Information Security Risk Management for ISO 27001/ISO 27002

Ideal for risk managers, information security managers, lead implementers, compliance managers and consultants, as well as providing useful background material for auditors, this book will enable readers to develop an ISO 27001-compliant risk assessment framework for their organisation and deliver real, bottom-line business benefits.

194 pages, Paperback

Published September 10, 2019

About the author

IT Governance

87 books

Community Reviews

5 stars: 0 (0%)
4 stars: 0 (0%)
3 stars: 2 (100%)
2 stars: 0 (0%)
1 star: 0 (0%)
Displaying 1 of 1 review
Mike Smith
532 reviews, 18 followers
June 12, 2024
I'm studying for the ISC2 Governance, Risk, and Compliance Certification (CGRC), a professional certification in cybersecurity. This book was recommended as a useful study guide. I accessed the book through a ten-day free trial at O'Reilly, a technical training and publishing company, using their O'Reilly Learning portal.

From what I can determine through professional channels, the CGRC is based mainly on U.S. standards and guidance in information security risk management. This book focuses on the international standards for information security, ISO 27001 and ISO 27002. The two approaches, American and international, are not wildly different, and this book gives a good counterbalance to the American perspective.

The authors, Alan Calder and Steve Watkins, focus here specifically on the risk assessment process as defined in the ISO 27000 family of standards and guides. ISO 27000 does not prescribe a particular risk assessment methodology, but it does identify some key steps that any acceptable methodology should have:
- Establish risk criteria
- Identify information security risks
- Analyze risks
- Evaluate risks

The book fleshes out those steps with further guidance drawn from other sources, mainly ISO 27005, British Standard BS 7799-3, and U.S. guidance in NIST's Special Publication 800-30. There is a brief comparison of qualitative and quantitative methodologies and a separate, short chapter on risk assessment software. The meat of the book is what I would consider a generic treatment of risk assessment, with discussion about assets, threats, vulnerabilities, and risks. The authors discuss impact and likelihood, the two main factors that go into determining risk. The concluding chapters deal with risk treatment (or what North Americans would call risk mitigation or risk remediation) and continuous risk assessments.

The book covers a lot of ground in describing what seems to me, with 35 years of cybersecurity experience, to be a process that is easy to describe but complex to perform. Somehow, the book manages to feel like an overview despite its length and the breadth of its coverage. The writing is dense, but not overly technical (at least not if you have experience in this field). It could have benefited from some charts or diagrams to help illustrate the processes it describes.

I'm not sure that I learned anything new by reading this, but I think it did help reinforce the knowledge I'd already gained through experience and through other reading, including Official (ISC)2 Guide to the CAP CBK and Risk Management Framework for Information Systems and Organizations: NIST SP 800-37 Revision 2.