Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Mastering Information Security Compliance Management
Mastering Information Security Compliance Management

Mastering Information Security Compliance Management: A comprehensive handbook on ISO/IEC 27001:2022 compliance

Arrow left icon
Profile Icon Adarsh Nair Profile Icon Greeshma M. R.
Arrow right icon
$31.99
Full star icon Full star icon Full star icon Full star icon Half star icon 4.7 (19 Ratings)
eBook Aug 2023 236 pages 1st Edition
eBook
$31.99
Paperback
$39.99
Subscription
Free Trial
Renews at $19.99p/m
Arrow left icon
Profile Icon Adarsh Nair Profile Icon Greeshma M. R.
Arrow right icon
$31.99
Full star icon Full star icon Full star icon Full star icon Half star icon 4.7 (19 Ratings)
eBook Aug 2023 236 pages 1st Edition
eBook
$31.99
Paperback
$39.99
Subscription
Free Trial
Renews at $19.99p/m
eBook
$31.99
Paperback
$39.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
Table of content icon View table of contents Preview book icon Preview Book

Mastering Information Security Compliance Management

Foundations, Standards, and Principles of Information Security

In today’s information-centric environment, the concept of information security is paramount and is now on par with other business functions. Irrespective of their market share, private or public status, or geographical location, businesses are being pushed to move online in order to stay relevant.

In the 21st century, we have all experienced the information revolution. Data is stimulating the information revolution in the same way that oil catalyzed the industrial revolution. In today’s environment, data is the raw resource that must be studied, interpreted, and retrieved with care in order to provide significant insights to its users.

The difference between oil and data is that the volume of oil is reducing across the world, whereas the amount of data is growing day by day. Data has become a valuable commodity and fuel source in today’s world.

On the other hand, data-related cybercrime such as data theft is expanding exponentially. A data breach occurs when a company unwittingly exposes critical information that might cause damage to a company’s reputation, brand value, and customer trust, or even result in regulatory penalties.

The average cost of a data breach was $4.35 million in the year 2022, according to IBM’s Cost of a Data Breach Report 2022. While the average cost per record was $164 in 2022, the cost per record has climbed considerably since 2020. Hackers are primarily interested in a company’s customer information because they can use it to blackmail the company or sell the information to competitors. Data has become, on average, more valuable than any other asset. Information security principles guide the entire concept of data security.

This chapter will explain the fundamentals of Information Security, including why it’s important and how security frameworks can help reduce risk and develop a mechanism to manage information security across an enterprise. The key topics covered are the following:

  • The CIA triad
  • Information security standards
  • Using an information security management system
  • The ISO 27000 series

The CIA triad

InfoSec, the shorthand for information security, refers to procedures designed to secure data from unauthorized access or modification, even when the data is at rest or in transit. It covers a broad range of topics, including safeguarding your digital assets, which is where you hold sensitive data.

Information security relies on three pillars known as the CIA Triad: Confidentiality, Integrity, and Availability, the preservation of which is defined in ISO/IEC 27000. See Figure 1.1 for a visual representation of the following three pillars:

  • Confidentiality – Providing access only to authorized personnel who need access
  • Integrity – Maintaining the information’s accuracy and completeness
  • Availability – Making sure the information is available to authorized users when they need it

Figure 1.1 – CIA triad

Let’s see what each of the pillars in the triad means for information security.

Confidentiality

When an organization takes steps to keep its information private or secret, it is referred to as confidentiality. In the real world, this means limiting who has access to data in order to keep it safe from unwanted disclosure. Unauthorized disclosure of information or unauthorized access to information systems can be prevented by implementing confidentiality safeguards. For the confidentiality principle to be effective, sensitive information must be protected and only those who need access to accomplish their job responsibilities should be able to see or access it.

Confidentiality is required to prevent sensitive information from leaking to the wrong people. It is possible to safeguard user data by using authentication controls such as passwords and the encryption of data that is in transit or at rest to keep it confidential.

Integrity

Integrity refers to the ability of a person or thing to stand on their or its own two feet. In the same sense, integrity in information security entails the safeguarding of data from uncontrolled or unauthorized additions, deletions, or modifications. Integrity is based on the idea that data can be trusted to be accurate and not improperly altered.

The idea of non-repudiation, or the inability to refute anything, is closely linked to integrity. Non-repudiation of information and services is ensured by this criterion and thus provides traceability of the actions conducted on them. At all times, accuracy and consistency in data are vital. You must be prepared to show that document credibility has been maintained, particularly in legal circumstances, when it comes to integrity. Hashing, digital signatures, and digital certificates are often employed to ensure the integrity of data.

Availability

It is useless for a business to have valuable systems, apps, or data that can’t be easily accessed by the people who need them. Being available implies all systems and apps are working as expected, and resources are available to authorized users in a timely and reliable manner. The goal of availability is to ensure that data and services are available when needed to make decisions.

The accessibility of the system and services provided to authorized users is dependent on the availability factor because the system and services should be available whenever the user needs them. Redundancy of important systems, hardware fault tolerance, frequent backups, extensive disaster recovery plans, and so on, are all ways to assure availability.

