Abhishek Chopra and Mukund Chaudhary

Implementing an Information Security Management System

Security Management Based on ISO 27001 Guidelines

Abhishek Chopra
Faridabad, Haryana, India
Mukund Chaudhary
Noida, India
ISBN 978-1-4842-5412-7
e-ISBN 978-1-4842-5413-4
© Abhishek Chopra, Mukund Chaudhary 2020
Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.
While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.
Distributed to the book trade worldwide by Springer Science+Business Media New York, 233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail [email protected], or visit www.springeronline.com. Apress Media, LLC is a California LLC and the sole member (owner) is Springer Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance Inc is a Delaware corporation.

This book is dedicated to my grandfather, the late Kameshwar Chaudhary

Introduction

Thank you very much for purchasing this book legally. Information security professionals have access to confidential data that belongs to the organization and, therefore, they must possess high ethical standards.

This book begins by discussing the need for information security and assessing the need and scope of the audit. Most of us do not know where to start the implementation in our organizations, so this book guides you step by step. The book covers the initial risk assessment and the risk management approach. Each control is explained in detail, per the ISO 27001 standard, so that implementation is easy even for novice readers. The book also covers audit requirements, explains how to conduct the audits, and discusses how to close the gaps/findings.

This book discusses the process of conducting management reviews and best practices to manage and close the audit. Finally, it focuses on continual improvement of the organization’s information security system.

Who This Book Is For

This book is for security professionals who want to implement and manage a security framework/controls within their organization. For example, it’s for security managers, IT consultants, IT auditors, management professionals, and anybody else who aspires to work as a security professional. This includes beginners who are seeking to gain knowledge about information security concepts. Anybody with very basic knowledge of security concepts can learn from this book. It does not require expertise with security tools.

The book is organized in such a way that beginners with no prior security experience will also get good insights into the audit cycle. Each chapter has a specific purpose; however, you can skip chapters and read only the ones that meet your needs. For example, if you already know why information security is needed, feel free to move to the next chapter. However, for best results, we do not recommend skipping chapters.

Some of you may have already completed an audit in your organization and you want to focus more on post-audit activities. In that case, we recommend you read all the tips shared in the “Management Review” and “Continual Improvement” chapters (Chapters 8 and 10).

Acknowledgments

I would like to thank all the special people below.

My older sister, Meenakshi Chopra, guided my career path, introduced me to the field of information security, and taught me its importance. My brother-in-law, Rajasekaran Stanley, has been a great support and has always encouraged me to do new things.

Heartfelt respect for my dear friend and brotherly figure Mukund Chaudhary, who inspired me to write my experiences in this book. Special thanks to my mother, Anita Chopra, who is my number one guide and a true inspiration to me. To my colleagues and friends, Anushka and Suchee, thank you for encouraging me and always sharing your best wishes.

Finally, thank you to the editors for their aspiring guidance and friendly advice, especially Divya Modi and Nikhil Karkal.

—Abhishek Chopra

I would like to thank my organization, which gave me the opportunity to take ownership of the ISO 27001 implementation and supported me with training. I’d also like to express my gratitude to everyone who supported me while I was writing this book. I am thankful to the editors for their inspiring guidance and friendly advice, especially to Nikhil Karkal and Divya Modi.

I would also like to thank all my colleagues and friends for their support. I sincerely thank everyone, including my parents, my wife Nandita, and my friends and teammates who encouraged me to write. Special thanks to my grandfather, the late Kameshwar Chaudhary, who always inspired me to write.

—Mukund Chaudhary

Table of Contents

Index 267

About the Authors and About the Technical Reviewer

About the Authors

Abhishek Chopra

is a quality professional with more than 14 years of experience implementing CMMi, ISO 9001, ITIL, and ISO 27001. He holds a black belt in Lean Six Sigma and is a certified ISO 27001 lead auditor.

Mukund Chaudhary

is a certified project management professional with more than a decade of experience in managing software projects, internal audits, CMMI, and ISO 27001. In his leisure time, he can be found reading articles and exploring emerging technologies.


About the Technical Reviewer

Dominic Fernandes
is a seasoned and highly experienced veteran of the information systems architecture and security arena. He has worked with leading-edge technologies in challenging environments across various global and multinational industries.

Among his strengths are IS audits, project management, team building, and organizational strategy.

Dominic Fernandes is an avid reader of varied content, ranging from leading edge technology to biographies and economy. He loves and appreciates music and languages across cultures and is a nature lover and environmentalist.
