Book price comparison. Covering 12,595,353 books and 12 shops.
Author
Alan Calder
Books and works in one place: 35 books, published between 1986 and 2024; among the most popular is EU GDPR – An international guide to compliance. Compare prices and check availability at Finnish bookshops.
Recommended textbook for the Open University's postgraduate information security course and the recommended text for all IBITGQ ISO 27001 courses.

In this updated edition, renowned ISO 27001/27002 experts Alan Calder and Steve Watkins:
Discuss the ISO 27001/27002:2022 updates;
Provide guidance on how to establish a strong IT governance system and an ISMS (information security management system) that complies with ISO 27001 and ISO 27002;
Highlight why data protection and information security are vital in our ever-changing online and physical environments;
Reflect on changes to international legislation, e.g. the GDPR (General Data Protection Regulation); and
Review key topics such as risk assessment, asset management, controls, security, supplier relationships and compliance.

Fully updated to align with ISO 27001/27002:2022, IT Governance – An international guide to data security and ISO 27001/ISO 27002, Eighth edition provides:
Expert information security management and governance guidance based on international best practice;
Guidance on how to protect and enhance your organisation with an ISO 27001:2022-compliant ISMS; and
Discussion of the changes to the international standards, including ISO 27001:2022 and ISO 27002:2022.

As cyber threats continue to increase in prevalence and ferocity, it is more important than ever to implement a secure ISMS to protect your organisation. Certifying your ISMS to ISO 27001, with controls implemented in line with ISO 27002, demonstrates to customers and stakeholders that your organisation is handling data securely.
Essential guidance for anyone tackling ISO 27001:2022 implementation for the first time.

ISO/IEC 27001:2022 is the blueprint for managing information security in line with an organisation's business, contractual and regulatory requirements, and its risk appetite. Nine Steps to Success has been updated to reflect the 2022 version of ISO 27001. This must-have guide from expert Alan Calder will help you get to grips with the requirements of the Standard and make your ISO 27001 implementation project a success. The guide:
Details the key steps of an ISO 27001 project from inception to certification;
Explains each element of the ISO 27001 project in simple, non-technical language; and
Is ideal for anyone tackling ISO 27001 implementation for the first time.

To be resilient against cyber attacks, organisations must do more than just erect digital defences; a significant percentage of successful attacks originate in the physical world or are aided and exacerbated by environmental vulnerabilities. Effective cyber security therefore requires a comprehensive, systematic and robust ISMS (information security management system), with boards, customers and regulators all seeking assurance that information risks have been identified and are being managed.

Successfully implement ISO 27001 with this must-have guide.
ISO 27001/ISO 27002 – A guide to information security management systems

ISO 27001 is one of the leading information security standards. It offers an internationally recognised route for organisations of all sizes and industries to adopt and demonstrate effective, independently verified information security. Information is the lifeblood of the modern world. It is at the heart of our personal and working lives, yet all too often control of that information is in the hands of organisations, not individuals. As a result, there is ever-increasing pressure on those organisations to ensure the information they hold is adequately protected. Demonstrating that an organisation is a responsible custodian of information is not simply a matter of complying with the law – it has become a defining factor in an organisation’s success or failure. The negative publicity and loss of trust associated with data breaches and cyber attacks can seriously impact customer retention and future business opportunities, while an increasing number of tender opportunities are only open to those with independently certified information security measures. Understand how information security standards can improve your organisation’s security and set it apart from competitors with this introduction to the 2022 updates of ISO 27001 and ISO 27002.
We live in a world where technology and vast quantities of data play a considerable role in everyday life, both personal and professional. For the foreseeable future (and perhaps beyond), the growth and prominence of data in business shows no signs of slowing down, even if the technology in question will likely change in ways perhaps unimaginable today. Naturally, all this innovation brings huge opportunities and benefits to organisations and people alike. However, these come at more than just a financial cost. In the world as we know it, you can be attacked both physically and virtually. For today’s organisations, which rely so heavily on technology – particularly the Internet – to do business, the latter attack is the far more threatening of the two. The cyber threat landscape is complex and constantly changing. For every vulnerability fixed, another pops up, ripe for exploitation. Worse, when a vulnerability is identified, a tool that can exploit it is often developed and used within hours – faster than the time it normally takes for the vendor to release a patch, and certainly quicker than the time many organisations take to install that patch.

