In today’s information economy, the development, exploitation, and protection of information and associated assets are key to the long-term competitiveness and survival of corporations and entire economies. The protection of information and associated assets – information security – is therefore overtaking physical asset protection as a fundamental corporate governance responsibility.
ISO 27000, which provides an overview for the family of international standards for information security, states that “An organization needs to undertake the following steps in establishing, monitoring, maintaining and improving its ISMS: […] assess information security risks and treat information security risks”. The requirements for an ISMS are specified in ISO 27001. Under this standard, a risk assessment must be carried out to inform the selection of security controls, making risk assessment the core competence of information security management and a critical corporate discipline.
Information Security Risk Management for ISO 27001/ISO 27002:
Ideal for risk managers, information security managers, lead implementers, compliance managers, and consultants, as well as providing useful background material for auditors, this book will enable readers to develop an ISO 27001-compliant risk assessment framework for their organization and deliver real, bottom-line business benefits.
Alan Calder is the Group CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Alan is an acknowledged international cybersecurity guru, and a leading author on information security and IT governance issues. He has been involved in the development of a wide range of information security management training courses that have been accredited by IBITGQ (International Board for IT Governance Qualifications). Alan has consulted for clients in the UK and abroad, and is a regular media commentator and speaker.
Steve Watkins is an executive director at GRC International Group plc. He is a contracted technical assessor for UKAS – advising on its assessments of certification bodies offering ISMS/ISO 27001 and ITSMS/ISO 20000-1 accredited certification. He is a member of ISO/IEC JTC 1/SC 27, the international technical committee responsible for information security, cybersecurity and privacy standards, and chairs the UK national standards body’s technical committee IST/33 (information security, cybersecurity and privacy protection) that mirrors it. Steve was an active member of IST/33/-/6, which developed BS 7799-3.