Implementing an Information Security Management System

Security Management Based on ISO 27001 Guidelines

Abhishek Chopra, Mukund Chaudhary

Publisher: Apress, 2020, 274 pages

ISBN: 978-1-4842-5412-7

Keywords: IT Security

Last modified: June 5, 2021, 2:58 p.m.

Discover the simple steps to implementing information security standards using ISO 27001, the most popular information security standard across the world. You'll see how it offers best practices to be followed, including the roles of all the stakeholders at the time of security framework implementation, post-implementation, and during monitoring of the implemented controls. Implementing an Information Security Management System provides implementation guidelines for ISO 27001:2013 to protect your information assets and ensure a safer enterprise environment.

This book is a step-by-step guide to implementing a secure ISMS for your organization. It will change the way you interpret and implement information security in your work area or organization.

You will:

  • Discover information safeguard methods
  • Implement end-to-end information security
  • Manage risk associated with information security
  • Prepare for audit with associated roles and responsibilities
  • Identify your information risk
  • Protect your information assets

Contents

  1. The Need for Information Security
    • What Is Information Security?
      • Data
      • Information
    • How ISO 27001 Applies to You
      • ISO 27001: Information Security Management System
    • Why Is It Important to Safeguard Information?
      • Yahoo
      • Marriott International
      • eBay
      • Heartland Payment Systems
      • Uber
      • NHS Cyberattack
      • Safeguarding Summary
      • Scenario 1: Banking
      • Scenario 2: Trade Secrets
      • Scenario 3: Healthcare
      • Scenario 4: Manufacturing
      • Scenario 5: Information Technology
    • Summary
  2. Assessing Needs and Scope
    • Assessing Business Needs
    • Scope and High-level Timeframe for Implementation
      • What’s Covered in the Scope Document?
      • What Is the Statement of Applicability (SOA)?
      • High-Level Timeframe
    • Senior Management Support
    • Summary
    • Reference
  3. Project Kick-Off
    • Presenting a High-Level Plan
    • Setting Up the Project Taskforce
      • Administration Department
      • Chief Information Security Officer (CISO)
      • System Admin or IT Manager
      • Information Security Management (ISM) Team
      • Human Resources Management
    • Getting Commitment
    • Summary
  4. Initial Risk Assessment
    • Meeting the Team
      • Annex 5: Information Security Policies
      • Annex 6: Organization of Information Security
      • Annex 7: Human Resources Security
      • Annex 8: Asset Management
      • Annex 9: Access Control
      • Annex 10: Cryptographic Control
      • Annex 11: Physical and Environmental Security
      • Annex 12: Operations Security
      • Annex 13: Communications Security
      • Annex 14: Security Requirements of Information Systems
      • Annex 15: Supplier Relationships
      • Annex 16: Information Security Incident Management
      • Annex 17: Information Security Aspects of Business Continuity Management
      • Annex 18: Compliance
    • Preparing the Analysis Report
    • Presenting the Report to Management/Teams
    • Summary
  5. Risk Management Approach
    • Defining and Finalizing the Risk Assessment Framework
      • Risk Components
      • What Are Threats?
      • What Are Vulnerabilities?
      • What Is a Security Risk?
      • What Is a Risk Ranking?
      • Risk Prioritization
      • Risk Owner Identification
      • Risk Treatment
      • What Is Acceptable Risk?
      • Risk Monitoring and Review
    • Identifying Assets
      • Asset Value
      • Asset Classification
      • Asset Labeling
      • Asset Register
      • Asset Disposal
      • Asset Register Examples
    • Managing Risks
    • Identifying Security Controls
    • Revisiting the Statement of Applicability (SoA)
    • Summary
  6. Execution
    • Information Security Awareness
      • An Emphasis on Training Content
      • Awareness Quiz
    • Policies and Procedures
      • Who Defines the Policies?
      • Who Reviews and Approves the Policies?
      • Which Policies and Procedures Are Covered?
    • Understanding and Implementing Controls
      • A.5 Information Security Policies
      • A.6 Organization of Information Security
      • A.7 Human Resources Security
      • A.8 Asset Management
      • A.9 Access Control
      • A.10 Cryptography
      • A.11 Physical and Environmental Security
      • A.12 Operations Security
      • A.13 Communication Security
      • A.14 System Acquisition, Development, and Maintenance
      • A.15 Supplier Relationships
      • A.16 Information Security Incident Management
      • A.17 Information Security Aspects of Business Continuity Management
      • A.18 Compliance
    • Summary
    • References
  7. Internal Audit
    • Preparing an Internal Audit Team
    • Conducting Audits
      • Audit Plan
      • Pre-Audit Meeting/Briefing
      • Opening Meeting
      • Audit’s Finding Report
    • Closing the Findings and Gaps
    • Planning Improvement
      • Eliminating Gaps
      • Can You Eliminate All Gaps?
    • Communicating
    • Summary
  8. Management Review
    • Conducting the Review
      • What Is Expected from Department Heads/Stakeholders?
      • Scheduling the Management Review Meeting
      • Items To Be Covered in the Presentation
      • Conducting the Review Meeting
    • Plan Improvement
      • What Do You Improve?
      • How Do You Know if You Have Improved?
    • Communicate
    • Summary
  9. External Audit
    • Audit Preparation
      • Stage 1 Audit
      • Stage 2 Audit
      • Stage 3 Audit
    • Best Practices
    • Audit Closure
    • Audit Report
      • Executive Summary
      • SWOT Analysis
      • Scope Description Control by Control
      • Finding Summary
      • Evidence Summary
      • Lead Auditor Recommendation
      • Front Page
    • Summary
  10. Continual Improvement
    • Areas of Improvement
      • Monthly KPIs/Reports
      • Employee Observations
      • Periodic Internal Audits
      • Management Review Meetings
      • Customers/Clients
      • New Tools/Technology
      • Regulatory/Governmental Laws
    • Execution Plan
      • Pilot the Improvement First
      • Measure Success
    • Performing Regular Audits/Reviews
    • Summary

Reviews

Implementing an Information Security Management System

Reviewed by Roland Buresund

Good ******* (7 out of 10)

Last modified: Jan. 20, 2023, 3:50 p.m.

A good book that in reality addresses all the ISO 27001 requirements and explains how to address them.

Not groundbreaking but it is still a good read.
