Information Security Risk Management for ISO 27001/ISO 27002, third edition

Book description

Ideal for risk managers, information security managers, lead implementers, compliance managers and consultants, and useful background reading for auditors, this book will enable readers to develop an ISO 27001-compliant risk assessment framework for their organisation and deliver real, bottom-line business benefits.

Table of contents

  1. Cover
  2. Title
  3. Copyright
  4. About the Author
  5. Contents
  6. Introduction
  7. Chapter 1: Risk management
    1. Risk management: two phases
    2. Enterprise risk management
  8. Chapter 2: Risk assessment methodologies
    1. Publicly available risk assessment standards
    2. Qualitative versus quantitative
    3. Quantitative risk analysis
    4. Qualitative risk analysis
  9. Chapter 3: Risk management objectives
    1. Risk acceptance or tolerance
    2. Information security risk management objectives
    3. Risk management and process models
  10. Chapter 4: Roles and responsibilities
    1. Senior management commitment
    2. The (lead) risk assessor
    3. Other roles and responsibilities
  11. Chapter 5: Risk assessment software
    1. Gap analysis tools
    2. Vulnerability assessment tools
    3. Penetration testing
    4. Risk assessment tools
    5. Risk assessment tool descriptions
  12. Chapter 6: Information security policy and scoping
    1. Information security policy
    2. Scope of the ISMS
  13. Chapter 7: The ISO 27001 risk assessment
    1. Overview of the risk assessment process
  14. Chapter 8: Information assets
    1. Assets within the scope
    2. Grouping of assets
    3. Asset dependencies
    4. Asset owners
    5. Sensitivity classification
    6. Are vendors assets?
    7. What about duplicate copies and backups?
    8. Identification of existing controls
  15. Chapter 9: Threats and vulnerabilities
    1. Threats
    2. Vulnerabilities
    3. Technical vulnerabilities
  16. Chapter 10: Scenario-based risk assessment
  17. Chapter 11: Impact, including asset valuation
    1. Impacts
    2. Defining impact
    3. Estimating impact
    4. The asset valuation table
    5. Business, legal and contractual impact values
    6. Reputational damage
  18. Chapter 12: Likelihood
    1. Risk analysis
    2. Information to support assessments
  19. Chapter 13: Risk level
    1. The risk scale
    2. Boundary calculations
    3. Mid-point calculations
  20. Chapter 14: Risk treatment and the selection of controls
    1. Types of controls
    2. Risk assessment and existing controls
    3. Residual risk
    4. Risk sharing
    5. Optimising the solution
  21. Chapter 15: The Statement of Applicability
    1. Drafting the Statement of Applicability
  22. Chapter 16: The gap analysis and risk treatment plan
    1. Gap analysis
    2. Risk treatment plan
  23. Chapter 17: Repeating and reviewing the risk assessment
  24. Appendix 1: vsRisk Cloud
  25. Appendix 2: ISO 27001 implementation resources
  26. Appendix 3: Books by the same authors
  27. Further reading

Product information

  • Title: Information Security Risk Management for ISO 27001/ISO 27002, third edition
  • Author(s): Alan Calder, Steve Watkins
  • Release date: August 2019
  • Publisher(s): IT Governance Publishing
  • ISBN: 9781787781382