This book has been divided into two parts:
Part 1: Security principles.
Part 2: Reference controls.

Part 1 is designed to give you a concise but solid grounding in the principles of good security, covering key terms, risk management, different aspects of security, defence in depth, implementation tips, and more. This part is best read from beginning to end. Part 2 is intended as a useful reference, discussing a wide range of good-practice controls (in alphabetical order) you may want to consider implementing. Each control is discussed at a high level, focusing on the broader principles, concepts and points to consider, rather than specific solutions. Each control has also been written as a stand-alone chapter, so you can just read the controls that interest you, in an order that suits you.
Cyber Essentials – A guide to Cyber Essentials and Cyber Essentials Plus certifications

Cyber attacks are a fact of life in the information age. For any organisation that connects to the Internet, the issue is not if an attack will come, but when. Most cyber attacks are performed by relatively unskilled criminals using tools available online. These attacks are often opportunistic: looking for easy targets rather than rich pickings. The Cyber Essentials scheme is a UK government-backed effort to encourage UK-based organisations to improve their cyber security by adopting measures (called controls) that defend against common, less-sophisticated cyber attacks. The scheme recommends practical defences that should be within the capability of any organisation. The Cyber Essentials scheme has two levels:
The basic Cyber Essentials; and
Cyber Essentials Plus.

The first part of this book examines the threats that are most significant in the modern digital environment, their targets and their impacts. It will help you to understand whether your organisation is ready for Cyber Essentials or Cyber Essentials Plus certification. The second part of the book presents a selection of additional resources that are available to help you implement the controls or become certified.
Formally founded in 2017, the EU Data Protection Code of Conduct for Cloud Service Providers (otherwise known as the EU Cloud Code of Conduct; the Code) is a voluntary code of conduct created specifically to support GDPR compliance within the B2B (business-to-business) Cloud industry. The EU Commission, the Article 29 Working Party (now the EDPB (European Data Protection Board)), the EU Directorate-General for Justice and Consumers, and Cloud-industry leaders have all contributed to its development, resulting in a robust framework that recognises the unique requirements of the Cloud industry. Cloud providers must ensure that their services – which by design involve accessing and transferring data across the Internet, exposing it to far greater risk than data stored and processed within an organisation’s internal network – meet or exceed the GDPR’s requirements in order to provide the security and privacy that the market expects. Organisations can achieve this via compliance with the EU Cloud Code of Conduct. The Code has already been adopted by major Cloud service organisations, including:
Microsoft
Oracle
Salesforce
IBM
Google Cloud
Dropbox
Alibaba Cloud

Public and business focus on information security and data protection continues to increase in the face of a constantly changing threat landscape and ever more stringent regulation, and compliance with initiatives such as the EU Cloud Code of Conduct demonstrates to current and potential customers that your organisation is taking data privacy seriously. It also strengthens your organisation’s approach to information security management, and defences against data breaches. The EU Data Protection Code of Conduct for Cloud Service Providers provides guidance on how to implement the Code. It explores the Code’s objectives, and how compliance can be achieved with or without an ISMS (information security management system).
Begin your journey to EU Cloud Code of Conduct implementation with our compliance guide – buy this book today!

About the author

Alan Calder founded IT Governance Ltd in 2002 and began working full time for the organisation in 2007. He is Group CEO of GRC International Group PLC, the AIM-listed company that owns IT Governance Ltd. Alan has held a number of roles, including CEO of Business Link London City Partners (a government agency focused on helping growing businesses to develop) from 1995 to 1998, CEO of Focus Central London (a training and enterprise council) from 1998 to 2001, and CEO of Wide Learning (a supplier of e-learning) from 2001 to 2003 and the Outsourced Training Company (2005). He was also chairman of CEME (a public–private-sector skills partnership) from 2006 to 2011. Alan is an acknowledged international cyber security guru and a leading author on information security and IT governance issues. He has been involved in the development of a wide range of information security management training courses that have been accredited by IBITGQ (International Board for IT Governance Qualifications). Alan has consulted for clients in the UK and abroad, and is a regular media commentator and speaker. For information on Alan’s other publications, visit www.itgovernancepublishing.co.uk/author/alan-calder.
Safeguard your organisation’s future with business continuity management

