IT Governance A Manager's Guide to Data Security and ISO 27001/ISO 27002

ISBN-10: 0749452714

ISBN-13: 9780749452711

Edition: 4th 2008

Authors: Alan Calder, Steve Watkins

List price: $90.00

Information is widely regarded as the lifeblood of modern business, but organizations face a flood of threats to this "intellectual capital": hackers, viruses and online fraud. Increasingly, data protection and privacy regulation, computer misuse law and legislation on investigatory powers form a complex and often competing range of requirements to which directors must respond. IT Governance will be essential to board members, executives, owners and managers of any business or organization that depends on information, uses computers on a regular basis or has an internet aspect to its overall strategy. With coverage of the Turnbull Report and the Combined Code…

Book details

Edition: 4th
Copyright year: 2008
Publisher: Kogan Page, Limited
Publication date: 6/28/2008
Binding: Paperback
Pages: 384
Size: 6.75" wide x 9.25" long x 1.00" tall
Weight: 1.694 lb
Language: English

Alan Calder is a founder-director of IT Governance Ltd, which provides IT governance and information security services through its website. He is the author of Corporate Governance, IT Governance and International IT Governance, all published by Kogan Page.

Table of contents
Why is information security necessary?
The nature of information security threats
The prevalence of information security threats
Impacts of information security threats
Future risks
Benefits of an information security management system
The Combined Code, the Turnbull Report and Sarbanes-Oxley
The Combined Code
The Turnbull Report
The Revised Combined Code
IT governance
Benefits of certification
The history of ISO27001 and ISO27002
The ISO/IEC 27000 series of standards
Use of the standard
ISO/IEC 27002
The Plan-Do-Check-Act and process approach
Structured approach to implementation
Quality system integration
Continual improvement and metrics
Organizing information security
Internal organization
Management review
Information security manager
The cross-functional management forum
The ISO27001 project group
Approval process for information processing facilities
Product selection and the Common Criteria
Specialist information security advice
Contact with authorities and special interest groups
Independent review of information security
Information security policy and scope
Information security policy
A policy statement
Costs and the monitoring of progress
The risk assessment and statement of applicability
Establishing security requirements
Risks, impacts and risk management
Selection of controls and statement of applicability
Gap analysis
Risk assessment tools
Risk treatment plan
Measures of effectiveness
External parties
Identification of risks related to external parties
Types of access
Reasons for access
On-site contractors
Addressing security when dealing with customers
Addressing security in third-party agreements
Asset management
Asset owners
Acceptable use of assets
Information classification
Unified classification markings
Information labelling and handling
Non-disclosure agreements and trusted partners
Human resources security
Job descriptions and competency requirements
Terms and conditions of employment
During employment
Disciplinary process
Termination or change of employment
Physical and environmental security
Secure areas
Public access, delivery and loading areas
Equipment security
Equipment siting and protection
Supporting utilities
Cabling security
Equipment maintenance
Security of equipment off-premises
Secure disposal or reuse of equipment
Removal of property
Communications and operations management
Documented operating procedures
Change management
Segregation of duties
Separation of development, test and operational facilities
Third-party service delivery management
Monitoring and review of third-party services
Managing changes to third-party services
System planning and acceptance
Controls against malicious software (malware) and back-ups
Viruses, worms and Trojans
Anti-malware software
Hoax messages
Anti-malware controls
Airborne viruses
Controls against mobile code
Network security management and media handling
Network management
Media handling
Exchanges of information
Information exchange policies and procedures
Exchange agreements
Physical media in transit
Business information systems
Electronic commerce services
E-commerce issues
Security technologies
Server security
Online transactions
Publicly available information
E-mail and internet use
Security risks in e-mail
Misuse of the internet
Internet acceptable use policy
Access control
Hacker techniques
System configuration
Access control policy
User access management
Clear desk and clear screen policy
Network access control
Network security
Operating system access control
Secure log-on procedures
User identification and authentication
Password management system
Use of system utilities
Session time-out
Limitation of connection time
Application access control and teleworking
Application and information access control
Mobile computing and teleworking
Systems acquisition, development and maintenance
Security requirements analysis and specification
Correct processing in applications
Cryptographic controls
Public key infrastructure
Digital signatures
Non-repudiation services
Key management
Security in development and support processes
System files
Access control to program source code
Development and support processes
Vulnerability management
Monitoring and information security incident management
Information security events
Management of information security incidents and improvements
Legal admissibility
Business continuity management
The business continuity management process
Business continuity and risk assessment
Developing and implementing continuity plans
Business continuity planning framework
Testing, maintaining and reassessing business continuity plans
Identification of applicable legislation
Intellectual property rights
Safeguarding of organizational records
Data protection and privacy of personal information
Prevention of misuse of information processing facilities
Regulation of cryptographic controls
Compliance with security policies and standards, and technical compliance checking
Information systems audit considerations
The ISO27001 audit
Selection of auditors
Initial audit
Preparation for audit
Useful websites
Further reading