Further help is available for those implementing the information security management standards ISO/IEC 27001 and ISO/IEC 27002 in the form of a small but growing collection of books and other written materials. This page gives brief outlines and links to more information and places to buy them*.
The ISO27k standards
As noted in the FAQ, the best books about ISO/IEC 27001, ISO/IEC 27002 and the other standards are ... the standards themselves. Read the FAQ for details of where to buy the standards, how much they cost etc. If you are seriously interested in information security management, you must buy and study the definitive ISO27k standards. Read them carefully, cover to cover, several times. Make notes, draw mind maps, discuss them with colleagues, write policies and guidelines, go on courses, review them, suggest improvements, chat about them on the ISO27k Forum, whatever helps really. Your detailed knowledge of the standards will be invaluable during the months and years ahead.
Books about implementing the ISO27k standards
IT governance - an international guide to data security and ISO27001/ISO27002 by Alan Calder and Steve Watkins may not be the best governance book but it is excellent on the information security controls in ISO/IEC 27002. Review here.
ISO/IEC 27001 for Small Businesses - Practical Advice by Ted Humphreys gives a straightforward introduction to ISMSs, and lays out the main steps involved in designing, implementing and operating one. Book review here.
Information Security Risk Management - Handbook for ISO/IEC 27001 by Professor Edward Humphreys (BSI, 2010 - ~£40 from BSI Shop) is more about implementing and using ISO/IEC 27001 than using ISO/IEC 27005, contrary to what is implied by the title and stated in the BSI sales blurb. Read our book review.
Implementing the ISO/IEC 27001 Information Security Management System Standard by Professor Edward Humphreys (Artech House, 2007 - ~US$68 from Amazon) is an authoritative guide from “the father of the ISO27k standards”, covering business risks to governance and compliance, from ISMS design and deployment through to system monitoring, reviewing and updating.
How to Achieve 27001 Certification - An Example of Applied Compliance Management by Sigurjon Thor Arnason and Keith D. Willett (Auerbach, 2007 - ~US$57 from Amazon) is one of a number of books currently available online as a free service to ISACA members. The book aims to provide a foundation for understanding and creating a security management framework and ISMS, with guidance on evaluating and selecting ISMS and compliance management tools and processes based on ISO/IEC 27001 and 27002. It covers planning and implementing an ISMS, through to certification.
Implementing ISO27001 in a Windows environment by Brian Honan (~US$70 from IT Governance) gives implementation advice on the technical controls recommended by ISO/IEC 27001 for organizations with Microsoft Windows systems. Read our review of the book here.
Guidelines on Requirements and Preparation for ISMS Certification based on ISO/IEC 27001. Provides guidance on ISO/IEC 27001 and ISO/IEC 27002, and industry-accepted best practice methods for providing and demonstrating the evidence required by an assessment auditor. Includes references and definitions, additional information about the latest developments regarding certification criteria and other related standards, an example policy statement, and a breakdown of the differences between ISO/IEC 27001:2005 and its precursor BS 7799-2:2002.
Authors: Ted Humphreys & Angelika Plate.
Published by: British Standards Institute in 2005. 49 pages.
ISBN: 0 580 46002 9.
Price: ~£25 from BSI (ref: BIP 0071).
Are You Ready for an ISMS audit based on BS ISO/IEC 27001? This Guide is intended primarily for use by organizations seeking to prepare for certification to ISO/IEC 27001. The pre-certification assessment is best carried out under the supervision of the person responsible for information security in the organization or by internal audit staff. System developers may also find it a useful reference document when considering the security aspects of new systems. Includes an ISMS process check and a gap analysis workbook.
Authors: Ted Humphreys & Angelika Plate.
Published by: British Standards Institute in 2005. 123 pages.
ISBN: 0 580 46003 7.
Price: ~£40 from BSI (ref: BIP 0072).
Guide to the implementation and auditing of ISMS controls based on ISO/IEC 27001. Lays out the requirements that auditors must address when certifying organizations against ISO/IEC 27001, along with guidance on the implementation, checking and auditing of the controls.
Author: Ted Humphreys.
Published by: British Standards Institute in 2005. 130 pages.
ISBN: 0 580 46004 5.
Price: ~£50 from BSI (ref: BIP 0073).
Measuring the effectiveness of your ISMS implementations based on ISO/IEC 27001. With increasing international interest in the field of ISMS metrics and measurements, this publication brings together the different methods that are currently in use to measure controls and/or processes. In addition, it gives further information and guidance about various methods to measure the success of security arrangements in place.
Authors: Ted Humphreys & Angelika Plate.
Published by: British Standards Institute in 2005/6. 68 pages.
ISBN: 0 580 46015 0.
Price: ~£35 from BSI (ref: BIP 0074).
ISO27k-related information security books
PRAGMATIC Security Metrics: Applying Metametrics to Information Security by Krag Brotby and Gary Hinson describes a systematic approach for assessing and scoring metrics being considered to support information security.
Provided you are not expecting detailed guidance on how to raise security awareness, Asset Protection through Security Awareness gives reasonable introductory-level coverage of network/ICT security including some aspects that are barely mentioned in similar texts.
If you are tasked with preparing, reviewing or approving information security strategies and policies in the context of an ISMS, or if you have governance or management responsibilities in this area, Information Security Governance by Krag Brotby will help you make practical sense of the confusing morass of advice regarding governance.
Information Security Management Metrics by Krag Brotby covers the difficult topic of designing a system of metrics that form a vital part of an Information Security Management System. This is arguably the most complicated and challenging area to get right. Krag’s book lays the groundwork necessary to appreciate the range of possible metrics, and then to select the most appropriate ones. Read our book review for more.
The ITIL v3 security book extensively revises the v2 predecessor book and is now much better aligned with the ISO27k ISMS standards. Read our full review here.
Information Security Incident Management - A Methodology by Neil Hare-Brown draws on ISO/IEC 27002 section 13 and other sources. Buy this book if you are designing or reviewing information security incident management processes, perhaps as part of implementing ISO/IEC 27002, and if you work in a government or large commercial organization that needs a comprehensive, well-structured incident management process. Read our in-depth book review for more.
There are of course many books on information security in general as well as specialist titles covering narrower aspects in greater depth. Amazon lists thousands of information security books. With such a diversity of books, it is largely a matter of personal choice but if you can’t browse the information security bookshelf at a technical bookstore, we’d recommend taking independent advice such as the Amazon reader feedback comments or Rob Slade’s excellent reviews before parting with your money.
Study prep guides for qualifications such as CISSP and CISM have reasonably broad coverage of information security albeit not directly aligned with ISO/IEC 27001, ISO/IEC 27002 etc. They arguably lack the depth necessary to implement information security controls sufficiently well.
Textbooks such as Hal Tipton's Information Security Management Handbook and Mark Stamp's Information Security: Principles and Practice look good on the information security manager’s bookshelf and, again, provide broad coverage in more depth than the exam prep guides.
There are many Internet sites of interest listed on the links page. Check ’em out!
Note to publishers and authors: we are more than happy to review and publicize new books in this area, provided you are willing to accept our brutally-honest no-holds-barred review comments. If that hasn’t put you off, please contact us for details of where to send your preview copies.
* We earn a little sales commission from Amazon if you follow the links and buy stuff from Amazon - little being the operative word unfortunately. It’s barely enough to buy a cup of coffee. If you begrudge us our commission, don’t follow the links.