Book review: IS risk mgmt
Book review

Information Security Risk Management:
Handbook for ISO/IEC 27001

Author: Edward Humphreys

Publisher: BSI (London), 2010

Length: 165 pages

ISBN: 978-0-580-60745-5

Price: ~£40 from BSI Shop


Executive summary

The book is primarily a guide to implementing the ISO27k standards, particularly the formal Information Security Management System specification ISO/IEC 27001.  It covers some aspects of information security risk management, which of course is the purpose of the ISMS once implemented, but not in as much detail as other information security risk management books.  The book works well as an ISO/IEC 27001 implementation guide.

Scope and purpose

The scope of the book covers the implementation process from initial justification of an ISMS project through to normal operation and certification of the ISMS against ISO/IEC 27001, including periodic recertification and ongoing preventive and corrective actions. 

Although the title emphasizes risk management, the book is not solely concerned with activities such as risk analysis/assessment and the selection of risk treatments.  Those activities are naturally important parts of any ISMS implementation and are well described, but the book addresses information security risk management in a more general, all-encompassing sense.

The key process of selecting appropriate controls to address unacceptable information security risks is outlined, listing common controls only briefly.  ISO/IEC 27002 offers a lot more advice in this area, particularly in respect of technological (IT) security controls.

Author

Professor Ted Humphreys is regarded as the grandfather of the BS7799 and ISO27k standards.  Ted has led the national and international committees responsible for their development from the outset. 

Audience

The book is primarily intended for business managers and staff responsible for ISMSs in all kinds and sizes of organization.  The limited technical content and business focus are well suited to general business managers who want or need to know about managing their information security risks.  The clear writing style will also suit non-native English speakers better than many other ISO27k or information security books.

Content

The book covers:

  • An introduction to risks of various kinds, information security risks in particular;
  • An outline of the ISO27k approach to managing information security risks in the context of an ISMS;
  • An illustration of one risk assessment/scoring method (chapter 4);
  • Brief introductions to deciding how to treat risks, and selecting mitigating information security controls;
  • Advice on monitoring, reviewing and improving the treatment of risks, plus on the documentation and auditing of an ISO27k ISMS;
  • An outline of the ISO27k standards.

Among other things, chapter 4 describes a qualitative information security risk assessment and scoring method, variants of which are widely used in practice.  The basic idea is to rate threats, vulnerabilities, asset values and impacts on simple 1-9 scoring scales, then combine them through two tables, ending up with risk scores that can be used to rank the risks.  The description is much shorter and simpler than that in ISO/IEC 27005, and does not even mention other ways of assessing and ranking information security risks, such as quantitative risk analysis methods, which is odd given that risk management is supposedly the core topic of the book.
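To make the two-stage scoring concrete, here is an added Python illustration written for this review page; it is not the book's method, and none of its tables come from the book.  Only the shape comes from the description above: four factors rated 1 to 9 and two combination tables that yield a rankable score.  The two tables, the treatment of "risk of exposure" as the output of the first table, the collapsing of asset value and impact into a single consequence rating, the sample register and the tie-breaking rules are all assumptions made here.  It also adds the two checks a practitioner would want before trusting such a scheme: that each table is monotone (a higher input can never produce a lower output) and that tied scores are surfaced rather than silently ordered.

```python
"""Two-stage qualitative risk scoring in the style sketched in chapter 4.

Added illustration, not the book's method or tables: the 1-9 scales come
from the review's description, but both combination tables, the 'risk of
exposure' definition, the consequence rating, the register entries and the
ranking rules are assumptions made here.
"""
from dataclasses import dataclass
from itertools import product

SCALE = range(1, 10)  # 1 = lowest, 9 = highest


def build_table(rule):
    """Materialise a 9x9 table from a rule so every cell is an explicit,
    reviewable number rather than a formula buried in code."""
    return {(a, b): rule(a, b) for a, b in product(SCALE, SCALE)}


# Table 1 (assumed): threat x vulnerability -> 'risk of exposure', 1-9.
# Rule: mean of the two, rounded up, so a high threat against a weak
# control scores high even when the other factor is moderate.
EXPOSURE_TABLE = build_table(lambda t, v: -(-(t + v) // 2))


def _risk_rule(exposure, consequence):
    """Table 2 rule (assumed): the larger rating, dragged down one step
    when the other is low (<= 3), so a trivial consequence never ranks
    top however exposed the asset is."""
    hi, lo = max(exposure, consequence), min(exposure, consequence)
    return hi - 1 if lo <= 3 and hi > 1 else hi


RISK_TABLE = build_table(_risk_rule)


@dataclass(frozen=True)
class Risk:
    ident: str
    scenario: str
    threat: int         # likelihood the threat acts, 1-9
    vulnerability: int  # ease of exploitation / control weakness, 1-9
    asset_value: int    # 1-9
    impact: int         # consequence if the risk is realised, 1-9


def check_inputs(r):
    """Reject ratings outside the 1-9 scale before any table lookup."""
    for name in ("threat", "vulnerability", "asset_value", "impact"):
        v = getattr(r, name)
        if v not in SCALE:
            raise ValueError(f"{r.ident}: {name}={v} is outside 1-9")


def score(r):
    """Return (exposure, consequence, risk score) for one register entry."""
    check_inputs(r)
    exposure = EXPOSURE_TABLE[(r.threat, r.vulnerability)]
    # Assumption: asset value and impact collapse to one consequence
    # rating before the second table (the review does not say how the
    # book feeds four ratings through two tables).
    consequence = max(r.asset_value, r.impact)
    return exposure, consequence, RISK_TABLE[(exposure, consequence)]


def rank(register):
    """Rank by risk score, then exposure, then consequence, then identifier
    so the order is deterministic; returns (ident, risk, exposure, consequence)."""
    rows = []
    for r in register:
        e, c, s = score(r)
        rows.append((r.ident, s, e, c))
    return sorted(rows, key=lambda row: (-row[1], -row[2], -row[3], row[0]))


def tied_groups(ranked):
    """Identifiers sharing a risk score: ordinal scores only order risks,
    so ties must be resolved by judgement, not by the tie-break sort."""
    groups = {}
    for ident, s, _, _ in ranked:
        groups.setdefault(s, []).append(ident)
    return [ids for ids in groups.values() if len(ids) > 1]


def is_monotone(table):
    """A combination table must never let a higher input give a lower
    output, or the ranking becomes incoherent; check every cell."""
    for (a, b), val in table.items():
        if a < 9 and table[(a + 1, b)] < val:
            return False
        if b < 9 and table[(a, b + 1)] < val:
            return False
    return True


REGISTER = [  # constructed sample register, not from the book
    Risk("R1", "SQL injection in customer web app", 8, 7, 9, 9),
    Risk("R2", "Loss of full-disk-encrypted laptop", 6, 2, 7, 3),
    Risk("R3", "Defacement of throwaway test server", 7, 8, 2, 2),
    Risk("R4", "Off-site backup tape lost in transit", 3, 5, 8, 8),
    Risk("R5", "Phishing of finance staff", 9, 6, 6, 7),
]

if __name__ == "__main__":
    assert is_monotone(EXPOSURE_TABLE) and is_monotone(RISK_TABLE)
    for ident, s, e, c in rank(REGISTER):
        print(f"{ident}: risk={s} exposure={e} consequence={c}")
    print("tied:", tied_groups(rank(REGISTER)))
```

Running it ranks R1 first and reports two tied pairs: the lost backup tape and the phishing scenario share a score of 8, and the low-value test server ties with the encrypted laptop at 7 despite a far smaller consequence.  That second tie is the kind of result the reviewer's caveat about ordinal scoring points at: the tables produce an ordering, not a magnitude, and the analyst still has to look at the tied entries.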

There is a golden nugget on page 52: the list of seven ‘considerations’ would form an excellent basis for a job description for the Information Security Manager.  The first point is especially beneficial: “The principal role of those managing and treating information security risks is to convince colleagues across the business to deliver security through their everyday actions and decisions - not to carry out information security for the company”.  Many an overloaded ISM would appreciate more emphasis on holding business people accountable for securing their assets, and on supporting them in fulfilling their security responsibilities.

SWOT analysis

Strengths

  • Clearly and straightforwardly written, making the advice equally accessible to readers for whom English is or is not their first language
  • Offers consistently ISO27k-aligned advice in all the main areas
  • Goes a little beyond ISO27k in describing a typical numeric method for scoring risks
  • Mentions some soon-to-be-published ISO27k standards
  • Approximately 50,000 words: about the right length for the subject matter and intended audience
  • Gives an excellent description of the Information Security Manager’s role

Weaknesses

  • Promotes somewhat bureaucratic structures and approaches that are arguably better suited to larger organizations than small to medium-sized enterprises (as indeed is ISO27k)
  • Does not go much beyond the advice given in ISO/IEC 27001 and 27002, making limited reference to other ISO27k standards such as ISO/IEC 27003 and 27004, or to other information security or risk management standards, most notably ISO/IEC 27005
  • Introduces the concept of “risk of exposure” as an interim step in the risk scoring process but doesn’t explain or develop the concept much

Opportunities

  • Useful for those new to ISO27k, and can be used by management to re-assess or re-invigorate an ISO27k implementation project
  • Useful also for management to consider ISO27k project proposals prior to authorizing them

Threats

  • Suffers from “ISO27k myopia”: approaches to managing information security risks other than ISO27k (such as information security baselines and quantitative risk analysis) are not described or promoted, even though they may support or complement the ISO27k way

Style

The author’s writing style is clear and easy to read (even for non-native English readers), an important benefit given that the subject matter is potentially rather complicated and involved.

The content is quite action-oriented, often flatly stating that various things ‘should’ happen without always explaining why, or considering alternative approaches.  If you have already decided to implement ISO27k, that’s fine - just go ahead, use the book plus the standards to get on with it.  However, if you are still trying to decide what to do and how to do it, or if you are finding that the ISO27k way does not in fact entirely suit your particular situation, you may not find quite as much value in the book.

The author has to some extent missed the opportunity to discuss practical implementation issues that he has no doubt experienced in his work as an ISO27k consultant.  The numerous “Case study” asides throughout the book are almost completely generic and rather bland in style - some don’t quite ring true, and most essentially state what ISO27k would advise under those circumstances without much discussion of the practicalities.  They are not especially illuminating or informative.

Conclusion

If you are about to implement ISO27k, or if you are a manager responsible for funding an ISO27k implementation project, this book provides a decent description of an ISMS that fulfils the requirements of the standards.  If you already have ISO27k experience, or wider experience of managing information security risks, you may quarrel with some of the assertions and recommendations ... but then this book is not really aimed at you.

Copyright © 2012 IsecT Ltd.