Accountability and cyber resilience

Accountability entails assigning explicit obligations for information assurance to each person who interacts with an information system. A manager responsible for information assurance can readily quantify the responsibilities of an employee within the context of the organization’s overall information security plan. A policy statement saying that no employee shall install third-party software on company-owned information infrastructure is one example. To be resilient in the face of cyberattacks, a business must be capable of anticipating them, preparing for them, and responding to them appropriately. This aids an organization in combating cyber threats, reducing the severity of attacks, and guaranteeing that the company continues to exist even after an attack has taken place. This is cyber resilience.

The CIA triad forms the foundation of information security standards such as ISO/IEC 27001. Let’s now look at some of the standards that are accessible in the information security sector.

Information security standards

Standards provide us with a common set of reference points that allow us to evaluate whether an organization has processes, procedures, and other controls that fulfill an agreed-upon minimum requirement. Depending on the needs of the business or stakeholders, an organization may build and manage its own procedures in accordance with information security principles. It offers third parties such as customers, suppliers, and partners confidence in an organization’s capacity to deliver to a specific standard if that business is compliant with the standard.

This can also be a marketing strategy whereby the company can gain a competitive advantage over other organizations. When customers are evaluating a company’s products or services, for example, an organization that is compliant with a security standard may have the edge over a competitor who is not.

On the other hand, some regulatory and legal requirements may specify certain standards that must be met in certain circumstances. Suppose your company stores, processes, or transmits cardholder data. In this case, you must be in compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are a variety of organizations involved in accepting credit and debit cards and the PCI DSS applies to each and every one of them. Major credit card firms such as Visa and Mastercard have identified these criteria as being the industry benchmark. Failure to comply with these standards may result in fines, increased processing fees, or even the refusal to do business with certain credit card companies.

Furthermore, if you are supposed to be compliant with a standard but are not, and you suffer a security breach as a result, you may be subject to legal action from the consumers who were harmed as a result of the breach.

Standards can also assist firms in meeting regulatory requirements such as those imposed by the Data Protection Act, Sarbanes–Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA), and other similar legislation. Utilizing standards to establish a solid foundation for managing and protecting your information systems will make it easier for your organization to comply with current and future regulatory obligations than for an organization that does not use standards.

Let’s have a quick look at some of the important standards in the field of information security.

The ISO/IEC 27000 family of information security standards

The ISO 27000 Family of Information Security Management Standards is a collection of security standards that form the basis of best-practice information security management. ISO 27001, which establishes the requirements for an Information Security Management System (ISMS), is the series’ backbone.

ISO 27001 is a global standard that defines the criteria for an ISMS. The structure of the standard is intended to assist companies in managing their security procedures in a centralized, uniform, and cost-effective manner.

Payment Card Industry Data Security Standard (PCI DSS)

The PCI Security Standards Council (PCI SSC) is an independent organization founded by Visa, MasterCard, American Express, Discover, and JCB to administer and oversee the PCI DSS. According to this regulation, companies, financial institutions, and merchants must comply with a set of security criteria when dealing with cardholder data. A secure environment needs to be maintained to receive, process, store, and transmit cardholder information.

Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA) is a set of data security principles that federal agencies must follow in order to preserve and secure their data. Private enterprises that have a contractual connection with the government are likewise subject to FISMA’s regulations.

Government data and information are protected, and governmental expenditure on security is kept under control. FISMA established a set of regulations and standards for government institutions to follow in order to meet data security objectives.

Health Insurance Portability and Accountability Act (HIPAA)

In order to protect the privacy and confidentiality of patient health information, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 mandated the development of national standards. This is also known as the Kennedy–Kassebaum Act.

Health information that may be used to identify a specific individual is covered by the HIPAA, which applies to all forms of protected health information (PHI). All covered entities such as healthcare providers, health plans, and healthcare clearinghouses are under the Health Insurance Portability and Accountability Act of 1996.

Due to the security standard in place, patients may rest easy knowing that the fundamental health-related information they provide will be kept confidential.

NIST Cybersecurity Framework (NIST CSF)

The NIST framework for cybersecurity is a useful tool for organizing and improving your cybersecurity program. In order to assist businesses to establish and enhance their cybersecurity posture, this set of best practices and standards was put together.

A cybersecurity program built on the NIST Cybersecurity Framework (NIST CSF) is widely regarded as the industry standard. To assist enterprises in managing and reducing cybersecurity risk, the NIST CSF provides suggestions based on existing standards, guidelines, and practices.

No matter where they are located, all organizations may use this framework despite its original intent to protect important US infrastructure corporations.

SOC reporting

An internal control report developed by the American Institute of Certified Public Accountants (AICPA) is called the System and Organization Controls (SOC) for service organizations. Using SOC reports, service providers may increase their customers’ trust in the services they deliver, as well as their own internal control over those services. SOC 1, SOC 2, and SOC 3 are the three types of reports that can be used based on the requirements.

The SOC 1: SOC for Service Organization: ICFR report (type 1 or 2) evaluates an organization’s internal financial reporting controls in order to evaluate the impact of the controls of the service organization on the financial statements of its customers.

