You are on page 1of 2

What next?

The ISFs Standard of Good Prac ce for Informa on Security (the Standard), Benchmark, ISF
Risk Manager and Cyber Resilience Framework Diagnos c Tools supported by the wide
range of ISF materials are all available from the ISF website.

ISF reports and tools provide in-depth best prac ce guidance that helps business leaders
and informa on security prac oners to combat the escala ng security threats from
ac vi es such as cybercrime, hack vism, insider crime and espionage by:

describing the similari es and connec ons between cybersecurity and informa on
explaining cyberspace, cybersecurity, the nature of the cyber threat and the concept of
cyber resilience
providing policy and standards-based advice and guidance through the annually updated
Standard of Good Pracce for Informaon Security (the Standard)
introducing the new ISF Benchmark Service which allows organiza ons to assess their
security controls and incidents across a range of dierent environments and ac vi es
using the ISF Risk Manager to analyze business informa on risk across your enterprise
and selec ng eec ve approaches for trea ng these risks
outlining prac cal steps organisa ons can take to customise and implement the ISFs
Cyber Resilience Framework.

Our research and tools are available at no cost to ISF Member companies. Non-Members are
able to purchase reports and use the ISF Benchmark Service and ISF Risk Manager.
Implementing the NIST
The ISF can provide you with the necessary support to carry out a cybersecurity assessment on
your organisa on through our Services to Assist. By using ISF tools, research and analyst support
services ISF Members are able to build a robust cyber resilience capability that is in alignment
Cybersecurity Framework
with the NIST Cybersecurity Framework and other industry standards.

The cyber threat to critical infrastructure continues to grow and represents one of
Contact the most serious national security challenges we must confront.
For more informa on, please contact: US President Barack Obama
Steve Durbin, Managing Director
US Tel: +1 (347) 767 6772 As cybersecurity increasingly becomes a na onal security issue, governments are taking a more ac ve role in defining responses to
UK Tel: +44 (0)20 3289 5884 cyber threats. In an ini a ve to respond to an execu ve order issued by President Obama, the US Na onal Ins tute of Standards and
UK Mobile: +44 (0)7785 953 800 Technology (NIST) has released the first version of its Framework for Improving Crical Infrastructure Cybersecurity.
Web: The framework comprises five Func ons of cybersecurity ac vity, with a strong focus on incident response. These Func ons are
further divided into Categories, which correspond to various domains of informa on security; and Subcategories, which express
various outcomes or control objec ves within these domains.
As a consequence, business execu ves are now asking Does our informa on security program align with the NIST Cybersecurity
About the ISF Framework? You want to answer that ques on, but where do you start? Members of the ISF are equipped to give a comprehensive
Founded in 1989, the Informa on Security Forum (ISF) is an independent, not-for-profit associa on of leading organiza ons from around the world. It is dedicated to inves ga ng, and accurate response.
clarifying and resolving key issues in cyber, informa on security and risk management by developing best prac ce methodologies, processes and solu ons that meet the business
needs of its Members. The ISF has created a mapping between the NIST Cybersecurity Framework and its own Standard of Good Pracce for Informaon
ISF Members benefit from harnessing and sharing in-depth knowledge and prac cal experience drawn from within their organiza ons and developed through an extensive research Security (the Standard) a respected resource that is already implemented by many global organisa ons. Members can use
and work programme. The ISF provides a confiden al forum and framework, which ensures that Members adopt leading-edge informa on security strategies and solu ons. And by the mapping to determine which of their current controls sa sfy the corresponding control objec ves in the NIST Cybersecurity
working together, Members avoid the major expenditure required to reach the same goals on their own.
Framework, and thus demonstrate their alignment with it.
Disclaimer Using the NIST Cybersecurity Framework together with the ISFs Standard of Good Prac ce and other informa on risk management
This document has been published to provide general informa on only. It is not intended to provide advice of any kind. Neither the Informa on Security Forum nor the Informa on tools will enable you to eec vely demonstrate to your stakeholders the progress you have made in building a robust cyber
Security Forum Limited accept any responsibility for the consequences of any use you make of the informa on contained in this document.
resilience approach.