Business continuity – planning for, protecting against and ensuring recovery from disruptive events – is more important than ever. In an increasingly volatile world – exemplified by the COVID-19 pandemic – organisations are looking at business continuity from a fresh perspective. The illusion of business as a rampart against which the waves of the world break harmlessly is shattered; it is no longer possible to pretend that an organisation can weather all storms equally, or that the limited contingencies organisations develop are sufficient to protect them. As a result, more and more organisations are looking to ISO 22301 – the international standard that defines the requirements for a BCMS – to safeguard their future.

ISO 22301 requirements and business continuity best practice

ISO 22301:2019 and business continuity management – Understand how to plan, implement and enhance a business continuity management system (BCMS) walks you through the requirements of ISO 22301:2019, explaining what they mean and how your organisation can achieve compliance. Whether you are seeking certification against the Standard or are simply looking to benefit from business continuity concepts and practices without developing a formal system, this book contains all you need to know. It is an essential companion guide for those working in business continuity who are looking to introduce or optimise a BCMS aligned with ISO 22301.
The book provides a comprehensive introduction to business continuity best practice, including:
Using ISO 22301
Context, interested parties and scope
Leadership, policy and responsibilities
Planning
Support
Operation
Business continuity strategies and solutions
Business continuity plans and procedures
Performance evaluation
Improvement
Certification

Suitable for business continuity managers, risk managers, compliance officers, senior managers, operations managers, project managers and consultants, this practical guide to ISO 22301 will show you how to develop and implement a BCMS so you can minimise the impact of a disaster on your business and continue to provide essential services to your customers, while reassuring all stakeholders that you take business continuity best practice seriously.

Minimise the impact of a disaster on your business with ISO 22301 – buy this book

About the author

Alan Calder is the Group CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Alan is an acknowledged international cyber security guru, and a leading author on information security and IT governance issues. He has been involved in the development of a wide range of information security management training courses that have been accredited by IBITGQ (International Board for IT Governance Qualifications). Alan has consulted for clients across the globe and is a regular media commentator and speaker.
The fastest-growing malware in the world

The core functionality of ransomware is two-fold: to encrypt data and deliver the ransom message. This encryption can be relatively basic or maddeningly complex, and it might affect only a single device or a whole network. Ransomware is the fastest-growing malware in the world. In 2015, it cost companies around the world $325 million, which rose to $5 billion by 2017 and is set to hit $20 billion in 2021. The threat of ransomware is not going to disappear, and while the number of ransomware attacks remains steady, the damage they cause is significantly increasing. It is the duty of all business leaders to protect their organisations and the data they rely on by doing whatever is reasonably possible to mitigate the risk posed by ransomware. To do that, though, they first need to understand the threats they are facing.

The Ransomware Threat Landscape

This book sets out clearly how ransomware works, to help business leaders better understand the strategic risks, and explores measures that can be put in place to protect the organisation. These measures are structured so that any organisation can approach them. Those with more resources and more complex environments can build them into a comprehensive system to minimise risks, while smaller organisations can secure their profiles with simpler, more straightforward implementation. Suitable for senior directors, compliance managers, privacy managers, privacy officers, IT staff, security analysts and admin staff – in fact, all staff who use their organisation’s network/online systems to perform their role – The Ransomware Threat Landscape: Prepare for, recognise and survive ransomware attacks will help readers understand the ransomware threat they face.
From basic cyber hygiene to more advanced controls, the book gives practical guidance on individual activities, introduces implementation steps organisations can take to increase their cyber resilience, and explores why cyber security is imperative. Topics covered include:
Introduction
About ransomware
Basic measures
An anti-ransomware
The control framework
Risk management
Controls
Maturity
Basic controls
Additional controls for larger organisations
Advanced controls

Don’t delay – start protecting your organisation from ransomware and buy this book today!