The purpose of the SOC 2: SOC for Service Organizations: Trust Services Criteria report (type 1 or 2) is to reassure customers, management, and other stakeholders about the appropriateness and efficacy of the service organization’s security, availability, processing integrity, confidentiality, and privacy measures (trust principles).

The SOC 3: SOC for Service Organizations: Trust Services Criteria for General Use report is a condensed version of the SOC 2 (type 2) report for consumers who want assurance regarding the security, availability, processing integrity, confidentiality, or privacy controls of service organizations. SOC 3 reports may be freely disseminated since they are general-purpose reports.

Cybersecurity Maturity Model Certification (CMMC)

To examine its contractors’ and subcontractors’ security, competence, and resilience, the US Department of Defense uses the Cybersecurity Maturity Model Certification (CMMC). This framework’s goal is to make the supply chain more secure by eliminating vulnerabilities. Control practices, security domains, procedures, and capabilities make up the CMMC.

Five levels of management are utilized in the CMMC architecture. The lowest maturity level is level 1, while the highest is 5. There are tiers of service that contractors are expected to provide depending on the amount of data they manage under the contract. Achieving each level of certification necessitates meeting particular standards by collaborating with various cybersecurity elements.

Information security standards help prove that the organization meets the stipulated data security levels and is compliant. These standards need to be effectively implemented and managed, and that is the role of an Information Security Management System (ISMS).

Using an information security management system

It is an open secret that every business is a target for cyberattacks. Despite the fact that data breaches are growing increasingly catastrophic, many firms still believe they will never be victims. If you have strong defenses, you can prevent most attacks and prepare for a breach. People, procedures, and technology are the three ISMS pillars that help an organization to achieve adequate security compliance.

An ISMS demonstrates the organization’s approach to information security. It will help you detect and respond to threats and opportunities posed by your sensitive data and any associated assets. This safeguards your organization and business processes from security breaches and protects them from disruption if they occur.

An ISMS is a framework for establishing, monitoring, reviewing, maintaining, and enhancing an organization’s information security compliance in order to achieve business and regulatory requirements. It is designed to identify, mitigate, and manage risks effectively by conducting a risk assessment and considering the firm’s risk appetite. Analyzing information asset protection requirements and implementing appropriate controls to ensure that these information assets are protected, as needed, helps in the effective deployment of an ISMS. An ISMS consists of the policies, processes, guidelines, allocated resources, and associated activities that an organization controls together to protect its information assets.

Information is data that is organized and processed, and which has a meaning in context for the receiver. Like other key business assets, it is critical to the operation of an organization and, as such, must be adequately secured. Electronic or optical media may store digital information (such as data files), while paper-based information (such as documents) or tacit knowledge among personnel can be used to store information as well. It can be sent via courier, email, or verbal conversation, among other methods. It must be protected regardless of how it is sent.

Information is reliant on information and communications technologies and infrastructure in many enterprises. This technology is frequently a critical component of an organization, assisting in generating, processing, storing, transferring, protecting, and destroying information.

Confidentiality, availability, and integrity form the three main dimensions of information security. Implementing and managing adequate security controls as part of an ISMS that addresses a wide range of possible risks helps reduce the effect of information security events, thereby ensuring long-term organizational success and continuity.

Controls are implemented according to the risk management process and managed through an ISMS to safeguard identified information assets in order to accomplish information security. These controls include policies and processes, as well as procedures and organizational structures. In order to meet the organization’s specific information security and business objectives, controls must be established, implemented, evaluated, reviewed, and, if necessary, upgraded. A company’s business activities must be taken into consideration while implementing information security controls.

Management entails actions aimed at directing, controlling, and continuously improving an organization within proper organizational structures. Management activities are the actions, styles, or practices of organizing, managing, directing, controlling, and regulating resources. Small enterprises may have a flat management structure with just one person, whereas large corporations may have hierarchies with dozens or even hundreds of people.

From an ISMS perspective, management includes the oversight, support, and decision-making essential to meet the business objectives and regulatory requirements by ensuring the security of the organization’s information assets. Information security management is exemplified by developing and implementing necessary policies, processes, and guidelines, which are subsequently implemented across the organization.

A management system makes use of a framework to help an organization accomplish its goals. Incorporating a management system means considering the organization’s structure, policies, and planning activities, along with roles and duties.

An information security management system helps an organization to do the following:

  • Meet all interested parties’ information security requirements
  • Design and execute the organization’s tasks more effectively
  • Realize the information security goals
  • Comply with all applicable laws, regulations, and industry best practices
  • Ensure systematic management of information assets

Principle of least privilege and need to know

According to the Principle of Least Privilege (POLP), a person should only be granted the privileges necessary to carry out their job. POLP also limits who has access to apps, systems, and processes to only those who are authorized. POLP is implemented in the Role-Based Access Control (RBAC) system, which guarantees that only information relevant to the user’s role is accessible and prohibits them from obtaining information that is not relevant to their role.

Following the POLP lowers the danger of an attacker compromising a low-level user account, device, or application, giving them access to vital systems or sensitive data. By using the POLP, compromises can be contained to the source location, rather than spreading throughout the entire system.

