Dec 26 2010

Information Security Risk Management for ISO27001/ISO27002

Category: ISO 27k,Security Risk AssessmentDISC @ 8:56 pm

Expert guidance on planning and implementing a risk assessment and protecting your business information. In the knowledge economy, organisations have to be able to protect their information assets. Information security management has, therefore, become a critical corporate discipline. The international code of practice for an information security management system (ISMS) is ISO27002. As the code of practice explains, information security management enables organisations to ‘ensure business continuity, minimise business risk, and maximise return on investments and business opportunities’.

ISMS requirements
The requirements for an ISMS are specified in ISO27001. Under ISO27001, a risk assessment has to be carried out before any controls can be selected and implemented, making risk assessment the core competence of information security management. This book provides information security and risk management teams with detailed, practical guidance on how to develop and implement a risk assessment in line with the requirements of ISO27001.

International best practice
Drawing on international best practice, including ISO/IEC 27005, NIST SP800-30 and BS7799-3, the book explains in practical detail how to carry out an information security risk assessment. It covers key topics, such as risk scales, threats and vulnerabilities, selection of controls, and roles and responsibilities, and includes advice on choosing risk assessment software.

Benefits to business include:

Stop the hacker. With a proper risk assessment, you can select appropriate controls to protect your organisation from hackers, worms and viruses, and other threats that could potentially cripple your business.

Achieve optimum ROI. Failure to invest sufficiently in information security controls is ‘penny wise, pound foolish’, since, for a relatively low outlay, it is possible to minimise your organisation’s exposure to potentially devastating losses. However, having too many safeguards in place will make information security system expensive and bureaucratic; so without accurate planning your investment in information security controls can become unproductive. With the aid of a methodical risk assessment, you can select and implement your information security controls to ensure that your resources will be allocated to countering the major risks to your organisation. In this way, you will optimise your return on investment.

Build customer confidence. Protecting your information security is essential if you want to preserve the trust of your clients and to keep your business running smoothly from day to day. If you set up an ISMS in line with ISO27001, then, after an assessment, you can obtain certification. Buyers now tend to look for the assurance that can be derived from an accredited certification to ISO27001 and, increasingly, certification to ISO27001 is becoming a prerequisite in service specification procurement documents.

Comply with corporate governance codes. Information security is a vital aspect of enterprise risk management (ERM). An ERM framework is required by various corporate governance codes, such as the Turnbull Guidance contained within the UK’s Combined Code on Corporate Governance, and the American Sarbanes-Oxley Act (SOX) of 2002, and standards such as ISO310000.

Order this book for advice on information security management that can really benefit your bottom line! Information Security Risk Management for ISO27001 / ISO27002

About the authors

Alan Calder is the founder director of IT Governance Ltd. He has many years of senior management and board-level experience in the private and public sectors.

Steve G Watkins leads the consultancy and training services of IT Governance Ltd. In his various roles in both the public and private sectors he has been responsible for most support disciplines. He has over 20 years’ experience of managing integrated management systems, and is a lead auditor for ISO27001 and ISO9000. He is now an ISMS Technical Expert for UKAS, and provides them with advice for their assessments of certification bodies offering certification to ISO27001.

4 Responses to “Information Security Risk Management for ISO27001/ISO27002”

  1. Top 5 Cheap Web Hosting Service Features | cheap web hosting uk says:

    […] Information Security Risk Management for ISO27001/ISO27002 […]

  2. Recycle prices: Three Strategies To Detect And Qualify Risk says:

    […] Information Security Risk Management for ISO27001/ISO27002 Recycle   business, finance, management, risk management      Restore Batteries reviewed » […]

  3. Taktika Management ISO 27001 says:

    Information Security Management is indeed a burning issue. That is why at Taktika Management we chose to top up our implementation services with a key standard: the Information Security Management ISO 27001 and the implementation of best practices in order to provide a competitive advantage to a firm.

    Information Security aims to protect information against a whole range of potential threats, in order to maintain the flow of transactions, to reduce as much as possible the risk and to optimize the ROI as well as potential opportunities for the company.

    According to me, ISO 27001 has become a benchmark in terms of Information Security Management systems and Taktika Management (we are based in Montreal) can help you implement this standard.

    As far as I think, the benefits of implementing a standard for Information Security Management are:

     Being certified helps a company to be trustworthy, (from the stakeholders point of view: shareholders, business partners, suppliers, governmental entities…)
     To drop the costs selecting the right security policies to manage your information and to develop a consolidated auditing model

    Thanks again for the post, and feel free to consult our website http://www.taktikamanagement.com!

    Alpha Diallo, Senior IT Consultant, Taktika Management (Montreal).

  4. NABH says:

    I really appreciate your post and you explain each and every point very well.Thanks for sharing this information.And I’ll love to read your next post too.
    Regards:
    NABH

Leave a Reply