Further help is available for those implementing the information security management standards ISO/IEC 27001 and ISO/IEC 27002 in the form of a small but growing collection of books and other written materials. This page gives brief outlines and links to more information and places to buy them*.
The standards themselves
As noted in the FAQ, the best books about ISO/IEC 27001, ISO/IEC 27002 and the other standards are ... the standards themselves. Read the FAQ for details of where to buy the standards, how much they cost etc. If you are seriously interested in information security management, you must buy the definitive ISO27k standards. Read them carefully, cover to cover, several times. Your knowledge will be invaluable during the months and years ahead.
Books about implementing the ISO27k standards
How to Achieve 27001 Certification - An Example of Applied Compliance Management by Sigurjon Thor Arnason and Keith D. Willett (Auerbach, 2007 - US$57 from Amazon) is one of a number of books currently available online as a free service to ISACA members. The book aims to provide a foundation for understanding and creating a security management framework and ISMS, with guidance on evaluating and selecting ISMS and compliance management tools and processes based on ISO/IEC 27001 and 27002. It covers planning and implementing an ISMS, through to certification.

Implementing ISO27001 in a Windows environment by Brian Honan (~US$70 from IT Governance) gives implementation advice on the technical controls recommended by ISO/IEC 27001 and ISO/IEC 27002 for organizations with Microsoft Windows systems. [I’ve known Brian for several years and respect his technical expertise so although I haven’t read this one myself, I’m happy to recommend it. Brian’s day-job involves forensic analyses, in other words he knows Windows inside-out.]
Guidelines on Requirements and Preparation for ISMS Certification based on ISO/IEC 27001. Provides guidance on ISO/IEC 27001 and ISO/IEC 27002, along with industry-accepted best-practice methods for providing and demonstrating the evidence required by an assessment auditor. Includes references and definitions, additional information about the latest developments regarding certification criteria and other related standards, an example policy statement, and a breakdown of the differences between ISO/IEC 27001:2005 and its precursor BS 7799-2:2002.
Authors: Ted Humphreys & Angelika Plate.
Published by: British Standards Institute in 2005. 49 pages.
ISBN: 0 580 46002 9.
Price: ~£25 from BSI (ref: BIP 0071).
Are You Ready for an ISMS audit based on BS ISO/IEC 27001? This Guide is intended primarily for use by organizations seeking to prepare for certification to ISO/IEC 27001. The pre-certification assessment is best carried out under the supervision of the person responsible for information security in the organization or by internal audit staff. System developers may also find it a useful reference document when considering the security aspects of new systems. Includes an ISMS process check and a gap analysis workbook.
Authors: Ted Humphreys & Angelika Plate.
Published by: British Standards Institute in 2005. 123 pages.
ISBN: 0 580 46003 7.
Price: ~£40 from BSI (ref: BIP 0072).
Guide to the implementation and auditing of ISMS controls based on ISO/IEC 27001. Lays out the requirements that auditors must address when certifying organizations against ISO/IEC 27001, along with guidance on the implementation, checking and auditing of the controls.
Author: Ted Humphreys.
Published by: British Standards Institute in 2005. 130 pages.
ISBN: 0 580 46004 5.
Price: ~£50 from BSI (ref: BIP 0073).
Measuring the effectiveness of your ISMS implementations based on ISO/IEC 27001. With increasing international interest in the field of ISMS metrics and measurements, this publication brings together the different methods that are currently in use to measure controls and/or processes. In addition, it gives further information and guidance about various methods to measure the success of security arrangements in place.
Authors: Ted Humphreys & Angelika Plate.
Published by: British Standards Institute in 2005/6. 68 pages.
ISBN: 0 580 46015 0.
Price: ~£35 from BSI (ref: BIP 0074).
ISO27k-related information security books
Information Security Incident Management - A Methodology by Neil Hare-Brown draws on ISO/IEC 27002 section 13 and other sources. Buy this book if you are designing or reviewing information security incident management processes, perhaps as part of implementing ISO/IEC 27002, and if you work in a government or large commercial organization that needs a comprehensive, well-structured incident management process. Read our in-depth book review for more.
There are of course many books on information security in general as well as specialist titles covering narrower aspects in greater depth. Amazon lists around 4,500 information security books. With such a diversity of books, it is largely a matter of personal choice but if you can’t browse the bookshelf, we’d recommend taking independent advice such as the Amazon reader feedback comments or Rob Slade’s excellent reviews before parting with your money.
Study prep guides for qualifications such as CISSP and CISM have reasonably broad coverage of information security albeit not directly aligned with ISO/IEC 27001, ISO/IEC 27002 etc. They arguably lack the depth necessary to implement information security controls sufficiently well.
Textbooks such as Hal Tipton's Information Security Management Handbook and Mark Stamp's Information Security: Principles and Practice look good on the information security manager’s bookshelf and, again, provide broad coverage in more depth than the exam prep guides.
Other resources
There are many Internet sites of interest to fellow ISO27k fans listed on the links page. Check ’em out!
Note to publishers and authors: we are more than happy to review and publicize new books in this area, provided you are willing to accept our brutally-honest no-holds-barred review comments. If that hasn’t put you off, please contact us for details of where to send your preview copies.
* We earn a little commission from Amazon but nil from the other publishers and distributors noted here :-(