An Introduction to Information Security and ISO27001:2013

An Introduction to Information Security and ISO27001:2013: A Pocket Guide

STEVE G WATKINS
Copyright Date: 2013
Edition: 2
Published by: IT Governance Publishing
Pages: 52
https://www.jstor.org/stable/j.ctt5hh3wf
    Book Description:

    Written by an acknowledged expert on the new ISO27001 standard, An Introduction to Information Security and ISO27001:2013 is the ideal resource for anyone wanting a clear, concise and easy-to-read primer on information security. It will ensure the systems you put in place are effective, reliable and auditable. This pocket guide will help you to:

      • Make informed decisions: use this guide to enable the key people in your organisation to make better decisions before embarking on an information security project.
      • Ensure everyone is up to speed: use this guide to give the non-specialists on the project board and in the project team a clearer understanding of what the project involves.
      • Raise awareness among staff: use this guide to make sure your people know what is at stake with regard to information security and understand what is expected of them.
      • Enhance your competitiveness: use this guide to let your customers know that the information you hold about them is managed and protected appropriately.

    eISBN: 978-1-84928-527-8
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 2-4)
  2. ABOUT THE AUTHOR
    (pp. 5-6)
  3. Table of Contents
    (pp. 7-8)
  4. INTRODUCTION
    (pp. 9-12)

    This pocket guide is intended to meet the needs of two groups:

    1. Individual readers who have turned to it as an introduction to a topic that they know little about.

    2. Organisations implementing, or considering implementing, some sort of information security management regime, particularly if using ISO/IEC 27001:2013, who wish to raise awareness.

    In either case the guide furnishes readers with an understanding of the basics of information security, including:

    A definition of what information security means.

    How managing information security can be achieved using an approach recognised worldwide.

    The factors that need to be considered in an information...

  5. CHAPTER 1: INFORMATION SECURITY — WHAT’S THAT?
    (pp. 13-17)

    To develop an understanding of what information security means, let’s consider something that we all understand the value of: money.

    Considering the various aspects of how you look after and use your money, the following emerge as valuable and worthy of note:

    You do not want other people spending your money, or at least anyone not given your permission to spend it. This means limiting access to your money, or, when considering information instead of money, keeping it confidential.

    This makes good sense, and at first pass may seem to be the only thing that matters. However, if restricting access...

  6. CHAPTER 2: IT’S NOT IT
    (pp. 18-20)

    The key message in this chapter is that an effective Information Security Management System (ISMS) needs to address issues relating to personnel, facilities, suppliers and cultural issues, in addition to the obvious area of information technology, and so information security is a topic that goes well beyond the remit of IT, whether that be the equipment, department or service¹.

    Having identified what information security is, and recognising it as something worth being concerned about, the next stage is to determine exactly what areas and aspects of the organisation will be affected.

    Starting with the source of the challenge, we need...

  7. CHAPTER 3: ISO27001 AND THE MANAGEMENT SYSTEM REQUIREMENTS
    (pp. 21-25)

    As with most topics, there are international standards that deal with information security management, and the main one is ISO27001:2013.¹

    This Standard is structured in a linear fashion, from the establishment of the ISMS through to the review and adaptation of the ISMS. However, addressing the requirements in that order is not a requirement in itself. In the previous edition, the Standard defined the project approach as the well-recognised Plan–Do–Check–Act model (P-D-C-A) to structure the tasks required to introduce an effective ISMS. While this is no longer strictly mandated by ISO27001, it remains a valid and...

  8. CHAPTER 4: LEGAL, REGULATORY AND CONTRACTUAL REQUIREMENTS AND BUSINESS RISK
    (pp. 26-31)

    The specific security requirements of an ISMS are determined in light of the purpose of the organisation and its objectives. To achieve this, the parties with an interest in the performance of the organisation, and their information-security-specific requirements, must be identified. These requirements, together with the specific legal, regulatory and contractual obligations on the organisation, form the starting point of the ISMS security arrangements; they are then combined with the results of an information security risk assessment to determine the blend of security controls on which the organisation will rely.

    ISO27001 does not dictate a particular...

  9. CHAPTER 5: INFORMATION SECURITY CONTROLS
    (pp. 32-38)

    Having now gained an appreciation of the methodical approach to the selection of information security controls and other ways of addressing risks, it is time to examine the security controls defined in the international ISMS Standards.

    The Standards themselves emphasise that the controls they detail are to be used to ensure that none have been inappropriately omitted and that they are not a default control set to build upon. Typically an organisation would start with sector and contract specific requirements and then consider others. There will also be technological developments that introduce risks which are not covered to a suitable...

  10. CHAPTER 6: CERTIFICATION
    (pp. 39-42)

    As with many other management system standards, there is a scheme that can be used by organisations to demonstrate their compliance with the internationally recognised Standard for information security management, ISO27001.

    Companies wishing to use this scheme to demonstrate the robustness of their information security management arrangements need to subject themselves to an external audit.

    For the assurance provided by the outcome of the audit to be recognised¹, the audit needs to be conducted in compliance with the recognised scheme; that is, the ‘accredited certification scheme’. This is administered by the United Kingdom Accreditation Service (UKAS) in the UK and...

  11. CHAPTER 7: SIGNPOSTING
    (pp. 43-48)
  12. ITG RESOURCES
    (pp. 49-52)