Book review: '27001 for SMEs

ISO/IEC 27001 for Small Businesses: Practical Advice

Author: Edward Humphreys

Publisher: ISO/IEC, 2010

Length: 138 pages

ISBN: 978-92-67-10517-8

Price: CHF50 from ISO

Scope and purpose

According to the marketing blurb, this book “takes the mystery out of information security and presents a practical, clearly explained step-by-step approach for SMEs [Small to Medium-sized Enterprises] to implementing an ISMS based on ISO/IEC 27001.”

Author

Professor Ted Humphreys is regarded as the grandfather of the BS7799 and ISO27k standards.  Ted has led the national and international committees responsible for their development from the outset.

Audience

Whereas the ISO27k standards and other books are mostly aimed at relatively large organizations, this one is unusual in that it is primarily intended for owners/general managers and those tasked with managing and implementing information security in SMEs.  SMEs face unique challenges, for example hardly any have information security professionals on the payroll - many don’t even have their own IT people.  Nevertheless, they may be every bit as reliant on their information assets as larger organizations.

Content

The book primarily achieves its aim by working systematically through the information security risk management process recommended by ISO/IEC 27001.  It covers:

  • Introduction - to information security, Information Security Management Systems (ISMSs) and the Plan-Do-Check-Act approach recommended by ISO/IEC 27001;
  • Scoping the ISMS - an important consideration for a larger organization but generally self-evident for SMEs (normally, the ISMS scope covers the entire organization).  Even so, the author stresses the need to identify the key information processing activities and systems, and to determine any legal and regulatory compliance requirements for information security;
  • Documentation - i.e. writing down the security policies and procedures;
  • Information security management responsibilities - essentially about governing information security through a management function, suitably resourced;
  • Information security policy - with a simple and succinct model policy that SMEs might usefully customize and adopt;
  • Information security risk management - suggestions on how to measure and assess the risks;
  • Information security risk treatment - selecting mitigating controls drawing on Annex A of ISO/IEC 27001, barely hinting at the much more detailed advice available in ISO/IEC 27002;
  • ISMS implementation - a very brief outline of the activities likely to be required to establish an ISMS in an SME;
  • Monitoring and review - about reviewing the operational effectiveness of the ISMS to determine whether improvements are necessary;
  • ISMS internal audits - ditto;
  • Management review - ditto;
  • Improving and maintaining the ISMS - ditto;
  • Demonstrating conformity - through self assessment, independent review and/or certification by an accredited certification body;
  • Annexes - covering other management systems (e.g. ISO 9001 for quality management), additional resources, business continuity (enough useful content here to merit this being in the main body of the book), a catalog of common information security threats and incidents, HR issues (again, enough meat to have been a main-body chapter), and software vulnerability management (patching etc.).

SWOT analysis

Strengths

  • Short, clear and easy to read
  • Well structured - tells a story
  • Simplifies the process without losing the guts of it

Weaknesses

  • Limited guidance in some areas (e.g. ISMS implementation)
  • Minimal reference to other ISO27k standards
  • Few diagrams
  • Could have said more about promoting the business value of information security

Opportunities

  • A decent introductory text for SME managers who are not familiar with information security management per se
  • Should encourage more SMEs to adopt ISO27k

Threats

  • May set unrealistic management expectations if it appears too easy and straightforward to implement an ISMS

Style

The format is an A5-sized ring-bound book, similar to a lab notebook.  Its 50,000 words are quite quick to read and easy to absorb.

Each subsection is titled with a question e.g. “7.3  Has your organization considered the costs and benefits of implementing information security?  Yes: go to next question (7.4).  No: see guidance below.”  In theory, following the guidance, readers can skim over things that they already do or know about, but of course they could do that anyway.  Personally I found the questions unnecessary and a little distracting but maybe that’s just me.

Conclusion

If you work for an SME that is coming under pressure from customers, business partners, owners or regulators to improve your information security (perhaps as a result of an incident or to manage their risks), this book gives you a starting point - the basic background information and the bare bones of an action plan.  You will need the standards as well if you pick up the task to ‘make it so’, but be sure to pass the book on to the MD or CEO with your investment proposal or project plan.

Copyright © 2013 IsecT Ltd.