The need-to-know concept can be enforced through user access controls and permission procedures, and its goal is to ensure that only individuals who are authorized have access to the information or systems they need to perform their jobs.

According to this rule, a user should only have access to the data necessary to perform their work. Need to know implies that access is granted based on a legitimate requirement and is then revoked at the end of the project.

An ISMS reflects an organization’s attitude toward protecting data. Implementing an ISMS can be particularly important to an organization in protecting its own data as well as its clients’.

Why is an ISMS important?

An ISMS is crucial because they provide a structure for safeguarding a company’s most confidential data and assets. They aid businesses in spotting threats to their data and assets and devising strategies to counteract them.

According to recent PwC research, one in every four businesses worldwide has had a data breach that cost them between $1 and $20 million or more in the last three years. The average cost of a data breach in 2022 was $4.35 million, according to IBM and Ponemon’s 2022 research. Last year, the average breach cost $4.24 million. From $3.86 million in 2020, the average cost has increased by 12.7%.

A leading e-commerce company was fined $877 million for breaking GDPR cookie regulations, a telecom company paid $350 million to resolve a class action lawsuit over a data breach in early 2021, and a software company was penalized $60 million for misleading Australian customers about location data.

A study by the British Standards Institution (BSI) found that 51.6% of organizations with a certified ISMS reported fewer security incidents.

An ISMS helps an organization devise a plan for handling sensitive information, such as personal and confidential business information, in a systematic way. This reduces the chances of a data breach and the financial and reputational damage it can cause. An ISMS helps businesses comply with applicable laws and regulations, such as the GDPR and HIPAA, in order to avoid penalties and reputational damage.

It is necessary to address the risks connected with an organization’s information assets. All of an organization’s information assets have an associated risk, which needs to be addressed through risk management. Information security needs risk management, which incorporates risks posed by physical, human, and technological threats to all types of information stored or used by the company. This strategic choice must be seamlessly integrated, scaled, and updated to match the organization’s needs when an ISMS is designed for an organization.

The design and execution of an ISMS are influenced by a variety of factors, including the organization’s goals, security requirements, business processes, and size and structure. All stakeholders in the firm, including consumers, suppliers, business partners, shareholders, and other key third parties, must be taken into account while designing and operating an ISMS.

The importance of an ISMS cannot be overstated. An ISMS is a key facilitator of risk management initiatives in any sector. Data access and management become more challenging to govern due to public and private network interconnectivity and the sharing of information assets. Additionally, the proliferation of mobile storage devices carrying information assets has the potential to erode the effectiveness of existing controls.

Businesses that adhere to the ISMS family of standards show their ability to adopt consistent and mutually acknowledged information security principles to their clients and partners. The design and development of information systems do not always take information security requirements into account. The level of information security compliance that may be accomplished using technological approaches is restricted. It may be ineffective unless complemented by appropriate management and policy/procedures within the context of an ISMS.

It can be difficult and expensive to integrate security into a fully operational information system. An ISMS requires careful preparation and attention to detail because it entails establishing which controls are in place. As an example, in order to provide appropriate permission and access limitation to information assets or a facility, access controls need to be designed and put into place. The controls may be technological, physical, administrative, or a combination of all three, depending on the nature of the business and its information security needs.

Companies can have more confidence in the security of their information assets due to the effective deployment of an ISMS, which helps them identify and analyze risks, implement appropriate controls, and meet regulatory requirements.

In conclusion, an ISMS is valuable because it assists businesses in safeguarding private data and assets, mitigating the financial impact of data breaches, and meeting regulatory requirements. Using an ISMS enables organizations to manage their own data assets and those entrusted to them by third parties. Let’s look at the ingredients that make an ISMS implementation successful.

Key factors of an effective ISMS

Several factors contribute to the effectiveness of an ISMS implementation that helps a company to achieve its business goals. The following are the most important criteria for success:

  • Documented information on information security goals, policies, procedures, and implementations that are available and in alignment with the business objectives of the organization.
  • Architecture, implementation, tracking, maintenance, and enhancement of the information security framework in accordance with the organization’s culture and values.
  • All levels of management, especially senior management, showing their full support and commitment. The implementation should start from the top leadership to bring the right culture throughout the ISMS processes. This is known as a top-down approach.
  • Risk management and information security needs are clearly understood.
  • Successful implementation of information security awareness, training, and education programs that inform all interested parties, including employees, about the defined information security obligations of the organization and motivates them to abide by them.
  • An effective process for managing information security incidents.
  • An effective strategy and process for ensuring business continuity.
  • An adequate system for the performance measurement of an information security framework.
  • Continuous improvement of management system operations by discovering and correcting non-conformities as they arise.

An ISMS boosts an organization’s likelihood of regularly achieving the important success criteria essential to safeguard its information assets.

The ISO 27000 series of standards cover all the requirements, including sector-specific ones for implementing a robust and sustainable ISMS. The organization chooses what to implement based on the business requirements.

The ISO 27000 series

Businesses of any kind can manage the security of assets such as financial information, intellectual property, employee details, or information entrusted by third parties by using the ISO/IEC 27000 family of standards. They cover a wide range of businesses, large and small, in every industry.

