IT governance: an international guide to data security and ISO 27001/ISO 27002
Edition: 7
Authors: Steve Watkins, Alan Calder
Series:
ISBN: 9780749496951, 1789660300
Publisher:
Year of publication: 2020
Number of pages: 408
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on request)
File size: 3 MB
If you need the file of the book IT governance: an international guide to data security and ISO 27001/ISO 27002 converted to PDF, EPUB, AZW3, MOBI or DJVU, you can notify support to convert the requested file.
Note that the book IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002 is the original-language edition and is not a Persian translation. The International Library website offers original-language books only and does not offer any books translated into or written in Persian.
Implement an effective and compliant information security management system using IT governance best practice
Table of contents

Halftitle
Title
Copyright
Table of Contents
About The Authors

Introduction
  The information economy
  What is IT governance?
  Information security

01 Why is information security necessary?
  The nature of information security threats
  Information insecurity
  Impacts of information security threats
  Cybercrime
  Cyberwar
  Advanced persistent threat
  Future risks
  Legislation
  Benefits of an information security management system

02 The Corporate Governance Code, the FRC Risk Guidance and Sarbanes–Oxley
  The Combined Code
  The Turnbull Report
  The Corporate Governance Code
  Sarbanes–Oxley
  Enterprise risk management
  Regulatory compliance
  IT governance

03 ISO27001
  Benefits of certification
  The history of ISO27001 and ISO27002
  The ISO/IEC 27000 series of standards
  Use of the standard
  ISO/IEC 27002
  Continual improvement, Plan–Do–Check–Act, and process approach
  Structured approach to implementation
  Management system integration
  Documentation
  Continual improvement and metrics

04 Organizing information security
  Internal organization
  Management review
  The information security manager
  The cross-functional management forum
  The ISO27001 project group
  Specialist information security advice
  Segregation of duties
  Contact with special interest groups
  Contact with authorities
  Information security in project management
  Independent review of information security
  Summary

05 Information security policy and scope
  Context of the organization
  Information security policy
  A policy statement
  Costs and the monitoring of progress

06 The risk assessment and Statement of Applicability
  Establishing security requirements
  Risks, impacts and risk management
  Cyber Essentials
  Selection of controls and Statement of Applicability
  Statement of Applicability Example
  Gap analysis
  Risk assessment tools
  Risk treatment plan
  Measures of effectiveness

07 Mobile devices
  Mobile devices and teleworking
  Teleworking

08 Human resources security
  Job descriptions and competency requirements
  Screening
  Terms and conditions of employment
  During employment
  Disciplinary process
  Termination or change of employment

09 Asset management
  Asset owners
  Inventory
  Acceptable use of assets
  Information classification
  Unified classification markings
  Government classification markings
  Information lifecycle
  Information labelling and handling
  Non-disclosure agreements and trusted partners

10 Media handling
  Physical media in transit

11 Access control
  Hackers
  Hacker techniques
  System configuration
  Access control policy
  Network Access Control

12 User access management
  User access provisioning

13 System and application access control
  Secure log-on procedures
  Password management system
  Use of privileged utility programs
  Access control to program source code

14 Cryptography
  Encryption
  Public key infrastructure
  Digital signatures
  Non-repudiation services
  Key management

15 Physical and environmental security
  Secure areas
  Delivery and loading areas

16 Equipment security
  Equipment siting and protection
  Supporting utilities
  Cabling security
  Equipment maintenance
  Removal of assets
  Security of equipment and assets off-premises
  Secure disposal or reuse of equipment
  Clear desk and clear screen policy

17 Operations security
  Documented operating procedures
  Change management
  Separation of development, testing and operational environments
  Back-up

18 Controls against malicious software (malware)
  Viruses, worms, Trojans and rootkits
  Spyware
  Anti-malware software
  Hoax messages and Ransomware
  Phishing and pharming
  Anti-malware controls
  Airborne viruses
  Technical vulnerability management
  Information Systems Audits

19 Communications management
  Network security management

20 Exchanges of information
  Information transfer policies and procedures
  Agreements on information transfers
  E-mail and social media
  Security risks in e-mail
  Spam
  Misuse of the internet
  Internet acceptable use policy
  Social media

21 System acquisition, development and maintenance
  Security requirements analysis and specification
  Securing application services on public networks
  E-commerce issues
  Security technologies
  Server security
  Server virtualization
  Protecting application services transactions

22 Development and support processes
  Secure development policy
  Secure systems engineering principles
  Secure development environment
  Security and acceptance testing

23 Supplier relationships
  Information security policy for supplier relationships
  Addressing security within supplier agreements
  ICT supply chain
  Monitoring and review of supplier services
  Managing changes to supplier services

24 Monitoring and information security incident management
  Logging and monitoring
  Information security events and incidents
  Incident management – responsibilities and procedures
  Reporting information security events
  Reporting software malfunctions
  Assessment of and decision on information security events
  Response to information security incidents
  Legal admissibility

25 Business and information security continuity management
  ISO22301
  The business continuity management process
  Business continuity and risk assessment
  Developing and implementing continuity plans
  Business continuity planning framework
  Testing, maintaining and reassessing business continuity plans
  Information security continuity

26 Compliance
  Identification of applicable legislation
  Intellectual property rights
  Protection of organizational records
  Privacy and protection of personally identifiable information
  Regulation of cryptographic controls
  Compliance with security policies and standards
  Information systems audit considerations

27 The ISO27001 audit
  Selection of auditors
  Initial audit
  Preparation for audit
  Terminology

Appendix 1 Useful websites
  IT Governance Ltd
  ISO27001 certification-related organizations
  Microsoft
  Information security

Appendix 2 Further reading
  ISO27000 family of standards includes
  Books
  Toolkits

Index