installation that supports one or more business applications.
• Networks -A network that supports one or more business applications.
• Systems Development - A systems development unit/department or a particular systems development project.

An examination of the main sections of The Standard of Good Practice will show that it covers the entire spectrum of arrangements that need to be made to keep the business risks associated with information systems within acceptable limits. It is a major tool in improving the quality and efficiency of security controls applied by an organisation.

You can get it for free (reg. required) here