In the last year, the security of 4,000,000 personal computers was threatened by the TDL botnet. Meanwhile, the explosion of the digital universe is impacting on the ability of organisations to manage their information effectively. The demand for information security continues to rise and is informing many boardroom debates in Europe and USA.
Information risk and security should be a key area of concern to information professionals. It provides us with an opportunity to influence and advise on a critical area of concern to senior managers. However, information security resources can often be highly technical and can exclude readers who are not steeped in the subject.
'Timely and expert'
Information Security Risk Management for ISO 27001/27002 is a new book from Alan Calder and Steve Watkins. It is a timely and expert resource for any information and knowledge professional seeking to improve information security management. Previous publications by the authors have set the context for the new threats and risks facing any organisation this new book provides an overview of the ISO 27000 security guidance.
The authors clarify that ISO 27001 is the international standard for information security management and provides an approach to risk management that can support organisational improvement. ISO 27002 is the supporting code of practice, containing detailed guidance on how to deliver security standards within an organisation.
A corporate approach to risk management
The key chapters outline how these standards outline a corporate approach to risk management that is flexible yet delivers high performance in key areas of information security management. There are superb illustrations and examples provided to clarify how risk management needs to designed to deal with specific circumstances in which organisations operate. There is also a concise overview of the need for good governance and oversight to ensure that risk management delivers the results required, with a summary of recent guidance including the Turnbull Report and Basel II.
Often there is some confusion as to how standards interlink but the authors are able to navigate this problem with clearly defined methods and tools across the sixteen chapters which are appended by tools, additional resources and templates that can be immediately adopted.
Avoiding pitfalls and upgrading processes
There is a detailed exploration of the problems of implementing the standards and suggestions of lessons to learn to avoid the common pitfalls of information security management. Chapter three also clarifies the potential return of investment for information security management which could persuade reluctant senior management to invest in this vital area.
The most illuminating chapter reviews risk management software and how they can be adopted to accelerate risk processes. This is a valuable resource for any information professional considering upgrading current systems and processes.
Real information risk management in a recession
Additional chapters on policy development and the range of threats that could face an organisation make this an essential resource for any information professional. The authors have managed to balance technical expertise with the realities of delivering services in a recession.
This book is published by IT Governance which develops and publishes a range of resources for different audiences interested in this area.
As information professionals seek to improve ways of working the investment in security management could establish services that are essential to improvement of services in tough times.
Book details: Information Security Risk Management for ISO 27001/27002
Authors: A Calder & S G Watkins
Publisher: IT Governance
Robin Smith is the Head of Information Governance at Northampton General Hospital
Image by Flattop341 via Flickr.