In response to changing information security requirements in many industries and contexts, new standards are being developed to keep pace with the rapid advancement of technology.

There are a number of standards in the ISMS family that do the following:

  • Outline the standards for an ISMS and for those who certify such systems (for example, ISO/IEC 27001, ISO/IEC 27006, and so on)
  • Assist in the whole process of establishing, implementing, maintaining, and improving an ISMS (for example, ISO/IEC 27002, ISO/IEC 27003, ISO/IEC 27004, and so on)
  • Address industry-specific rules for the ISMS (for example, ISO/IEC 27010, ISO/IEC 27011, and so on)
  • Deal with ISMS conformance assessment (for example, ISO/IEC 17021)

ISO 27001, and other management system standards published by ISO, undergo periodic reviews and updates to ensure their continued relevance and effectiveness in addressing emerging risks and evolving industry practices. These revisions reflect the commitment of the standard-setting bodies to incorporate advancements in technology, address emerging threats, and align with changing regulatory requirements to maintain the highest standards of information security management.

Let's look at a few of the ISO 27000 series of standards that have been published.

ISO/IEC 27001

This standard is known as Information security, Cybersecurity, and Privacy protection – Information security management systems – Requirements (https://www.iso.org/).

This standard talks about the requirements for implementing an effective information security management system. Using ISO/IEC 27001, an organization can build and operate an ISMS that includes a set of controls for controlling and mitigating risks connected with its information assets. Organizational conformance can be audited and certified.

One further set of criteria and guidelines for a Privacy Information Management System (PIMS) is specified in ISO/IEC 27701, which is an extension of ISO/IEC 27001 (ISMS).

All businesses of any kind and size may benefit from the standard since it helps them fulfill legal obligations while also managing privacy concerns associated with Personally Identifiable Information (PII).

ISO/IEC 27006

This standard is known as Information technology – Security techniques –Requirements for bodies providing audit and certification of information security management systems (https://www.iso.org/home.html).

This standard lays out the requirements and offers guidance to organizations that do ISMS audits and certifications. Its primary purpose is to facilitate the accreditation of certifying organizations that issue ISMS certifications. Organizations that provide ISO/IEC 27001 audits and ISMS certification should follow this standard’s criteria and recommendations.

ISO/IEC 27006 is a supplement to ISO/IEC 17021 that establishes the accreditation requirements for certification firms for them to provide compliance certifications that meet the ISO/IEC 27001 requirements.

ISO/IEC 27002

This standard is known as Information security, Cybersecurity and Privacy protection – Information security controls (https://www.iso.org/).

This standard establishes guidelines and management techniques for corporate information security. Using the standard’s controls and best practice recommendations, implementers can make well-informed decisions about which controls to use and how to put them in place to fulfill their information security goals.

The ISO/IEC 27002 guideline is a code of practice for information security controls that outlines the procedures for implementing the security controls established in the ISO 27001 standard.

ISO/IEC 27003

This standard is known as Information technology – Security techniques – Information security management systems – Guidance (https://www.iso.org/).

ISO/IEC 27003 is intended to assist organizations in designing and implementing an ISMS. It gives straightforward instructions on how to plan an ISMS project in organizations of all sizes and sectors.

ISO 27001:2013 specifies the what, whereas ISO 27003 specifies the how. It provides direction for the actions required to implement and launch an ISMS.

ISO/IEC 27004

This standard is known as Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation (https://www.iso.org/).

ISO/IEC 27004 specifies methods to evaluate ISO 27001’s performance. The standard is designed to assist companies in assessing the efficacy and efficiency of their ISMS by providing the information essential for managing and improving the framework in a methodical manner.

Additionally, it defines how to develop and implement measurement processes, as well as how to evaluate and report on the results of connected measurement constructs, which enables the effectiveness of an ISMS to be evaluated in accordance with ISO/IEC 27001.

ISO/IEC 27005

This standard is known as Information security, cybersecurity, and privacy protection – Guidance on managing information security risks (https://www.iso.org/).

This standard contains risk management recommendations for information security and is intended to aid in the successful implementation of information security using a risk management strategy. An efficient ISMS must identify organizational needs in relation to information security requirements and follow the guidelines in ISO/IEC 27005, which explains how to carry out a risk assessment in compliance with ISO/IEC 27001 criteria.

For an organization, risk assessments are critical to the ISO/IEC 27001 compliance process.

ISO/IEC 27007

This standard is known as Information security, cybersecurity, and privacy protection – Guidelines for information security management systems auditing (https://www.iso.org/).

This standard gives advice on performing ISMS audits and on the competence of auditors. In order to administer an ISMS audit program in accordance with the requirements defined in ISO/IEC 27001, businesses must follow ISO/IEC 27007.

ISMS audit program management, auditing, and the competency of ISMS auditors are all addressed in these guidelines. They may be used by anybody who needs to understand or perform an ISMS audit, whether it’s internal or external, or who needs to manage an ISMS auditing program.

ISO/IEC TS 27008

This standard is known as Information technology – Security techniques – Guidelines for the assessment of information security controls (https://www.iso.org/).

