v. 1

ISO27001: A Pocket Guide

by Steve Watkins

Published 1 March 2007
This book is intended to meet the needs of two groups: individual readers who have turned to it as an introduction to a topic they know little about, and organizations implementing, or considering implementing, some sort of information security management regime, particularly one based on ISO/IEC 27001:2005. In either case, the book gives readers an understanding of the basics of information security, including: a definition of what information security means; how information security can be managed using an approach recognised world-wide; the factors that need to be considered in an information security regime, including how the perimeter (scope) of such a scheme can be properly defined; how an information security management system can ensure it gets the maximum effect from whatever budget it has; the sorts of things resources might be invested in to deliver a consistent level of assurance; and how organizations can demonstrate the degree of assurance they offer with regard to information security, how to interpret a claim of adherence to the ISO 27001 standard, and exactly what such a claim means.
Corporate bodies will find this book useful at a number of stages in any information security project, including: at the decision-making stage, to ensure that those committing to an information security project do so from a truly informed position; at project initiation, as an introduction to information security for the project board, project team members and those on the periphery of the project; and as part of an ongoing awareness campaign, being made available to all staff[1] and to new starters as part of their induction. Corporate users may get the most benefit from making the Pocket Guide available with a small flyer inside it explaining how the various sections relate to their own environment, or where each is addressed in their own information security management system (ISMS). The book is designed to be read without frequent breaks from the text, but a list of abbreviations, terms and definitions is provided in chapter 7 for easy reference.
Where footnotes have been added they are not essential reading; if you are new to the subject it is recommended that you ignore them on a first read-through. On a second reading they will be of more relevance, particularly if you are involved in an information security project or decision at any stage. Having finished your initial read-through, it is suggested you keep a copy for easy reference. This is not an implementation or 'how to do it' guide. Implementing an ISO 27001 compliant ISMS requires more advice than a Pocket Guide such as this is designed to offer. In most cases the project will amount to a significant business change project, and will require all the project governance arrangements that suit such an undertaking. Books offering suitably detailed advice are available, such as "IT Governance: A Manager's Guide to Data Security and BS 7799/ISO 17799" (3rd edition); it, along with numerous other helpful tools, advice and related information, can be obtained from the sources signposted in chapter 7.

All organizations face risks to information and information assets. Many organizations seek to identify and control those risks, usually as part of a structured approach to information security risk management. ISO/IEC 27001:2005 is an international standard specification for an Information Security Management System (ISMS). Organizations that develop an ISMS in line with the specification of ISO27001 can obtain external, third-party certification that their ISMS conforms to the standard, and such a certificate can have significant commercial, financial and compliance benefits. ISO/IEC 17799:2005 (renumbered ISO/IEC 27002 later in 2007) is the international Code of Practice for information security; it provides detailed guidance to support the specification contained in ISO27001 but is not, itself, a specification, so an organization cannot be certified against it. Risk assessment is at the heart of risk management, and the two together form the core competences of information security management. ISO27001 specifies a series of steps that must form part of the risk assessment. While a number of people in the organization will have a role to play in risk assessment, these steps include a specific role for what the standard describes as 'asset owners'.
This Pocket Guide to the ISO27001 risk assessment is designed to assist asset owners and others working within an ISO27001/ISO17799 framework to deliver a qualitative risk assessment. It also conforms to the guidance provided in BS 7799-3:2006 and NIST SP 800-30.

v. 3

This pocket book explains what an assessment is, why organisations bother with them, and what individual staff should do and, perhaps as importantly, should not do if an auditor chooses to question them. The fact that your organisation has made this available to you suggests you are seeking, or already hold, ISO 27001 certification. It is therefore worth reading this short introduction to understand: what an assessment is; why information security is important; what happens during an assessment; what to consider when answering an auditor's questions; what happens when an auditor finds something wrong; your policies and how to prepare; and where to go for further information and who to ask. Finally, an appendix explains some of the terms used in this pocket book.