STANDARD OF GOOD PRACTICE FOR

INFORMATION SECURITY 2020

WHAT'S NEW?
The SOGP 2020 includes new and enhanced coverage of the following hot topics: using cloud services securely,
supplier management, running a Security Operations Centre, protecting devices, security assurance programme,
and asset management. Further detail is provided in the table below.

Hot topic and reference in the SOGP 2020 New or enhanced coverage detail

SUPPLY CHAIN MANAGEMENT This Category has been updated and redesigned to both simplify existing content and
SC2: Cloud Services introduce new Topics. The Cloud Services Area has new Topics with enhancements
based on recent ISF research, while the External Supplier Management Area has
SC1: External Supplier Management
been redesigned for enhanced usability and comprehension, including new Topics on
Procurement and Contracts.

SECURITY OPERATION CENTRES A new Topic has been introduced which is dedicated to running Security Operation
SM2.3: Security Operation Centres (SOC) Centres and based on recent ISF research. This same research has enabled the
Security Event Management Topic to be reworked and enhanced.
TM1.3: Security Event Management

MOBILE DEVICES AND APPLICATIONS A new Topic on managing mobile applications has been introduced which draws on
PA2: Mobile Computing recent ISF research. A better distinction between mobile devices and larger, more
static devices, has also been incorporated which has resulted in new Topics on the
PA1.2: Workstation Configuration
configuration of workstations and specialist devices, drawing on recent ISF research
PA1.5: Specialist Computing Equipment and Devices on IoT devices where necessary.

SECURITY ASSURANCE The Security Monitoring and Improvement Category has been renamed Security
AS: Security Assurance Assurance and enhanced to reflect recent ISF research. This includes an overhaul of
the Security Assurance Topic, that was previously located in Security Governance.

ASSET MANAGEMENT Guidance connected to registers for different assets, from across the SOGP 2018, has
SM2.6: Asset Registers been merged into one new Topic which centralises and simplifies good practice.

GENERAL IMPROVEMENTS Every Topic has been reviewed and revised where necessary, to ensure consistency
of content, common use of terminology and to keep technical examples that support
good practice up to date.

Building upon positive Member feedback, the SOGP 2020 has retained the same structure as that introduced in 2016, and
retained in 2018. However, the above-mentioned enhancements have resulted in the SOGP 2020 containing: 17 Categories,
34 Areas and 135 Topics.

For more information on the Standard of Good Practice

for Information Security 2020, join the community on ISF Live.

©2020 Information Security Forum Limited. All rights reserved. | Reference: ISF 20 03 09