: Dejan Kosutic
: Secure& Simple - A Small-Business Guide to Implementing ISO 27001 On Your Own The Plain English, Step-by-Step Handbook for Information Security Practitioners
: Advisera Expert Solutions Ltd
: 9789535745259
: 1
: CHF 30.20
:
: Other
: English
: 326
: DRM
: PC/MAC/eReader/Tablet
: ePUB

In Secure & Simple, Dejan Kosutic, an author and experienced information security consultant, gives away all his practical know-how on successful ISO 27001 implementation. Whether you're new or experienced in the field, this book gives you everything you will ever need to implement ISO 27001 on your own.


Dejan provides examples of implementing the standard in small and medium-sized organizations (i.e. companies with up to 500 employees). It is written primarily for beginners in the field and for people with moderate knowledge of ISO 27001. Even if you do have experience with the standard, but feel that there are gaps in your knowledge, you'll find this book very helpful.


Secure & Simple is the definitive guide for implementing and maintaining the most popular information security standard in the world. The author leads you, step-by-step, from an introduction to ISO 27001 to the moment your company passes the certification audit. During that journey you will learn:


  • The most common ISO 27001 myths, like 'The standard requires xyz;' 'We'll let the IT department handle it;' 'We'll implement it in a couple of months;' and others.
  • How to convince your top management to implement ISO 27001. 'If you think that your management loves to listen to your great idea about a new firewall, or the perfect tool you've discovered for handling incidents, you're wrong - they just don't care.' This book will help you speak the language they want to hear.
  • How to write the Risk Assessment Methodology plus other policies and procedures.
  • How to identify potential risks. 'Employees (and the organization as a whole) are usually aware of only 25 to 40% of risks - therefore, a thorough and systematic process needs to be carried out...' Learn how to identify all potential risks that could endanger the confidentiality, integrity, and availability of the organization's information.
  • The most important steps to prepare a company for certification, and much more.

Written in plain English with a lot of practical examples, charts and diagrams, it is the only book you'll need on the subject of ISO 27001 implementation.

1 INTRODUCTION

Why would your company need to keep its information safe? How can ISO 27001 help you achieve information security? And, is this book the right choice for you?

1.1 Why information security? Why ISO 27001?


Information security, cybersecurity, and data protection are no longer reserved for IT geeks only; they concern virtually every person on this planet, as well as every company.

If you were an executive in an organization 10 years ago, you probably would not be so concerned with any of these things. Today, you are in the second decade of the third millennium and you cannot ignore threats to your data anymore. What's more, in the future you will need even more protection. Why? Because the majority of organizations are now in the business of processing information.

Most of us imagine that a bank handles large amounts of cash every day. While banks still conduct many cash transactions, the fact is that electronic money transactions far outweigh cash transactions – in some cases by more than a million to one. So, this means that a typical bank is in the business of processing information – it is one large factory of information. And, guess what: for some time now, robbing a bank by hacking has been far more profitable than walking in with a mask over your face and robbing the tellers. And hacking is far less risky, too.

Think about your business; are you an information factory, too? Chances are, your business is, if not completely, then for the most part, about processing information. This means your business is more vulnerable. Your information, your knowledge, your know-how, and your intellectual property are all at risk. And now the one-million-dollar question, or if you are in a larger business this might be a one-billion-dollar question: What do you need to do to protect the information in your company, and where do you start?

The problem nowadays is that there is an abundance of information about information security; you are probably bombarded with information about new firewalls, anti-virus software, frameworks, methodologies, legislation, and so on. Many companies offer services that claim to be the solution to all of your security problems. Yet these individual solutions aren't going to protect you completely. For instance, you cannot solve the problem of a disgruntled employee with a firewall, in the same way that you cannot solve the problem of a hacker just by complying with a law.

So, it's obvious you need something more, something comprehensive. But the challenge is where to even begin, and which steps will best protect your business.

This is where ISO 27001 comes in – as explained throughout this book, it provides a comprehensive framework that will help you with this crucial process. It gives you the necessary guidance and building blocks for protecting your company. ISO 27001 tells you where to start from, how to run your project, how to adapt the security to the specifics of your company, how to control what the IT and security experts are doing, and much more.

So, the point is – ISO 27001 doesn’t have to be just another bureaucratic compliance job – if implemented properly, it can be a very efficient tool not only to protect your company, but also to achieve some business benefits.


1.2 Basic information security principles


First, let us define what information is. Information is an asset of the organization: it has value to the organization and needs to be protected appropriately. Information can take various forms and can be stored on different media.

Information security, in turn, can be defined as protecting the confidentiality, integrity, and availability of information in all its forms, such as written, spoken, printed, electronic, and so on.

Let’s see the official definitions of these terms from ISO 27000: confidentiality is the “property that information is not made available or disclosed to unauthorized individuals, entities, or processes,” integrity is the “property of accuracy and completeness,” and availability is the “property of being accessible and usable upon demand by an authorized entity.”

Yes, sometimes it is difficult to understand this ISO terminology, so here is an easy explanation of these basic concepts: if I come to a bank and deposit $10,000, first of all I do not