This standard contains instructions for conducting a review and assessment of information security controls. These controls are evaluated in accordance with an organization’s established ISMS framework. This document offers guidance on how to review and assess how well the controls have been implemented, how they are working, and how well they have been technically evaluated.

Information security assessments and technical compliance checks are relevant to all kinds and sizes of organizations, including public and private businesses, government agencies, and not-for-profit ones.

ISO/IEC 27013

This standard is known as Information security, cybersecurity, and privacy protection – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (https://www.iso.org/).

This standard provides guidance to users on how to establish a dual management system that includes procedures and documentation. This will guide the deployment of ISO/IEC 27001 and ISO/IEC 20000-1 simultaneously or sequentially and match the current ISO/IEC 27001 and ISO/IEC 20000-1 management system specifications.

As a result, businesses are better able to design an integrated management system that complies with both ISO/IEC 27001 and ISO/IEC 20000-1 standards and comprehend the features, similarities, and differences between the two.

ISO/IEC 27014

This standard is known as Information security, cybersecurity, and privacy protection – Governance of information security (https://www.iso.org/).

An organization’s information security actions can be evaluated, directed, monitored, and communicated using ISO/IEC 27014. According to the guidelines laid forth in this standard, information security governance should be based on principles and processes. Information security management may be assessed, directed, and monitored with the use of this. If an organization’s information security measures are breached, it may have a negative effect on the organization’s public image. A requirement of this standard is that an organization’s governing bodies be given oversight of information security to guarantee that its objectives are fulfilled.

ISO/IEC TR 27016

This standard is known as Information technology – Security techniques – Information security management – Organizational economics (https://www.iso.org/).

This standard lays forth the principles by which an organization should make decisions regarding the security of its data by considering the financial impact of such decisions. The technical report equips the organization with the knowledge necessary to more accurately assess the risks associated with its identified information assets, comprehend the value that information security measures add to those assets, and determine the appropriate level of resources to apply to secure those assets.

It outlines how an organization may make information-protection choices and assess the economic implications of such decisions in the setting of conflicting resource demands.

ISO/IEC 27010

This standard is known as Information technology – Security techniques – Information security management for inter-sector and inter-organizational communications (https://www.iso.org/).

This standard establishes guidelines for information security collaboration and coordination between organizations within the same domain, between domains, and with authorities. When it comes to inter-organizational and inter-sector communications, this standard provides guidelines for the implementation of information security management. It also provides controls and guidance related to the inception, implementation, maintenance, and improvement of information security in those communications.

The guidelines apply to all types of sensitive information transmission and sharing (public and private, national and international, within the same sectors or across industry sectors).

ISO/IEC 27011

This standard is known as Information technology – Security techniques – Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations (https://www.iso.org/).

This standard offers information security management recommendations for telecommunications businesses. The ISO/IEC 27002 rules have been adapted to fit the needs of the industrial sector.

ISO/IEC TR 27015

This standard is known as Information technology – Security techniques – Information security management guidelines for financial services (https://www.iso.org/).

In addition to the recommendations provided in the ISO/IEC 27000 family of standards, ISO/IEC TR 27015 offers guidance for establishing, implementing, maintaining, and enhancing information security in financial services companies.

ISO 27017

This standard is known as Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services (https://www.iso.org/).

ISO 27017 is a collection of principles for securing cloud-based infrastructures and reducing the risk of security incidents. Customers may be confident that a business is committed to providing secure cloud services and that it has procedures in place to deal with any difficulties that may arise as a result of that commitment.

ISO 27018

This standard is known as Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (https://www.iso.org/).

The ISO/IEC 27018 standard is a set of rules or a code of conduct for the selection of PII protection measures as part of the implementation of an ISO/IEC 27001-based cloud computing information security management system.

ISO 27799

This standard is known as Health informatics – Information security management in health using ISO/IEC 27002 (https://www.iso.org/).

This standard includes guidelines for establishing an ISMS to help healthcare organizations in adopting an ISMS that has industry-specific adaptations of ISO/IEC 27002 standards.

Following the ISO 27000 series of standards helps organizations protect their critical and confidential data. In this section, we saw the various standards available in the ISO 27000 family. Although there are numerous standards in the family, only a few are relevant as such from an implementation perspective, which were explained.

Summary

This chapter discussed the family of information security standards that can be implemented to ensure the CIA triad across an organization. You also learned about the ISMS framework and its relevance and the ISO 27000 series of standards. In the next chapter, we will discuss the origin and structure of the ISO 27001 framework. You will also learn in detail about the PDCA cycle, legal and regulatory compliance, certifications and accreditations, and more.

