Information Systems Security Assessment Framework (ISSAF)


     Download the available ISSAF releases:

      ISSAF version 0.2.1   (Full release)
      ISSAF version 0.2.1 A (Non-technical chapters)
      ISSAF version 0.2.1 B (Technical chapters)



The Information Systems Security Assessment Framework (ISSAF) seeks to integrate the following management tools and internal control checklists:

  • Evaluate the organization's information security policies and processes to report on their compliance with IT industry standards and with applicable laws and regulatory requirements
  • Identify and assess the business dependencies on infrastructure services provided by IT
  • Conduct vulnerability assessments and penetration tests to highlight system vulnerabilities that could result in potential risks to information assets
  • Specify evaluation models by security domain to:
    • Find misconfigurations and rectify them
    • Identify risks related to technologies and address them
    • Identify risks within people or business processes and address them
    • Strengthen existing processes and technologies
    • Provide best practices and procedures to support business continuity initiatives

Business Benefits of ISSAF

  • The ISSAF is intended to comprehensively report on the implementation of existing controls in support of ISO/IEC 27001:2005 (BS 7799), Sarbanes-Oxley (SOX) Section 404, COBIT, SAS 70 and COSO, thus adding value to the operational aspects of IT-related business transformation programmes.
  • Its primary value derives from providing a tested resource for security practitioners, freeing them from a commensurate investment in commercial resources or extensive internal research to address their information security needs.
  • It is designed from the ground up to evolve into a comprehensive body of knowledge for organizations seeking independence and neutrality in their security assessment efforts.

It is the first framework to provide validation for bottom-up security strategies, such as penetration testing, as well as top-down approaches, such as the standardization of an audit checklist for information policies.



History and Overview of ISSAF
ISSAF is a constantly evolving framework that can model the internal control requirements for information security. By defining the tests along with the domains to be tested, it seeks to unify management policies with technical operations and to ensure complete alignment between all levels in between.

ISSAF covers major information technology platforms and most high-level IT-related operational processes, and is intended to be applicable to major industry verticals such as banking, manufacturing and services. This breadth is intended to ease its adoption as the preferred security assessment framework by IT departments worldwide. In the course of that adoption, OISSG seeks to position ISSAF as the basis for accrediting an organization's information security systems at the level of technical specifications that have been tried and tested by leading security practitioners worldwide.

ISSAF version 0.2 is being released to the industry on the basis of extensive testing by a number of information security specialists working across the world, on different platforms, for security assessments at organizations in different vertical markets. It is being released for use by organizations and assurance professionals, subject to appropriate open licensing terms.