Standard of Good Practice

for Information Security 2020

The definitive guide for responding to rapidly evolving threats, technology
and compliance.
The Standard of Good Practice for Information Security 2020 (SOGP 2020) provides comprehensive controls and guidance on
current and emerging information security topics enabling organisations to respond to the rapid pace at which threats, technology
and risks evolve. Implementing the SOGP 2020 helps organisations to:
– 
be agile and exploit new opportunities, while ensuring that associated information risks are managed within acceptable levels
– 
respond to rapidly evolving threats, including sophisticated cyber security attacks, using threat intelligence to increase
cyber resilience
– 
identify how regulatory and compliance requirements can be best met.

The latest edition of the SOGP 2020 includes enhanced coverage of the following hot topics: securing cloud services, running a
Security Operations Centre, protecting mobile devices, security assurance programmes, asset management and managing suppliers.

The ISF SOGP, along with the ISF Benchmark; a comprehensive security control assessment tool, provide complete coverage of
the topics set out in ISO/IEC 27002:2013, NIST Cybersecurity Framework, CIS Top 20, PCI DSS and COBIT 5 for Information Security.
ISF STANDARD OF GOOD PRACTICE FOR INFORMATION SECURITY 2020
AN INFORMATION SECURITY ENABLER
The ISF Standard of Good Practice for Information Security 2020 is the leading authority on information security.
1 | RESILIENCE Its practical and trusted guidance helps organisations to extract relevant good practice to underpin any new 8 | INFORMATION SECURITY
The SOGP provides a ready-made framework that initiative in your information security programme. ASSESSMENT
can help an organisation improve their resilience
The SOGP provides complete coverage of the topics set out in ISO/IEC 27002:2013, NIST Cybersecurity Framework, CIS The SOGP is integrated with the Benchmark,
by preparing for, managing and responding to
providing detailed, mid-level and high-level
major incidents that may have a significant impact Top 20, PCI DSS and COBIT 5 for Information Security. assessments of the strength of information security
on business.
controls – either across an organisation, locally or
To achieve this, SOGP provides extensive coverage against your peers (e.g. organisations in the same
of information security topics including those ISF RESEARCH BENCHMARK RESULTS EXTERNAL DEVELOPMENTS sector or geographic region).
associated with security strategy, incident An extensive research programme The results of the ISF Benchmark, Analysis and coverage of information
Using the SOGP in conjunction with the Benchmark
management, business continuity, cyber resilience into hot topics in information security. which provide valuable insights into security-related standards and
provides meaningful and objective analysis of
and crisis management. Latest research reports include: how information security is applied frameworks, for example:
the true level of security across an organisation
‘on the ground’ in Member – NIST Cybersecurity Framework
Threat Horizon 2022: that can be reported to executive management
Digital and physical worlds collide organisations.
– ISO/IEC 27001/2:2013 and stakeholders.
– CIS Top 20
Using Cloud Service Securely:
Harnessing Core Controls – COBIT 5 for Information Security
Demystifying Artificial Intelligence
in Information Security
Briefing Paper
Human-Centred Security:
2 | RISK ASSESSMENT Addressing psychological vulnerabilities 7 | SECURITY ARRANGEMENTS
Briefing Paper
The SOGP’s current and comprehensive content, The SOGP is a complete and up-to-date reference
Securing the IoT:
when combined with the ISF Information Risk Taming the connected world guide for developing new security arrangements or
Assessment Methodology 2 (IRAM2), can underpin Briefing Paper improving existing ones as circumstances change
an organisation’s risk assessment activities, including (e.g. as a result of increasing cyber threats, use of
Building a Successful SOC: plus legal and regulatory changes,
identifying business impacts, profiling key threats and Detect earlier, respond faster cloud services or reliance on mobile devices in the
for example:
assessing vulnerabilities. workplace). Its straightforward and intuitive security
Establishing a Business-Focused – European Union General Data Topics enable the extraction of relevant good practice
Any risks identified can then be treated using controls Security Assurance Programme: Protection Regulation 2016/679
Confidence in controls to underpin any new initiative in an information
from the SOGP, enabling an organisation to gain (GDPR) security programme.
efficiency savings and deliver consistent protection in Blockchain and Security: MEMBER INPUT
Safety in numbers – PCI DSS
line with their organisational risk appetite. Input from ISF Members, including The SOGP can help an organisation to respond to
Briefing Paper
workshops, online collaboration on changing circumstances by accelerating information
Building Tomorrow’s Security Workforce ISF Live, face-to-face meetings, interviews security initiatives and avoiding potentially costly
Briefing Paper
and academy sessions incidents, operational impact and damage to brand
at the ISF Annual and reputation.
Delivering an Effective
Cyber Security Exercise World Congress.

