Information Security Risk Management for ISO27001 / ISO17799
Risk assessment is the core competence of information security management. This book provides clear, practical and comprehensive guidance on developing a risk management methodology that meets the requirements of ISO27001, the information security management standard, and how to carry out a risk assessment that will help achieve corporate risk management objectives. While this book's detailed guidance will enable anyone to carry out an ISO27001-compliant risk assessment, it also draws on the complementary guidance of ISO 17799, BS7799-3, ISO 13335-3, NIST SP 800-30 and the UK's Risk Assessment Standard to provide the most comprehensive information security risk assessment, analysis and management manual available.
- Paperback | 196 pages
- 137.2 x 213.4 x 15.2mm | 249.48g
- 01 Apr 2007
- IT Governance Publishing
- Ely, United Kingdom
Table of contents
- Introduction (p. 1)
- Chapter 1: Risk Management (p. 7)
  - Risk management: two phases (p. 8)
  - Enterprise Risk Management (p. 11)
- Chapter 2: Risk Assessment Methodologies (p. 17)
  - Publicly available risk assessment standards (p. 18)
  - Qualitative v quantitative (p. 23)
  - Quantitative risk analysis (p. 24)
  - Qualitative risk analysis - the ISO27001 approach (p. 25)
  - Other risk assessment methodologies (p. 28)
- Chapter 3: Risk management objectives (p. 33)
  - Risk acceptance or tolerance (p. 33)
  - Information security risk management objectives (p. 35)
  - Risk management and PDCA (p. 39)
- Chapter 4: Roles and Responsibilities (p. 45)
  - Senior management commitment (p. 45)
  - The risk assessor (p. 47)
  - Other roles and responsibilities (p. 49)
- Chapter 5: Risk Assessment Software (p. 55)
  - Gap analysis tools (p. 57)
  - Vulnerability assessment tools (p. 58)
  - Penetration testing (p. 59)
  - Risk assessment tools (p. 60)
  - Risk assessment tool descriptions (p. 62)
- Chapter 6: Information Security Policy and Scoping (p. 71)
  - Information security policy (p. 71)
  - Scope of the ISMS (p. 75)
- Chapter 7: The ISO27001 Risk Assessment (p. 83)
  - Overview of the risk assessment process (p. 84)
- Chapter 8: Information Assets (p. 91)
  - Assets within the scope (p. 91)
  - Grouping of assets (p. 94)
  - Asset dependencies (p. 95)
  - Asset owners (p. 96)
  - Sensitivity classification (p. 97)
  - Are vendors assets? (p. 98)
  - What about duplicate copies and backups? (p. 100)
- Chapter 9: Threats and
About Alan Calder
Alan Calder is the founder director of IT Governance Ltd (www.itgovernance.co.uk), an information, advice and consultancy firm that helps companies tackle governance, risk management, compliance and information security issues. He has many years of senior management and board-level experience in the private and public sectors. The company's website is a 'one-stop-shop' for information, books, tools, training and consultancy on governance, risk management, compliance and information security. Steve G Watkins leads the consultancy and training services of IT Governance Ltd. In his various roles in both the public and private sectors he has been responsible for most support disciplines. He has over 17 years' experience of managing integrated management systems, including maintenance of Information Security, Quality, Environmental and Investor in People certifications. As well as being a trained ISO27001 and ISO9000 auditor Steve is a trained EFQM Assessor and holds diplomas in safety and financial management. He is Deputy Chair of the Steering Committee of the DTi ISO/IEC17799 Users Group and also sits on the Management Committee of the British Standards Society where he chairs the Management Systems Special Interest Group.