About the author

Alan Calder is the Group CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Alan is an acknowledged international cyber security guru, and a leading author on information security and IT governance issues. He has been involved in the development of a wide range of information security management training courses that have been accredited by IBITGQ (International Board for IT Governance Qualifications). Alan has consulted for clients across the globe and is a regular media commentator and speaker.
In the world as we know it, you can be attacked both physically and virtually. For today’s organisations, which rely so heavily on technology – particularly the Internet – to do business, the latter is the far more threatening of the two. The cyber threat landscape is complex and constantly changing. For every vulnerability fixed, another pops up, ripe for exploitation. This book is a comprehensive cyber security implementation manual which gives practical guidance on the individual activities identified in the IT Governance Cyber Resilience Framework (CRF) that can help organisations become cyber resilient and combat the cyber threat landscape. Suitable for senior directors (CEO, CISO, CIO), compliance managers, privacy managers, IT managers, security analysts and others, the book is divided into six parts:
Part 1: Introduction. The world of cyber security and the approach taken in this book.
Part 2: Threats and vulnerabilities. A discussion of a range of threats organisations face, organised by threat category, to help you understand what you are defending yourself against before you start thinking about your actual defences.
Part 3: The CRF processes. Detailed discussions of each of the 24 CRF processes, explaining a wide range of security areas by process category and offering guidance on how to implement each.
Part 4: Eight steps to implementing cyber security. Our eight-step approach to implementing the cyber security processes you need and maintaining them.
Part 5: Reference frameworks. An explanation of how standards and frameworks work, along with their benefits. It also presents ten framework options, introducing you to some of the best-known standards and giving you an idea of the range available.
Part 6: Conclusion and appendices. The appendices include a glossary of all the acronyms and abbreviations used in this book.
Whether you are just starting out on the road to cyber security or looking to enhance and improve your existing cyber resilience programme, it should be clear that cyber security is no longer optional in today’s information age; it is an essential component of business success. Make sure you understand the threats and vulnerabilities your organisation faces and how the Cyber Resilience Framework can help you tackle them. Start your journey to cyber security now – buy this book today!
A clear, concise primer on the GDPR

The GDPR aims to unify data protection and ease the flow of personal data across the EU. It applies to organisations anywhere in the world that process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour. While the GDPR is not law in countries outside the EU, it is effectively part of the legislative environment for organisations that do business with the EU. This is enforced through a combination of international trade law and business pressure – after all, a partner in the EU is unlikely to want to risk engaging with a company in the US, Australia or Singapore (or anywhere else) that will put them at risk.

EU GDPR – An international guide to compliance is the ideal resource for anyone wanting a clear primer on the principles of data protection and their obligations under the GDPR. A concise pocket guide, it will help you understand:
The terms and definitions used in the GDPR, including explanations;
The key requirements of the GDPR, including:
  Which fines apply to which Articles;
  The principles that should be applied to any collection and processing of personal data;
  The Regulation’s applicability;
  Data subjects’ rights;
  Data protection impact assessments;
  The data protection officer role and whether you need one;
  Data breaches, and notifying supervisory authorities and data subjects; and
  Obligations for international data transfers.
How to comply with the Regulation, including:
  Understanding your data, and where and how it is used (e.g. Cloud suppliers, physical records);
  The documentation you must maintain (such as statements of the information you collect and process, records of data subject consent, processes for protecting personal data); and
  The “appropriate technical and organisational measures” you need to take to ensure compliance with the Regulation.
A full index of the Regulation, enabling you to find relevant Articles quickly and easily.
Supplemental material

While most of the EU GDPR’s requirements are broadly unchanged in the UK GDPR, the context is quite different and will have knock-on effects. You may need to update contracts regarding EU–UK data transfers, incorporate standard contractual clauses into existing agreements, and update your policies, processes and procedural documentation as a result of these changes. We have published a supplement that sets out specific extra or amended information for this pocket guide.

