‘The Case for ISO27001:2013’ Review by Mike Smith

Mike Smith, an independent consultant for information security management systems with a background in financial systems, has kindly reviewed The Case for ISO27001:2013 for IT Governance.

Overview: “A concise, readable overview of things to consider when putting together a convincing proposal for an ISMS.”

“This is not a book that will take the reader through the detailed steps for implementing an ISO27001 information security management system (ISMS).  It is a concise and clear outline of the numerous factors that need to be considered when influencing and engaging all levels of management to “sell” the concepts and needs for an effective ISMS.  This easy-to-read guide is an update of the author’s first edition that dealt with the 2005 version of ISO27001, and the author, Alan Calder, has taken the opportunity to address the latest developments in information security.  In particular, he points to the need to recognise the emerging and increasingly sophisticated threats that must be countered if the confidentiality, integrity and availability of information resources are to be safeguarded.

Chapter 1 highlights the increasing importance of information as a business asset that needs to be protected, while Chapter 2 draws attention to such assets being a cornerstone of competitive advantage.  This represents a shift in thinking as, with traditional tangible assets no longer the only ones requiring protection, the security aspects of information pose an even more demanding challenge for management.

Chapters 3 through 9 outline the key threats and their impacts on information security, clearly stating the different types of threat and the risks that they pose.  Some interesting statistics are presented to illustrate the changing threat landscape and the consequences of some of the newer threats that are now recognised.  Topics covered as individual chapters include “traditional” threats, organised crime and cyber terrorism, and the author has illustrated each of these with some examples that the reader will be able to relate to.

Compliance, legislation and regulation issues relevant to information security are outlined in Chapters 10 to 15, with specific comment on data protection, anti-spam, computer misuse, human rights and the retention of records and their destruction.

The remainder of the book deals with the practicalities of information security governance and discussions regarding the benefits of implementing an ISMS that complies with ISO27001:2013.  While this cannot be regarded as a “how to” manual, it does clearly set out the advantages of such a system, its relevance to the organisation’s operational context and the considerations and implications of going the full certification route.

“It is stressed that the successful implementation of an ISMS requires commitment at all levels within the organisation”

Throughout this book it is stressed that the successful implementation of an ISMS requires commitment at all levels within the organisation, from top management down.  It’s also stressed that the nature and range of threats now facing organisations require a mix of technical, procedural and people-focused practices.  With the 2013 version of ISO27001 now aligned to the structure and format of other ISO-based management systems, the ISMS can be readily integrated into an organisation’s overall management framework.  Indeed, this compatibility is a major feature of ISO27001:2013.

“This concise publication will help you put together a convincing proposal”

Don’t expect a technically orientated book aimed solely at information security or IT professionals.  If you’re putting together a case for designing and implementing an ISO27001:2013-compliant system, however, this concise publication will help you put together a convincing proposal!”

The Case for ISO27001:2013 is available to purchase from IT Governance.