ISO 27001 Risk Management in Plain English: A Step-by-Step Handbook for Information Security Practitioners in Small Businesses
About this ebook
“Risk management is the central idea of ISO 27001. And, the way ISO 27001 tells you to achieve this tailor-made suit is to perform risk assessment and risk treatment.” This book, ISO 27001 Risk Management in Plain English, is a quick read for people who are focused solely on risk management. It has one aim in mind: to give you the knowledge and practical step-by-step process you need to successfully implement ISO 27001 risk assessment and treatment – without struggle, stress, or headaches.
ISO 27001 Risk Management in Plain English is written primarily for beginners in this field and for people with moderate knowledge about risk assessment and treatment. It is structured in such a way that someone with no prior experience or knowledge about information security can quickly understand what it is all about, and how to implement the whole risk management project. However, if you do have experience with ISO 27001, but feel that you still have gaps in your knowledge, you’ll also find this book very helpful.
This book will give you a complete overview of risk management according to ISO 27001. It will also explain the differences between risk management in ISO 27001 and other risk-oriented standards, such as ISO 27005 and ISO 31000. You will learn the five main steps in the risk management process, the purpose of risk assessment, and how to perform it.
“In my experience, the employees (and the organization as a whole) are usually aware of only 25 to 40% of risks,” says author Dejan Kosutic. “Therefore, a thorough and systematic process needs to be carried out to find out everything that could endanger the confidentiality, integrity, and availability of their information.”
This book will serve as your complete guide to ISO 27001 risk management. From the simple explanation of requirements, steps in risk management, development of methodology, and which documents are required for risk management – you will quickly see that this is the only book you’ll ever need on the subject.
Reviews for ISO 27001 Risk Management in Plain English
8 ratings, 2 reviews
- Rating: 4 out of 5 stars. The author broke down the process of implementing ISO 27001 in a manner that is quite easy to understand. Well written.
- Rating: 4 out of 5 stars. The given guide and examples of risk guidance are very practical.
Book preview
ISO 27001 Risk Management in Plain English - Dejan Kosutic
Also by Dejan Kosutic:
Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own
9 Steps to Cybersecurity: The Manager’s Information Security Strategy Manual
Becoming Resilient: The Definitive Guide to ISO 22301 Implementation
Dejan Kosutic
ISO 27001
Risk Management in Plain English
Step-by-step handbook for information security practitioners in small businesses
Advisera Expert Solutions Ltd
Zagreb, Croatia
Copyright ©2016 by Dejan Kosutic
All rights reserved. No part of this book may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without written permission from the author, except for the inclusion of brief quotations in a review.
Limit of Liability / Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representation or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. This book does not contain all information available on the subject. This book has not been created to be specific to any individual’s or organization’s situation or needs. You should consult with a professional where appropriate. The author and publisher shall have no liability or responsibility to any person or entity regarding any loss or damage incurred, or alleged to have been incurred, directly or indirectly, by the information contained in this book.
First published by Advisera Expert Solutions Ltd
Zavizanska 12, 10000 Zagreb
Croatia
European Union
http://advisera.com/
ISBN: 978-953-57452-8-0
First Edition, 2016
ABOUT THE AUTHOR
Dejan Kosutic is the author of numerous articles, video tutorials, documentation templates, webinars, and courses about information security and business continuity management. He is the author of the leading ISO 27001 & ISO 22301 Blog, and has helped various organizations including financial institutions, government agencies, and IT companies implement information security management according to these standards.
TABLE OF CONTENTS
ABOUT THE AUTHOR
PREFACE
1 INTRODUCTION
1.1 WHO SHOULD READ THIS BOOK?
1.2 HOW TO READ THIS BOOK?
1.3 WHAT THIS BOOK IS NOT
1.4 WHY IS RISK MANAGEMENT THE CENTRAL PHILOSOPHY IN ISO 27001?
1.5 RELATIONSHIP BETWEEN ENTERPRISE RISK MANAGEMENT AND INFORMATION SECURITY MANAGEMENT
1.6 ISO 27001 VS. ISO 27005 VS. ISO 31000
1.7 ADDITIONAL RESOURCES
2 STEPS IN THE RISK MANAGEMENT
2.1 ADDRESSING RISKS AND OPPORTUNITIES (CLAUSE 6.1.1)
2.2 FIVE STEPS IN THE RISK MANAGEMENT PROCESS (CLAUSE 6.1)
2.3 WRITING THE RISK ASSESSMENT METHODOLOGY (CLAUSE 6.1.2)
2.4 RISK ASSESSMENT PART I: IDENTIFYING THE RISKS (CLAUSES 6.1.2 AND 8.2)
2.5 RISK ASSESSMENT PART II: ANALYZING AND EVALUATING THE RISKS (CLAUSES 6.1.2 AND 8.2)
2.6 PERFORMING RISK TREATMENT (CLAUSES 6.1.3 AND 8.3)
2.7 STATEMENT OF APPLICABILITY: THE CENTRAL DOCUMENT OF THE WHOLE ISMS (CLAUSE 6.1.3 D)
2.8 DEVELOPING THE RISK TREATMENT PLAN (CLAUSES 6.1.3, 6.2, AND 8.3)
2.9 REGULAR REVIEW OF THE RISK ASSESSMENT AND TREATMENT (CLAUSE 8.2)
2.10 SUCCESS FACTORS
3 MINI CASE STUDY: PERFORMING RISK ASSESSMENT IN A SMALL HOSPITAL
APPENDIX - CATALOG OF THREATS AND VULNERABILITIES
BIBLIOGRAPHY
LIST OF FIGURES
Figure 1: Relationship between enterprise risk management, information security, business continuity, IT, and cybersecurity
Figure 2: Five steps in the risk management process
Figure 3: Example of risk assessment table with identified risks
Figure 4: Example of full risk assessment table
Figure 5: Example of risk treatment table
Figure 6: Example of Statement of Applicability
Figure 7: