
Implementing the ISO/IEC 27001 : 2013 ISMS Standard.

By:
Material type: Text
Publisher: Norwood, MA : Artech House, 2016
Copyright date: ©2016
Edition: 1st ed
Description: 1 online resource (239 pages)
Content type:
  • text
Media type:
  • computer
Carrier type:
  • online resource
ISBN:
  • 9781608079315
Subject(s):
Genre/Form:
DDC classification:
  • 5.8
Online resources:
Contents:
Implementing the ISO/IEC 27001 ISMS Standard Second Edition -- Contents -- Acknowledgments -- Introduction -- Chapter 1 Information Security -- 1.1 The Importance of Being Informed -- 1.2 Globally Connected -- 1.3 More Ado About Risks -- 1.4 Decoding the Secret of Information Security Management -- 1.5 Management and Awareness -- 1.6 Legislation, Regulation and Governance -- 1.7 En Route to a Certified Business Environment -- 1.7.1 Processes -- 1.7.2 Controls -- Chapter 2 ISO/IEC 27001 ISMS Family -- 2.1 ISO/IEC Standardisation -- 2.1.1 Overview -- 2.1.2 ISO/IEC JTC 1/SC 27 -- 2.2 Overview -- 2.2.1 International Standards -- 2.2.2 The 27001 ISMS Family -- 2.2.3 Standards Interrelated to 27001 IS -- 2.3 Evolution of the ISO/IEC 27000 Family -- 2.3.1 The Weakest Link -- 2.3.2 Baseline Controls -- 2.3.3 Formative Years-BS 7799 Part 1 and -- 2.3.4 Internationalization -- 2.4 Overview of ISO/IEC 27001: 2013 -- 2.4.1 Introduction -- 2.4.2 ISMS Audience -- 2.4.3 Mandatory Statements -- 2.4.4 Processes -- 2.4.5 ISMS Stages -- 2.4.6 Risk-Based Approach -- 2.4.7 Performance Evaluation -- 2.5 Second Edition of ISO/IEC 27002 -- 2.5.1 Conformance with ISO/IEC 27002 -- 2.5.2 Applying ISO/IEC 27002 -- Chapter 3 ISMS Business Context -- 3.1 Organisational Context -- 3.1.1 Understanding the Business -- 3.1.2 Internal Issues and Context -- 3.1.3 External Issues and Context -- 3.2 Needs and Expectations -- 3.2.1 Interested Parties -- 3.2.2 Requirements Relevant to the ISMS -- 3.2.3 Gathering Requirements Relevant to the ISMS -- 3.3 ISMS Scope -- 3.3.1 What to Consider and What to Include -- 3.3.2 Object of ISMS Scope -- 3.3.3 Defining the ISMS Scope -- 3.3.4 Scope Example -- 3.3.5 External and Internal Connections -- Chapter 4 Managing the ISMS Risks -- 4.1 The Importance of Risk and Opportunity -- 4.1.1 Definition of Risk -- 4.1.2 Opportunity.
4.1.3 Risk Attitude, Tolerance and Appet -- 4.1.4 Information Security Risk Appetite -- 4.1.5 ISMS Risks -- 4.2 Risk Management Process -- 4.2.1 Changes in the Process -- 4.2.2 Risk Assessment -- 4.2.3 Risk Treatment -- 4.2.4 Determine the Controls -- 4.2.5 Statement of Applicability -- 4.2.6 Risk Treatment Plan -- 4.2.7 Risk Owners' Duties -- 4.3 Ongoing Reassessment of Risk -- 4.3.1 Risk Reviews and Reassessments -- 4.3.2 Risk Monitoring -- 4.3.3 Updating the Risk Treatment -- Chapter 5 ISMS Leadership and Support -- 5.1 Management Policy -- 5.1.1 Approval, Communication and Awaren -- 5.1.2 Policy Review -- 5.1.3 Management Policy Sets the Scene -- 5.2 Leadership -- 5.3 Roles and Responsibilities -- 5.4 Resources -- 5.5 Training and Awareness -- 5.5.1 When Should Training Take Place? -- 5.5.2 Training Methods -- 5.5.3 ISMS-Related Topics -- Chapter 6 Controls to Modify the Risks -- 6.1 Determining the Controls -- 6.1.1 Control Framework -- 6.1.2 Process of Determining a Control S -- 6.1.3 Existing Control Sets -- 6.2 System of Controls -- 6.2.1 Control Framework -- 6.2.2 System of Controls -- 6.3 Policies and Procedures -- 6.3.1 General -- 6.3.2 Approval, Communications and Aware -- 6.3.3 Review -- 6.4 Example controls -- 6.4.1 Overview -- 6.4.2 Acceptable Use Policy -- 6.4.3 Information Handling Policy and Pr -- 6.4.4 Access Control Policy, Procedures -- 6.4.5 Human Resource Policies, Procedure -- 6.5 Sector-Specific Controls -- 6.6 Benchmarking with ISO/IEC 27001:2013 -- Chapter 7 ISMS Operations -- 7.1 Operational ISMS Procedures -- 7.1.1 General -- 7.1.2 Example Procedures -- 7.1.3 Training, Awareness and Usage -- 7.2 Ongoing Risk Management -- 7.3 Operational Threats -- 7.3.1 Malware -- 7.3.2 Unauthorised Access -- 7.3.3 Insider Threat -- 7.3.4 System Availability -- 7.3.5 Social Engineering -- 7.4 Operational Processes.
