As previously mentioned, we have updated the SPF Compliance Checklist to make it suitable for use with Version 7 of the Security Policy Framework released a few weeks ago.
The new checklist is now available for free download from our security resources section and provides you with the relevant audit points to assess compliance with the 20 mandatory requirements of the SPF v7.
Although the significant reduction in mandatory requirements (down from 68 in version 6) appears to be a major change, in the majority of cases these have been merged with others rather than removed. At a high level, there does not appear to be any relaxation of security controls; instead, they are more logically grouped.
One of the downsides of this reorganisation of the framework is that it is now harder to get a granular feel for your compliance with the requirements. Previous mandatory requirements were fairly straightforward and had a 1:1 relationship with an audit control. Now, most of the mandatory requirements have 4 – 6 audit points that have to be assessed to determine compliance.
As we are aware that some organisations are still contractually bound to use the older version of the SPF, we have left the previous version of the checklist online. You can also use these two documents to assist with any gap analysis work to determine how the change may impact your organisation.