Left arrow icon Right arrow icon

Key benefits

  • Familiarize yourself with the clauses and control references of ISO/IEC 27001:2022
  • Define and implement an information security management system aligned with ISO/IEC 27001/27002:2022
  • Conduct management system audits to evaluate their effectiveness and adherence to ISO/IEC 27001/27002:2022

Description

ISO 27001 and ISO 27002 are globally recognized standards for information security management systems (ISMSs), providing a robust framework for information protection that can be adapted to all organization types and sizes. Organizations with significant exposure to information-security–related risks are increasingly choosing to implement an ISMS that complies with ISO 27001. This book will help you understand the process of getting your organization's information security management system certified by an accredited certification body. The book begins by introducing you to the standards, and then takes you through different principles and terminologies. Once you completely understand these standards, you’ll explore their execution, wherein you find out how to implement these standards in different sizes of organizations. The chapters also include case studies to enable you to understand how you can implement the standards in your organization. Finally, you’ll get to grips with the auditing process, planning, techniques, and reporting and learn to audit for ISO 27001. By the end of this book, you’ll have gained a clear understanding of ISO 27001/27002 and be ready to successfully implement and audit for these standards.

Who is this book for?

This book is for information security professionals, including information security managers, consultants, auditors, officers, risk specialists, business owners, and individuals responsible for implementing, auditing, and administering information security management systems. Basic knowledge of organization-level information security management, such as risk assessment, security controls, and auditing, will help you grasp the topics in this book easily.

What you will learn

  • Develop a strong understanding of the core principles underlying information security
  • Gain insights into the interpretation of control requirements in the ISO 27001/27002:2022 standard
  • Understand the various components of ISMS with practical examples and case studies
  • Explore risk management strategies and techniques
  • Develop an audit plan that outlines the scope, objectives, and schedule of the audit
  • Explore real-world case studies that illustrate successful implementation approaches

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Aug 11, 2023
Length: 236 pages
Edition : 1st
Language : English
ISBN-13 : 9781803243160

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning

Product Details

Publication date : Aug 11, 2023
Length: 236 pages
Edition : 1st
Language : English
ISBN-13 : 9781803243160

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 134.97
Mastering Information Security Compliance Management
$39.99
Information Security Handbook
$44.99
Practical Cybersecurity Architecture
$49.99
Total $ 134.97 Stars icon

Table of Contents

17 Chapters
Part 1: Setting the Stage – Definitions, Concepts, Principles, Standards, and Certifications Chevron down icon Chevron up icon
Chapter 1: Foundations, Standards, and Principles of Information Security Chevron down icon Chevron up icon
Chapter 2: Introduction to ISO 27001 Chevron down icon Chevron up icon
Part 2: The Protection Strategy – ISO/IEC 27001/02 Design and Implementation Chevron down icon Chevron up icon
Chapter 3: ISMS Controls Chevron down icon Chevron up icon
Chapter 4: Risk Management Chevron down icon Chevron up icon
Chapter 5: ISMS – Phases of Implementation Chevron down icon Chevron up icon
Chapter 6: Information Security Incident Management Chevron down icon Chevron up icon
Chapter 7: Case Studies – Certification, SoA, and Incident Management Chevron down icon Chevron up icon
Part 3: How to Sustain – Monitoring and Measurement Chevron down icon Chevron up icon
Chapter 8: Audit Principles, Concepts, and Planning Chevron down icon Chevron up icon
Chapter 9: Performing an Audit Chevron down icon Chevron up icon
Chapter 10: Audit Reporting, Follow-Up, and Strategies for Continual Improvement Chevron down icon Chevron up icon
Chapter 11: Auditor Competence and Evaluation Chevron down icon Chevron up icon
Chapter 12: Case Studies – Audit Planning, Reporting Nonconformities, and Audit Reporting Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.7
(19 Ratings)
5 star 84.2%
4 star 10.5%
3 star 0%
2 star 0%
1 star 5.3%
Filter icon Filter
Top Reviews