3 | SUPPLY CHAIN 4 | COMPLIANCE 5 | POLICIES, STANDARDS 6 | AWARENESS

MANAGEMENT The SOGP is an ideal tool to help prepare for ISO/IEC AND PROCEDURES Adopting the SOGP reduces the need to develop
27001:2013 certification, and achieve compliance security awareness content from scratch. The
The SOGP offers an easy-to-implement solution to The SOGP can be adopted directly as the basis of a
with other relevant standards (e.g. PCI DSS). It is SOGP covers topics that can be used to improve
ensure that an organisation’s supply chain incorporates new or existing information security policy. It is an
aligned with key information security standards in the security awareness and achieve expected security
a risk-based approach to information security. It effective tool for identifying gaps and reduces the
ISO/IEC 27000 suite including security governance behaviour amongst many different audiences across
can also be used as the basis for understanding and time and effort required to produce information
and supplier relationships. an organisation, including business users, technical
assessing the level of information security implemented security policies, standards and procedures.
specialists, senior management, systems developers
by external suppliers, including cloud services providers. The SOGP covers hot topics not found in ISO/IEC 27002
The harmonisation of internal policies throughout an and IT service providers.
including securing cloud services, running a Security
Used in combination with ISF Supply Chain organisation helps deliver a consistent and balanced
Operations Centre or protecting mobile devices. It also addresses how information security should be
accelerator tools and the Benchmark, the SOGP level of information protection.
applied in local business environments that typically
enables an organisation to implement protection that
require tailored awareness activities.
is fully aligned with ISO/IEC 27036-3:2013 (covering
supplier relationships).
WHERE NEXT?
The Standard of Good Practice for Information Security 2020 (SOGP 2020) is the most comprehensive and
current source of information security controls. The SOGP is updated on a biennial basis to reflect the evolving
international landscape of information security-related legislation and standards.

These updates include the latest findings from the ISF’s research programme, input from our Member
organisations, trends from the ISF Benchmark and major external developments including new legislation,
changes in regulation and the releases of other information security-related standards.

Good practice described in the SOGP will typically be incorporated into an organisation’s business processes,
information security policy, risk management and compliance arrangements. Consequently, the SOGP is valuable
to a range of key individuals or external parties, including Chief Information Security Officers (or equivalent),
information security managers, risk management specialists, business managers, IT managers and technical
specialists, internal and external auditors, IT service providers and procurement and vendor management teams.

The ISF encourages collaboration on its research and tools. Members are invited to join The Standard of Good
Practice for Information Security community on ISF Live to share their experience.

Consultancy services from the ISF provide Members and non-Members with the opportunity to purchase
short-term, professional support activities to supplement the implementation of ISF products.

The report is available free of charge to ISF Members, and can be downloaded from the ISF Member
website www.isflive.org. Non-Members interested in purchasing the report should contact Steve Durbin
at [email protected].

CONTACT
For further information contact:
Steve Durbin, Managing Director
US: +1 (347) 767 6772
UK: +44 (0)20 3289 5884
UK Mobile: +44 (0)7785 953 800
[email protected]
securityforum.org

INFORMATION SECURITY FORUM (ISF)

Founded in 1989, the ISF is an independent, not-for-profit association of leading organisations from around the world. The organisation
is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best
practice methodologies, processes and solutions that meet the business needs of its Members.
ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and
developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that
Members adopt leading-edge information security strategies and solutions.
By working together, ISF Members avoid the major expenditure required to reach the same goals on their own.
Consultancy services are available to support the implementation of ISF Products.

DISCLAIMER
This document has been published to provide general information only. It is not intended to provide advice of any kind. Neither the
Information Security Forum nor the Information Security Forum Limited accept any responsibility for the consequences of any use you
make of the information contained in this document.

REFERENCE: ISF 20 03 10 | CLASSIFICATION: Public, no restrictions ©2020 Information Security Forum Limited