Reference: ISF 14 NIST Copyright 2014 Information Security Forum Limited. All rights reserved. Classification: Public
The ISF Standard of Good Practice
your route to alignment with the NIST Cybersecurity Framework
The NIST Cybersecurity Framework organizes cybersecurity ac vi es into five Func ons, ISFs Standard of Good Pracce for Informaon Security (the Standard) provides a
which are further subdivided into a structured set of Categories and Subcategories which comprehensive control set which will enable you to meet the control objec ves set out in the
The NIST Cybersecurity Framework
are equivalent to control objec ves. Although the framework is voluntary and intended NIST Cybersecurity Framework. The Standard extends well beyond the topics defined in the The Standard of Good Practice
as guidance rather than a formal standard, one of its development goals was to provide framework to include coverage of essen al and emerging topics such as informa on security for Information Security
security prac oners with a common language for cybersecurity. This common language governance, supply chain management, data privacy, cloud security, informa on security
makes use of familiar topics in informa on security, and clearly-expressed control audit, and mobile device security. ne
objec ves within those topics.
Features of the ISFs Standard of Good Pracce
The ISF has created a mapping between the NIST Cybersecurity Framework and its own
Standard of Good Pracce for Informaon Security (the Standard). Members can use A comprehensive control set covering all topics of informa on security
the mapping to determine which of their current controls sa sfy the corresponding A twenty-year history of frequent updates including the latest emerging topics and issues
control objec ves in the NIST Cybersecurity Framework, and thus demonstrate their Based on real-world experiences of Members as well as other interna onal standards
alignment with it. Scalable, so it can be implemented by organiza ons of all sizes
Prac cal control statements providing specific guidance on what to do Comprehensive
e coverage
coverage of:
2014 Standard of Good Practice for Information Security:
The ISF Standard of Good Pracce for Informaon Security mapping Categories and Topics List

to the NIST Cybersecurity Framework Benefits of using the ISFs Standard of Good Pracce to implement the NIST Cybersecurity
Type Type Type

SG1 Security Governance Approach CF7 System Management CF15 Electronic Communications
SG1.1 Security Governance Framework F CF7.1 Computer and Network Installations F CF15.1 Email F

SG1.2 Security Direction F CF7.2 6HUYHU&RQguration F CF15.2 Instant Messaging S

SG2 Security Governance Components CF7.3 Virtual Servers S CF16 External Supplier Management
CF7.4 Network Storage Systems S

SG2.1 Information Security Strategy S CF16.1 External Supplier Management Process F

SG2.2 Stakeholder Value Delivery S CF7.5 Backup F CF16.2 Hardware/Software Acquisition F

Information Security Assurance CF7.6 Change Management F CF16.3 Outsourcing S

SG2.3 F
Programme CF7.7 Service Level Agreements F

The Cybersecurity Framework from the US Natio

ational Institute for Standards and Technology
CF16.4 Cloud Computing Policy F

CF8 Technical Security Infrastructure CF16.5 Cloud Service Contracts F

CF8.1 Security Architecture S CF17 System Development Management

Cover age by
by Top
ics iin
n the ISF Standard of Good Practice
Pr for Information Security
SR1 Information Risk Assessment CF8.2 Identity and Access Management S CF17.1 System Development Methodology F
SR1.1 Managing Information Risk Assessment F CF8.3 Critical Infrastructure S CF17.2 System Development Environments F
Information Risk Assessment CF8.4 Cryptographic Solutions S
SR1.2 F CF17.3 Quality Assurance F
CF8.5 Cryptographic Key Management S
SR1.3 &RQdentiality Requirements F CF18 Systems Development Lifecycle

