ISO27k book reviews

Further help is available for those implementing the information security management standards ISO/IEC 27001 and ISO/IEC 27002 in the form of a small but growing collection of books and other written materials. This page gives brief outlines and links to more information and places to buy them*.

The standards themselves

As noted in the FAQ, the best books about ISO/IEC 27001, ISO/IEC 27002 and the other standards are ... the standards themselves. Read the FAQ for details of where to buy the standards, how much they cost etc. If you are seriously interested in information security management, you must buy the ISO standards. Read them carefully, cover to cover, several times. Your knowledge will be invaluable during the months and years ahead.

Information security books

Review added March 22: Information Security Incident Management - A Methodology by Neil Hare-Brown draws on ISO/IEC 27002 section 13 and other sources. Buy this book if you are designing or reviewing information security incident management processes, perhaps as part of implementing ISO/IEC 27002, and if you work in a government or large commercial organization that needs a comprehensive, well-structured incident management process. Read our in-depth book review for more.


There are of course many books on information security in general as well as specialist titles covering narrower aspects in greater depth. Amazon lists around 4,500 information security books. With such a diversity of books, it is largely a matter of personal choice but if you can’t browse the bookshelf, we’d recommend taking independent advice such as the Amazon reader feedback comments or Rob Slade’s excellent reviews before parting with your money.

Study prep guides for qualifications such as CISSP and CISM have reasonably broad coverage of information security albeit not directly aligned with ISO/IEC 27001, ISO/IEC 27002 etc. They arguably lack the depth necessary to implement information security controls sufficiently well.

Textbooks such as Hal Tipton's Information Security Management Handbook and Mark Stamp's Information Security: Principles and Practice look good on the information security manager’s bookshelf and, again, provide broad coverage in more depth than the exam prep guides.

Books about implementing the standards

Guidelines on Requirements and Preparation for ISMS Certification based on ISO/IEC 27001. Provides guidance on ISO/IEC 27001 and ISO/IEC 27002. Provides industry accepted best practice methods for providing and demonstrating the evidence required by an assessment auditor. Includes references and definitions, additional information about the latest developments regarding certification criteria and other related standards. Includes an example policy statement and a breakdown of the differences between ISO/IEC 27001:2005 and its precursor BS 7799-2:2002.

Authors: Ted Humphreys & Angelika Plate.

Published by: British Standards Institute in 2005. 49 pages.

ISBN: 0 580 46002 9.

Price: ~£25 from BSI (ref: BIP 0071).


Are You Ready for an ISMS audit based on BS ISO/IEC 27001? This Guide is intended primarily for use by organizations seeking to prepare for certification to ISO/IEC 27001. The pre-certification assessment is best carried out under the supervision of the person responsible for information security in the organization or by internal audit staff. System developers may also find it a useful reference document when considering the security aspects of new systems. Includes an ISMS process check and a gap analysis workbook.

Authors: Ted Humphreys & Angelika Plate

Published by: British Standards Institute in 2005. 123 pages.

ISBN: 0 580 46003 7.

Price: ~£40 from BSI (ref: BIP 0072).

Other resources

Numerous Internet sites are listed on the links page. Check 'em out!


Note to publishers and authors: we are more than happy to review and publicize new books in this area, provided you are willing to accept our brutally-honest no-holds-barred review comments. If that hasn’t put you off, please contact us for details of where to send your preview copies.


* We earn a little commission if you follow the Amazon links above and purchase stuff, “little” being the operative word unfortunately (just a few percent). The commission goes towards buying yet more information security books from Amazon which we then review and add to this list. If you begrudge us earning commission, feel free to visit www.Amazon.com or their competitors independently and search for the books yourself. We don’t earn a penny from the other publishers/suppliers :-(

Copyright © 2008 IsecT Ltd.