Information Security Risk Management for ISO27001 / ISO27002 (Paperback) (ISO27001 / ISO27002 資訊安全風險管理)

Alan Calder, Steve G Watkins

  • 出版商: IT Governance Ltd
  • 出版日期: 2010-04-21
  • 售價: $1,880
  • 貴賓價: 9.5$1,786
  • 語言: 英文
  • 頁數: 198
  • 裝訂: Paperback
  • ISBN: 1849280436
  • ISBN-13: 9781849280433
  • 相關分類: 資訊安全
  • 海外代購書籍(需單獨結帳)

買這商品的人也買了...

相關主題

商品描述

Expert guidance on planning and implementing a risk assessment and protecting your business information. In the knowledge economy, organisations have to be able to protect their information assets. Information security management has, therefore, become a critical corporate discipline. The international code of practice for an information security management system (ISMS) is ISO27002. As the code of practice explains, information security management enables organisations to ensure business continuity, minimise business risk, and maximise return on investments and business opportunities . ISMS requirements The requirements for an ISMS are specified in ISO27001. Under ISO27001, a risk assessment has to be carried out before any controls can be selected and implemented, making risk assessment the core competence of information security management. This book provides information security and risk management teams with detailed, practical guidance on how to develop and implement a risk assessment in line with the requirements of ISO27001. International best practice Drawing on international best practice, including ISO/IEC 27005, NIST SP800-30 and BS7799-3, the book explains in practical detail how to carry out an information security risk assessment. It covers key topics, such as risk scales, threats and vulnerabilities, selection of controls, and roles and responsibilities, and includes advice on choosing risk assessment software. Benefits to business include: * Stop the hacker. With a proper risk assessment, you can select appropriate controls to protect your organisation from hackers, worms and viruses, and other threats that could potentially cripple your business. * Achieve optimum ROI. Failure to invest sufficiently in information security controls is penny wise, pound foolish , since, for a relatively low outlay, it is possible to minimise your organisation s exposure to potentially devastating losses. However, having too many safeguards in place will make information security system expensive and bureaucratic; so without accurate planning your investment in information security controls can become unproductive. With the aid of a methodical risk assessment, you can select and implement your information security controls to ensure that your resources will be allocated to countering the major risks to your organisation. In this way, you will optimise your return on investment. * Build customer confidence. Protecting your information security is essential if you want to preserve the trust of your clients and to keep your business running smoothly from day to day. If you set up an ISMS in line with ISO27001, then, after an assessment, you can obtain certification. Buyers now tend to look for the assurance that can be derived from an accredited certification to ISO27001 and, increasingly, certification to ISO27001 is becoming a prerequisite in service specification procurement documents. * Comply with corporate governance codes. Information security is a vital aspect of enterprise risk management (ERM). An ERM framework is required by various corporate governance codes, such as the Turnbull Guidance contained within the UK s Combined Code on Corporate Governance, and the American Sarbanes-Oxley Act (SOX) of 2002, and standards such as ISO310000. As the authors point out, Just because a threat has not occurred yet does not mean that it never will .

商品描述(中文翻譯)

專家指導如何規劃和實施風險評估,並保護您的業務信息。在知識經濟中,組織必須能夠保護其信息資產。因此,信息安全管理已成為一項關鍵的企業紀律。信息安全管理系統(ISMS)的國際實踐準則是ISO27002。正如實踐準則所解釋的那樣,信息安全管理使組織能夠確保業務連續性,最小化業務風險,並最大化投資回報和業務機會。ISMS要求ISMS的要求在ISO27001中指定。根據ISO27001,在選擇和實施任何控制之前必須進行風險評估,使風險評估成為信息安全管理的核心能力。本書提供了詳細的實用指南,以便信息安全和風險管理團隊根據ISO27001的要求開發和實施風險評估。國際最佳實踐本書借鑒了國際最佳實踐,包括ISO/IEC 27005、NIST SP800-30和BS7799-3,詳細解釋了如何進行信息安全風險評估。它涵蓋了關鍵主題,如風險等級、威脅和漏洞、控制選擇以及角色和責任,並提供了選擇風險評估軟件的建議。對業務的好處包括:*阻止駭客。通過適當的風險評估,您可以選擇適當的控制措施,以保護您的組織免受可能使您的業務癱瘓的駭客、蠕蟲和病毒等威脅。*實現最佳投資回報。不足夠投資於信息安全控制措施是愚蠢的,因為只需相對較低的支出,就可以將您的組織暴露於潛在的巨大損失。然而,過多的保障措施將使信息安全系統變得昂貴和繁瑣;因此,如果沒有準確的計劃,您對信息安全控制措施的投資可能會變得無效。通過有系統的風險評估,您可以選擇和實施信息安全控制措施,以確保您的資源將用於對抗組織的主要風險。這樣,您將優化您的投資回報。*建立客戶信心。如果您希望保持客戶的信任並使業務順利運行,保護您的信息安全至關重要。如果您按照ISO27001建立ISMS,然後在評估後獲得認證,購買者現在傾向於尋求可以從ISO27001的認證中獲得的保證,並且越來越多地,ISO27001的認證已成為服務規範採購文件中的先決條件。*遵守企業治理準則。信息安全是企業風險管理(ERM)的重要方面。各種企業治理準則,如英國《企業治理綜合守則》中包含的Turnbull指南和2002年的美國Sarbanes-Oxley法案(SOX),以及ISO310000等標準,都要求建立ERM框架。正如作者所指出的,僅僅因為威脅尚未發生,並不意味著它永遠不會發生。