Filter reviews by




Terence Hamilton Aug 25, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
The authors and reviewers have more than 30 years of combined experience, auditing, developing strategies, implementing globally recognized standards and frameworks to provide Information Security Management Systems for various organizations worldwide! They provided examples of past breaches and their costs in the millions!The book concisely revealed how implementing an Information Security Management System or (ISMS) using the standards mentioned in the book will help to assess the company and potentially discover any threats to their data and then develop strategies to counteract those threats. I liked how concise the information is and I am not left guessing anything.The book cleared up many misconceptions for me and I now understand, on a deeper level, the importance of having a properly structured ISMS in place that adheres to the underlying Confidentiality, Integrity and Availability or (CIA) framework of the ISO/IEC 27000 Information Security Standards. Also, the strategies to implement the standards within organizations.
Amazon Verified review Amazon
Cristian R. Sep 01, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I recently got the opportunity to read "Mastering Information Security Compliance Management" by Adarsh Nair and Greeshma M. R. from Packt provided to me by Shruthi Setty. Starting with the CIA triad right off the bat followed by an overview of some of the most important sets of standards, this book knocks it out of the park from chapter one. With a solid overview of ISO 27001 and even diving into Risk Management and Information Security Incident Management, it provides the reader a great insight into the real world considerations surrounding not only compliance, but also security. With the need to validate compliance, the dive into auditing concepts was broad and deep enough to prepare the reader to embark on their journey towards the "Auditor" title. Sprinkling in some use cases really rounded off the material with clear examples 'in action' so to speak. All in all, I would definitely recommend this book.
Amazon Verified review Amazon
Dwayne Natwick Sep 10, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
The process and framework for security, risk, and compliance should be important to the entire organization and a focus on all information systems and applications. Packt publishing's Mastering Information Security Compliance Management from Adarsh Nair and Greeshma M R provide an in-depth guide to create the management and monitoring framework for security and compliance with the ISO 27001 standards and recommendations. If you are building a security and risk management program, this book is for you.
Amazon Verified review Amazon
Georgie Kurien Oct 10, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
"Mastering Information Security Compliance Management: A comprehensive handbook on ISO/IEC 27001:2022 compliance," co-authored by Adarsh Nair, the Head of Information Security at UST, and Greeshma M. R., a qualified Information Security Auditor and entrepreneur, serves as a masterclass in understanding and implementing the ISO/IEC 27001:2022 standards. The book methodically dissects the intricate facets of Information Security Management System (ISMS) by dedicating individual chapters to its various components, from foundational principles to audit reporting.Adarsh Nair and Greeshma's expertise shines brightly, allowing readers to delve deep into the operational model of ISO 27001, comprehend its benefits, and understand the processes vital for accreditation. The book’s layout is logically structured, providing step-by-step guidance on developing a robust ISMS, while also emphasizing the critical role of risk management and comprehensive incident management plans.Real-world case studies punctuate the text, offering invaluable practical insights and grounding theoretical concepts in tangible scenarios. The chapters on auditing principles, processes, and competencies are particularly enlightening, revealing the meticulousness and professionalism required in the auditing process.Conclusively, this handbook is indispensable for organizations aiming to implement the ISO 27001:2022-based ISMS or professionals aspiring to make their mark in the ISMS domain. A thorough, well-structured, and expertly written guide, this book is set to become the gold standard in the realm of information security compliance management.
Amazon Verified review Amazon
CBR Oct 03, 2023
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book is a must have for anyone who wants to dive into security standards, management systems, incident management, and auditing. Mastering Information SecurityCompliance Management covers a vast amount of topics and details so you can become familiar with many important aspects of information security. Real-life case studies help cement and support the applications you learn about.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

How do I buy and download an eBook? Chevron down icon Chevron up icon

Where there is an eBook version of a title available, you can buy it from the book details for that title. Add either the standalone eBook or the eBook and print book bundle to your shopping cart. Your eBook will show in your cart as a product on its own. After completing checkout and payment in the normal way, you will receive your receipt on the screen containing a link to a personalised PDF download file. This link will remain active for 30 days. You can download backup copies of the file by logging in to your account at any time.

If you already have Adobe reader installed, then clicking on the link will download and open the PDF file directly. If you don't, then save the PDF file on your machine and download the Reader to view it.

Please Note: Packt eBooks are non-returnable and non-refundable.

Packt eBook and Licensing When you buy an eBook from Packt Publishing, completing your purchase means you accept the terms of our licence agreement. Please read the full text of the agreement. In it we have tried to balance the need for the ebook to be usable for you the reader with our needs to protect the rights of us as Publishers and of our authors. In summary, the agreement says:

  • You may make copies of your eBook for your own use onto any machine
  • You may not pass copies of the eBook on to anyone else
How can I make a purchase on your website? Chevron down icon Chevron up icon

If you want to purchase a video course, eBook or Bundle (Print+eBook) please follow below steps:

  1. Register on our website using your email address and the password.
  2. Search for the title by name or ISBN using the search option.
  3. Select the title you want to purchase.
  4. Choose the format you wish to purchase the title in; if you order the Print Book, you get a free eBook copy of the same title. 
  5. Proceed with the checkout process (payment to be made using Credit Card, Debit Cart, or PayPal)
Where can I access support around an eBook? Chevron down icon Chevron up icon
  • If you experience a problem with using or installing Adobe Reader, the contact Adobe directly.
  • To view the errata for the book, see www.packtpub.com/support and view the pages for the title you have.
  • To view your account details or to download a new copy of the book go to www.packtpub.com/account
  • To contact us directly if a problem is not resolved, use www.packtpub.com/contact-us
What eBook formats do Packt support? Chevron down icon Chevron up icon

Our eBooks are currently available in a variety of formats such as PDF and ePubs. In the future, this may well change with trends and development in technology, but please note that our PDFs are not Adobe eBook Reader format, which has greater restrictions on security.

You will need to use Adobe Reader v9 or later in order to read Packt's PDF eBooks.

What are the benefits of eBooks? Chevron down icon Chevron up icon
  • You can get the information you need immediately
  • You can easily take them with you on a laptop
  • You can download them an unlimited number of times
  • You can print them out
  • They are copy-paste enabled
  • They are searchable
  • There is no password protection
  • They are lower price than print
  • They save resources and space
What is an eBook? Chevron down icon Chevron up icon

Packt eBooks are a complete electronic version of the print edition, available in PDF and ePub formats. Every piece of content down to the page numbering is the same. Because we save the costs of printing and shipping the book to you, we are able to offer eBooks at a lower cost than print editions.

When you have purchased an eBook, simply login to your account and click on the link in Your Download Area. We recommend you saving the file to your hard drive before opening it.

For optimal viewing of our eBooks, we recommend you download and install the free Adobe Reader version 9.