About the author

Alan Calder is the Group CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. He is an internationally acknowledged cyber security expert, and a leading author on information security and IT governance issues. He co-wrote the definitive compliance guide IT Governance: An International Guide to Data Security and ISO27001/ISO27002, which is the basis for the Open University’s postgraduate course on information security, and has been involved in the development of a wide range of information security management training courses that have been accredited by IBITGQ (International Board for IT Governance Qualifications). Alan has consulted on data security for numerous clients in the UK and abroad, and is a regular media commentator and speaker.
In an increasingly volatile world, exemplified by the 2020 COVID-19 pandemic, organisations are looking at business continuity with a fresh perspective. While most organisations believe they are prepared for disruption, COVID-19 has proved otherwise. The need for business continuity has never been clearer. If you were hit by a cyber attack and lost the use of your IT systems, would you be able to carry on? If your business premises were forced to close, what would you do? If you were affected by unexpected staff absence, how could you reassure your customers that you can still offer them the service they expect? Being unprepared can lead to financial and reputational damage, which could prove disastrous. You could fail to keep up with customer demand or lose important business, or your customers could go elsewhere. Without a proper risk assessment strategy, your company directors could even face prosecution if a major incident occurs and results in loss or injury.

An introduction to ISO 22301

To minimise the impact of a disaster on your business, and to continue to provide essential services to your customers, you need to put in place a BCMS (business continuity management system). This pocket guide will help you understand the basics of business continuity and ISO 22301:2019, the international standard that describes the specification for a BCMS. It covers:
What business continuity is;
Key terms and definitions;
A brief history of business continuity management;
The BCMS;
ISO 22301 BCMS requirements; and
Certification.

ISO 22301:2019 – An introduction to a business continuity management system (BCMS) provides an easy-to-read and straightforward introduction to a BCMS that business continuity managers, compliance managers, C-suites and disaster recovery planners – or any organisation implementing, or considering implementing, an ISO 22301 BCMS – will find valuable.
Cyber Security – Essential principles to secure your organisation takes you through the fundamentals of cyber security, the principles that underpin it, vulnerabilities and threats, and how to defend against attacks. Organisations large and small experience attacks every day, from simple phishing emails to intricate, detailed operations masterminded by criminal gangs, and for every vulnerability fixed, another pops up, ripe for exploitation. Cyber security doesn’t have to cost vast amounts of money or take a short ice age to implement. No matter the size of your organisation, improving cyber security helps protect your data and that of your clients, improving business relations and opening the door to new opportunities. This pocket guide will take you through the essentials of cyber security – the principles that underpin it, vulnerabilities and threats and the attackers who use them, and how to defend against them – so you can confidently develop a cyber security programme.

Cyber Security – Essential principles to secure your organisation:
Covers the key differences between cyber and information security;
Explains how cyber security is increasingly mandatory and how this ties into data protection, e.g. the Data Protection Act 2018 and the GDPR (General Data Protection Regulation);
Focuses on the nature of the problem, looking at technical, physical and human threats and vulnerabilities;
Explores the importance of security by design;
Gives guidance on why security should be balanced and centralised; and
Introduces the concept of using standards and frameworks to manage cyber security.