You can rely on a well-established, robust control set with sucient detail to address the
CF8.6 Public Key Infrastructure S
SR1.4 Integrity Requirements F CF18.1 Specications of Requirements F
egories off the
the NIST
NIST Cybersecurity
Cybe rsecurity
ecurity Framework.
Framework. The
The Subcategories
egories off the
the Framework
mework can be unde
ood as
as control vves.
es. The
T references in the ISF Standard of Func on
on Category Subcategory ISF Standard of Good Prac cce
e References CF8.7 Information Leakage Protection S
pic names in the Standard of Good Pra ce. These topics provide control guidance which will help members achieve the corresponding control objec ve,, and thus demonstrate
dem their SR1.5 Availability Requirements F CF18.2 System Design F
Con nued) PR.IP-9: Response plans (Incident Response and Business Con nuity) and recovery CF20.1 Business Con nuity Strategy, CF20.2 Business Con nuity Programme, CF20.3 Resilience, CF20.4 Crisis CF8.8 Digital Rights Management S
ype should be considered the primary references for each subcategory; other Topics may include supplemental material relevant to the subcategory. While
hile not
no every SR1.6 Information Risk Treatment F CF18.3 System Build F
CF9 Network Management
SR2 Compliance CF18.4 Systems Testing F
CF9.1 1HWZRUN'HYLFH&RQguration F CF18.5 Security Testing F
SR2.1 Legal and Regulatory Compliance F

control objec ves in the framework

CF9.2 Physical Network Management F CF18.6 System Promotion Criteria F
SR2.2 Information Privacy F
CF9.3 External Network Connections F CF18.7 Installation Process F
CF9.4 Firewalls F
CONTROL FRAMEWORK Type CF18.8 Post-implementation Review F
CF9.5 Remote Maintenance F
CF19 Physical and Environmental Security
CF1 Security Policy and Organisation
CF9.6 Wireless Access F
CF19.1 Physical Protection F
CF1.1 Information Security Policy F
CF9.7 Voice over IP (VoIP) Networks S

The Standard of Good Prac ce controls cover not just technical topics, but includes
CF19.2 Power Supplies F
CF1.2 Information Security Function F
CF9.8 Telephony and Conferencing S
CF19.3 Hazard Protection F
CF2 Human Resource Security
CF10 Threat and Vulnerability Management CF20 Business Continuity
CF2.1 Staff Agreements F
System and Software Vulnerability CF20.1 Business Continuity Strategy S
CF10.1 F
CF2.2 Security Awareness Programme F Management
CF20.2 Business Continuity Programme S
CF2.3 Security Awareness Messages F CF10.2 Malware Awareness F
CF20.3 Resilience S
CF2.4 Security Education/Training F CF10.3 Malware Protection Software F

opera onal and governance controls necessary to maintain a resilient informa on

CF20.4 Crisis Management F
CF2.5 Roles and Responsibilities F CF10.4 Security Event Logging F
CF20.5 Business Continuity Planning F
CF10.5 System/Network Monitoring F
CF3 Asset Management
CF20.6 Business Continuity Arrangements F
CF10.6 Intrusion Detection F
CF3.1 Information Classication S
CF20.7 Business Continuity Testing F
CF3.2 Document Management S CF11 Incident Management

CF3.3 Sensitive Physical Information F Information Security Incident

CF11.1 F

security program
CF3.4 Asset Register F
CF11.2 Cybercrime Attacks S IMPROVEMENT
CF4 Business Applications CF11.3 Emergency Fixes F
SI1 Security Audit
CF4.1 Application Protection F CF11.4 Forensic Investigations S
SI1.1 Security Audit Management F
CF4.2 Browser-based Application Protection F
CF12 Local Environments SI1.2 Security Audit Process Planning F
CF4.3 Information Validation F
CF12.1 /RFDO(QYLURQPHQW3URle S SI1.3 Security Audit Process Fieldwork F

You can assess your exis ng security arrangements against the Standard of Good Prac ce
CF5 Customer Access CF12.2 Local Security Co-ordination S SI1.4 Security Audit Process Reporting F
CF5.1 Customer Access Arrangements F CF12.3 Ofce Equipment S SI1.5 Security Audit Process Monitoring F
CF5.2 Customer Contracts S
CF13 Desktop Applications SI2 Security Performance
CF5.3 Customer Connections F
CF13.1 Inventory of Desktop Applications S SI2.1 Security Monitoring F
CF6 Access Management CF13.2 Protection of Spreadsheets S SI2.2 Information Risk Reporting S
CF6.1 Access Control F

controls to determine how well you are currently sa sfying the control objec ves in
CF13.3 Protection of Databases S Monitoring Information Security
SI2.3 S
CF6.2 User Authorisation F Compliance
CF13.4 Desktop Application Development S
CF6.3 Access Control Mechanisms F
CF14 Mobile Computing
CF6.4 Access Control Mechanisms Password S
CF14.1 Remote Environments S
CF6.5 Access Control Mechanisms Token S Warning
CF14.2 0RELOH'HYLFH&RQguration F This document is confidential and is intended for the attention of and use by either
organisations that are Members of the Information Security Forum (ISF) or by persons
CF6.6 Access Control Mechanisms Biometric S who have purchased it from the ISF direct. If you are not a Member of the ISF or
CF14.3 Mobile Device Connectivity F

the framework
have received this document in error, please destroy it or contact the ISF on info@
CF6.7 Sign-on Process F Any storage or use of this document by organisations which are not
CF14.4 Portable Storage Devices F Members of the ISF or who have not validly acquired the report directly from the ISF is
not permitted and strictly prohibited. This document has been produced with care and to
CF14.5 Consumer Devices and BYOD F the best of our ability. However, both the Information Security Forum and the Information
Security Forum Limited accept no responsibility for any problems or incidents arising
KEY F Fundamental topic S Specialised topic from its use.
Classification: Restricted to ISF Members, ISF Service Providers and non-Members
who have acquired the document from the ISF.

Reference: ISF 14 06 03 Copyright 2014 Information Security Forum Limited. All rights reserved.

Additional ISF solutions

ability Management, CF18.7 Installa o
n Process on SSecurity Funcc on, CF11.1

Func on Category Subcategory ISF Standard of Good Prac ce References ernal Supplier Management Process
About the ISF
that meet the business needs of its Membe
ISF Member
methodollogies, processes
processses and solu o

ng-edge info
leading o

on security
strategies and solu


Asset Management (ID.AM): The data, ID.AM-1: Physical devices and systems within the organiz on are inventoried CF3.4 Asset Register, CF7.1 Computer and Network Installa o&D&Kce Equipment, This document has been published to p ained in this
this document.

Research Program and ISF Accelerator Tools

Reference: ISF 14 MKG NIST/STANDARD Copyright 2014 Information Security Forum Limited. All rights reserved. Classi

personnel, devices, systems, and fa es that CF20.5 Business Con nuity Planning
enable the organiz on to achieve business
ID ware pla o ons within the organiz on are inventoried CF3.4 Asset Register, CF7.6 Change Management, CF13.1 Inventor ons, CF20.5 Business Con nuity
purposes are iden ed and managed consistent
with their r ve importance to business
ves and the organiz ons risk strategy. ID.AM-3: Organiz onal communica on and dataow is mapped CF3.1 Informa on Classic
Network Management
on, CF8.7 Info on Leakage Protec on, CF8.8 Digital Rights Management, CF9.2 Physical Organiza ons use the ISFs extensive Research Program and Accelerator Tools to improve
I ID.AM-4: External info on systems are catalogued CF16.1 External Supplier Management Process, CF16.3 Outsourcing resilience and compe veness as the business environment con nues to change.
D ID.AM-5: Resources (e.g., hardware, devices, data, and so ware) are
based on their classic on, cri cality, and business value
zed CF3.1 Informa on Classic on, CF3.4 Asset Register, SR1.3 Conden ality Requirements, SR1.4 Integrity Requirements,
SR1.5 Availability Requirements Topics covered include: Cyber Security Strategies, Engaging with The Board, Securing the
E ID.AM-6: Cybersecurity roles and re es f re workforce and third-
party stakeholders (e.g., suppliers, customers, partners) are established
CF2.5 Roles and Responsibili es, CF2.1 St Agreements
Supply Chain, Informaon Security Governance, Managing BYOD Risk, Cloud, Big Data
Business Environment (ID.BE): The
organiz ons mission, objec ves, stakeholders,
ID.BE-1: The organiz
ID.BE-2: The organiz on
ons r ed and communicated
cal infrastructure and its industry sector is
CF16.1 External Supplier Mangement Process, CF16.2 Hardware / So ware Acquisi on, CF16.3 Outsourcing
SG2.1 Informa on Security Strategy, SR2.1 Legal and Regulatory Compliance, cal Infrastructure
and the Threat Horizon series.
v es are understood and priori zed;
iden ed and communicated
T this informa on is used to inform cybersecurity
roles, r es, and risk management ID.BE- es for organiz
and communicated
o ves, and ac v es are established SG1.2 Security Dir on, SG2.1 Info on Security Strategy, SG2.2 Stakeholder Value Delivery
cal func ons for delivery of cri cal services are CF12.1 Local Environment Prle, CF1.2 Informa on Security Func on, CF2.5 Roles and R
Architecture cal Infrastructure
es, CF8.1 Security

