New SME infosec standard

A new draft information security standard for Small to Medium-Sized Enterprises has been released for comment by my friends in ISSA-UK.

The standard, called "ISSA 5173", is short - just 4 pages plus 6 pages of preamble (!). It promotes a structured, risk-based approach to managing information security, not altogether unlike ISO27k.  It offers high level advice rather than listing lots of specific controls: the idea is basically that SMEs need to figure out their security requirements and then put them in place.  The management system it promotes is essentially about 'figuring out security requirements and putting them in place'.  Information security requirements derive from some understanding of the risks facing the SME, plus compliance obligations.

I will be fascinated to see how this develops over the next few months and, time permitting, I'll contribute my ideas too. I encourage you to at least download and read the draft but by all means join the ensuing discussion on the ISO27k Forum and through your local ISSA chapter.