Joining forces to support the security profession

ISF, (ISC)² and ISACA have come together and released a set of 12 independent, non-proprietary security principles

The principles provide advice to security professionals to help govern their behaviour, objectives, approach and activities in order to promote good practice in information security.

Working Together

ISF and (ISC)², together with ISACA, have worked closely together over the past 12 months to create these principles for two important reasons. First, to promote good practice guidelines for information security professionals worldwide who may not be affiliated with any professional organisation. Second, to offer clear, practical advice to all professionals on how information security can best support business objectives agreed upon by key players in the security profession.

There are other security standards and frameworks around, like SOGP, COBIT and ISO27002, which are aimed at organisations. As industry bodies representing our members, however, we felt there was a need for something akin to a code of conduct for individuals to adopt. The business environment is changing all the time, while the information security profession is still not fully mature and has traditionally had a bias toward technology. As a result, we all need to be much more risk focused when it comes to rapidly evolving threats.

The role of information security professionals is constantly evolving too. For many years security was not a priority, but it has gradually made its way up the corporate agenda. We believe it is the responsibility of the entire business, not just security practitioners, to be vigilant and responsive.

Secret of security success

Today, the success of security within organisations – both large and small – is highly dependent upon how closely aligned security is with the business. These principles are designed to be accessible to everyone working in information security, whatever their level, qualification or affiliation. This is what makes them so relevant and unique.

Security professionals now have a common framework for truly risk-based security management. Plus, we believe they will become a real asset to businesses, which will be able to refer to them as pillars of ‘good business practice’.


Importantly, they will also help information security professionals convince management of their strategic significance in managing business risk and to continue to enhance the quality and visibility of the information security profession throughout the world.

Even though best practice guidelines are made with good intentions, they can sometimes be forgotten. Despite this, they can have a tremendous impact on organisations, not to mention people new to the security profession.

This set of principles also complements other guidelines and models provided by each of the individual security organisations, including (ISC)²’s own professional Code of Ethics, which is intended to give assured reliance on the character, ability, strength or truth of a fellow (ISC)² member, and which provides a suggested framework for the security management of an organisation.

The principles also complement the ISF’s Guidelines for Information Security, a high-level framework comprising 21 statements and objectives covering the full spectrum of information security, which provide the basis for implementing information security across an organisation. Finally, they support ISACA’s Business Model for Information Security (BMIS), which provides an approach for describing the information security ecosystem and a common language for information security and business management to improve information protection.

12 security principles

The principles for information security practitioners are outlined under three main categories: support the business; defend the business; and promote responsible security behaviour. Each principle has an objective and detailed description.

Available as a poster and downloadable from the ISF, (ISC)² and ISACA websites, the principles are aimed at all individuals working within the information security community, including those responsible for developing, supplying and managing security systems, and those influencing legal or regulatory requirements for security and others educating tomorrow’s workforce.

Jason Creasey is global alliances leader, Information Security Forum (ISF), and John Colley is managing director EMEA, (ISC)².