No matter the size of your organisation, cyber security is no longer optional – it is an essential component of business success and a critical defence against the risks of the information age. The only questions left are to decide when and where your journey will begin. Start that journey now – buy this book today!
Faced with the compliance requirements of increasingly punitive information and privacy-related regulation, as well as the proliferation of complex threats to information security, there is an urgent need for organizations to adopt IT governance best practice. IT Governance is a key international resource for managers in organizations of all sizes and across industries, and deals with the strategic and operational aspects of information security. Now in its seventh edition, the bestselling IT Governance provides guidance for companies looking to protect and enhance their information security management systems (ISMS) and protect themselves against cyber threats. The new edition covers changes in global regulation, particularly GDPR, and updates to standards in the ISO/IEC 27000 family, BS 7799-3:2017 (information security risk management) plus the latest standards on auditing. It also includes advice on the development and implementation of an ISMS that will meet the ISO 27001 specification and how sector-specific standards can and should be factored in. With information on risk assessments, compliance, equipment and operations security, controls against malware and asset management, IT Governance is the definitive guide to implementing an effective information security management and governance system.
Understand ISO 38500: the standard for the corporate governance of IT. In the 21st century, IT governance has become a much-discussed topic among IT professionals. An IT governance framework serves to close the gap between the importance of IT and the understanding of IT, helping to improve your organisation’s competitive position. ISO/IEC 38500 is the international standard for the corporate governance of information and communication technology. The purpose of the standard is to create a framework to ensure that the board is appropriately involved, and it sets out guiding principles for governing bodies on how to ensure the effective, efficient and acceptable use of IT within their company. This useful pocket guide is an ideal introduction for those wanting to understand more about ISO 38500. It describes the scope, application and objectives of the Standard and outlines its six core principles. It covers: What is ISO/IEC 38500?; The corporate governance context; Scope, application and objectives; Principles and model for good governance of IT; Implementing the six IT governance principles; ISO/IEC 38500 and the IT steering committee; Project governance; Other IT governance standards and frameworks; and Integrated frameworks. Implement an IT governance framework to improve your organisation’s competitive position. Buy this pocket guide today! About the author: Alan Calder is a leading author on IT governance and information security issues. He is Group CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Alan is a frequent media commentator on IT governance and information security issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.
Protect your information assets with effective risk management. In today’s information economy, the development, exploitation and protection of information and associated assets are key to the long-term competitiveness and survival of corporations and entire economies. The protection of information and associated assets – information security – is therefore overtaking physical asset protection as a fundamental corporate governance responsibility. Information security management system requirements: ISO 27000, which provides an overview for the family of international standards for information security, states that “An organisation needs to undertake the following steps in establishing, monitoring, maintaining and improving its ISMS […] assess information security risks and treat information security risks”. The requirements for an ISMS are specified in ISO 27001. Under this standard, a risk assessment must be carried out to inform the selection of security controls, making risk assessment the core competence of information security management and a critical corporate discipline. Plan and carry out a risk assessment to protect your information. Information Security Risk Management for ISO 27001 / ISO 27002: Provides information security and risk management teams with detailed, practical guidance on how to develop and implement a risk assessment in line with the requirements of ISO 27001; Draws on national and international best practice around risk assessment, including BS 7799-3:2017 (BS 7799-3); Covers key topics such as risk assessment methodologies, risk management objectives, information security policy and scoping, threats and vulnerabilities, risk treatment and selection of controls; and Includes advice on choosing risk assessment software.
Ideal for risk managers, information security managers, lead implementers, compliance managers and consultants, as well as providing useful background material for auditors, this book will enable readers to develop an ISO 27001-compliant risk assessment framework for their organisation and deliver real, bottom-line business benefits. Buy your copy today! About the authors: Alan Calder is the Group CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Alan is an acknowledged international cyber security guru and a leading author on information security and IT governance issues. He has been involved in the development of a wide range of information security management training courses that have been accredited by IBITGQ (International Board for IT Governance Qualifications). Alan has consulted for clients in the UK and abroad, and is a regular media commentator and speaker. Steve Watkins is an executive director at GRC International Group plc. He is a contracted technical assessor for UKAS – advising on its assessments of certification bodies offering ISMS/ISO 27001 and ITSMS/ISO 20000-1 accredited certification. He is a member of ISO/IEC JTC 1/SC 27, the international technical committee responsible for information security, cyber security and privacy standards, and chairs the UK National Standards Body’s technical committee IST/33 (information security, cyber security and privacy protection) that mirrors it. Steve was an active member of IST/33/-/6, which developed BS 7799-3.
This pocket guide is an introduction to the EU’s NIS Directive (Directive on security of network and information systems). It outlines the key requirements, details which digital service providers are within scope, and explains how the security objectives from ENISA’s Technical Guidelines and international standards can help DSPs achieve compliance. This pocket guide is a primer for any DSP that needs to comply with the NIS Directive. The pocket guide helps DSPs: Gain insight into the NIS Directive and who is regulating it; Identify if they are within the scope of the Directive; Understand the key requirements; and Understand how guidance from international standards and ENISA can help them comply. Your essential guide to understanding the EU’s NIS Directive – buy this book today and get the help and guidance you need.