F ID.BE-5: Resilience requirements to support delivery of cri cal services are

CF20.1 Business Con nuity Strategy, CF20.2 Business Con nuity Programme, CF20.3 Resilience Informaon Risk Analysis Methodology (IRAM) Benchmark
Y Governance (ID.GV): The policies, procedures,
and processes to manage and monitor
ID.GV-1: Organiz onal info on security policy is established CF1.1 Informa on Security Policy
ISFs Informa on Risk Analysis Methodology (IRAM) The ISF Benchmark tool provides an objec ve assessment
the organiz ons regulatory, legal, risk, ID.GV-2: Informa on security roles & r es are coordinated and aligned SG1.2 Security Dir on, CF1.2 Informa on Security Func on, CF2.5 Roles and Re es, SG1.1 Security
with internal roles and external partners Governance Framework
environmental, and oper onal requirements
are understood and inform the management of ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy SR2.1 Legal and Regulatory Compliance, SR2.2 Informa on Privacy, SI2.3 Monitoring Info on Security Compliance
is a comprehensive risk management tool that your approach that enables you to measure the eec veness
cybersecurity risk. es oblig ons, are understood and managed
ID.GV-4: Governance and risk management processes address cybersecurity risks SG1.1 Security Governance Framework, SR1.1 Managing Informa on Risk Assessment, SG2.3 Info on Security
organiza on can use to evaluate threats and vulnerabili es, of your security investments, and compare your security
I Assurance Programme, SR1.2 Info on Risk Assessment Methodologies, SR1.3 Conden ality Requirements, SR1.4
Integrity Requirements, SR1.5 Availability Requirements, SR1.6 Informa on Risk Treatment, SI2.2 Info on Risk and priori ze and validate investments in posture against that of hundreds of other
Re ng
D Risk Assessment (ID.RA): The organiz on ID.RA-1: Asset vulner es are ed and documented SR1.1 Managing Informa on Risk Assessment, CF3.4 Asset Register, CF10.1 System and So ware Vulnerability informa on security ini a ves accordingly. organiza ons.
understands the cybersecurity risk to Management, SI2.2 Info on Risk Repor ng
organiz onal oper ons (including mission,
ons, image, or reput on), organiz onal
ID.RA-2: Threat and vulnerability info
forums and sources
on is received from informa on sharing SG2.3 Informa on Security Assurance Programme, SR1.1 Managing Info on Risk Assessment, SR1.2 Informa on-Risk
Assessment Methodologies, CF10.1 System and So ware Vulnerability Management
assets, and individuals.
ID.RA-3: Threats, both internal and external, are iden ed and documented SG2.3 Informa on Security Assurance Programme, SR1.1 Managing Info on Risk Assessment, SR1.2 Informa on-Risk
Assessment Methodologies
ID.RA-4: Poten al business impacts and likelihoods are ed SR1.3 Conden ality Requirements, SR1.4 Integrity Requirements, SR1.5 Availability Requirements

Information Security Forum Implementing the NIST Cybersecurity Framework Implementing the NIST Cybersecurity Framework Information Security Forum