7.4.1 Protecting Information in the Operational Environment -- 7.4.2 Backups -- 7.4.3 Capacity Planning -- 7.4.4 Change Management -- 7.4.5 Third-Party Services -- 7.5 Incident Management -- 7.5.1 Events That Compromise -- 7.5.2 Use Cases -- 7.5.3 Processes -- 7.5.4 Incident Management Team -- 7.5.5 Standards -- 7.6 ISMS Availability and Business Conti -- 7.6.1 Value and Importance -- 7.6.2 Business Impact -- 7.6.3 Plans -- 7.6.4 Processes -- 7.6.5 Standards -- 7.7 ISMS Use Examples -- 7.7.1 SME Design Services -- 7.7.2 Legal Services -- 7.7.3 Electronic Accounting System -- 7.7.4 Government Payment System -- 7.7.5 Outsourcing Call Centre Operations -- 7.7.6 Manufacturing Systems -- 7.7.7 Supply Chain Management -- Chapter 8 Performance Evaluation -- 8.1 Performance, Change and Improvement -- 8.1.1 How Effective, Adequate and Suitab -- 8.1.2 Change and the Certainty of Change -- 8.1.3 Change Management -- 8.1.4 Tracking and Reviewing Ongoing Cha -- 8.1.5 Informed Decision Making -- 8.2 Monitoring and Operational Reviews -- 8.2.1 Monitoring -- 8.2.2 Monitoring and Review of Staff Awareness, Competency and Use of the ISMS -- 8.2.3 Monitoring and Review of Information Security Processes -- 8.2.4 Monitoring and Review of Information Security Controls -- 8.2.5 Monitoring and Review of IT and Network Services and Infrastructure -- 8.2.6 Monitoring and Reviewing Third Party Contracts and Services -- 8.2.7 Monitoring and Review of Legal and Contractual Compliance -- 8.3 ISMS Measurements Programme -- 8.3.1 ISMS Metrics and Measurements -- 8.3.2 Measurement Programme -- 8.4 Ongoing Risk Management -- 8.4.1 Risk Responsiveness and Commitment -- 8.4.2 Regular Risk Assessments -- 8.4.3 Risk Measurements and Metrics -- 8.5 ISMS Internal Audits -- 8.6 Management Reviews of the ISMS -- 8.6.1 Management Review -- 8.6.2 Input for the Management Review.
8.6.3 Output of the Management Review -- 8.7 Awareness and Communications -- Chapter 9 Improvements to the ISMS -- 9.1 Continual Improvement -- 9.1.1 Improvement -- 9.1.2 Maintaining Effectiveness, Suitabi -- 9.1.3 Holistic Effectiveness -- 9.2 Conformance and Nonconformance -- 9.2.1 Nonconformity -- 9.2.2 Corrections -- 9.2.3 Corrective Actions and Root Causes -- 9.2.4 Some Common Causes of Nonconformit -- 9.2.5 Case Study One -- 9.2.6 Case Study Two -- 9.2.7 Case Study Three -- 9.3 Making Improvements -- 9.3.1 Planning and Implementing Improvem -- 9.3.2 Improvements to Processes -- 9.3.3 Improvements to Policies and Proce -- 9.3.4 Implementing Improvements to Aware -- Chapter 10 Accredited ISMS Certification -- 10.1 Overview -- 10.2 International Certification -- 10.2.1 Global Take Up -- 10.2.2 Motivation -- 10.2.3 Costs and Resources -- 10.3 Certification and Accreditation -- 10.3.1 Interested Parties -- 10.3.2 Accreditation -- 10.3.3 Certification -- 10.4 Standards Involved -- 10.4.1 Accreditation -- 10.4.2 Certification -- 10.4.3 End-User Organisations (ISMS Owners) -- 10.5 ISMS Audits -- 10.5.1 Certification Scope -- 10.5.2 Audit Process -- 10.5.3 Nonconformities -- 10.5.4 Audit Report -- 10.5.5 Surveillance Audits -- 10.5.6 Recertification -- 10.5.7 Audit Trails -- 10.5.8 Competence.
Chapter 11 Epilogos (snrdrv) -- 11.1 The ISMS-A Living System -- 11.2 ISMS: The Business Enabler -- Bibliography -- About the Author -- Index.
No physical items for this record

Description based on publisher supplied metadata and other sources.

Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2025. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.

Licensed e-book