Quiz Entry - updated: 2026.06.04
What is the ISF Standard of Good Practice for Information Security?
A business-focused guide for identifying and managing information security risks, distilled from the experience of 260+ large global organizations.
Published by the Information Security Forum (ISF) — a member-funded, independent association of (mostly large) organizations.
Key characteristics:
- Business-focused: written from the perspective of managing business risk, not technical checklists
- Based on the collective practice of over 260 large, internationally active member organizations — peer experience rather than government mandate
- Incorporates other standards: aligned with COBIT, PCI DSS, ISO 27001/27002, SOX, etc., so it can serve as an umbrella
- Can serve as the foundation for building an ISMS — an alternative or complement to ISO 27001
Tip: Position it mentally: ISO 27001 = certifiable requirements; NIST CSF = free public framework; ISF SoGP = members' best-practice playbook. Companies often use SoGP internally for depth while certifying against ISO 27001 for the market signal.