08 November 2013

IT Governance: A Manager’s Guide to Data Security and ISO27001/27002 by Alan Calder

I resolve to “read” Mr Calder’s book which I ordered from Amazon from “cover to cover” – or at least to peruse the whole thing so I know what it contains.

On the face of it, from a cursory glance it looks okay. It is written by a Briton with a UK audience in mind, it’s only just been published and, best of all, the typeface is nice and big, so its 300 pages shouldn’t take forever to digest!

The book’s got 28 chapters. Seemingly chapters 5 to 26 are about different areas of security, e.g. Human Resource Security and the physical protection of your site and offices, amongst other things. I am keen to get into chapter 5 onwards as I hope these will tell me what I practically need to do to comply with the ISO 27001 Standard.

Chapter 1 explains what Information Security is. This is a well-written introduction for somebody with a business brain who really didn’t know. It explains the reasons why information security is becoming increasingly important. Chapter 2 explains how various pieces of predominantly US and UK legislation have converged and morphed into a compliance model. Sarbanes-Oxley is included in this.

Chapter 3 is about the ISO 27001 standard itself – I groan on p39 when Plan Do Check Act makes a reappearance.

Suddenly, I find a nice clear list on page 40. There are six steps to planning for ISO 27001:

  1. Define the scope of the management system
  2. Define the policy
  3. Find a risk assessment method
  4. Carry out the risk assessment
  5. Decide how these risks are going to be countered or mitigated
  6. Prepare a Statement of Applicability – whatever that is.

Then Alan Calder talks about what we actually have to do:

Alan Calder’s points, each followed by my reaction / thoughts:

  1. Alan Calder: Formulate a risk treatment plan and document it, including planned processes and supporting documentation.
     My reaction: I haven’t yet seen such a Risk Treatment Plan and have no idea what the other documentation should look like.
  2. Alan Calder: Implement the risk treatment plan and planned controls.
     My reaction: I know what a control is but I would like to see an example of one at this stage.
  3. Alan Calder: Training for staff.
     My reaction: OK, but on what?
  4. Alan Calder: Managing operations and resources in line with the management system.
     My reaction: A statement of common sense which gives little guidance as to how it’s done.
  5. Alan Calder: Implementation of procedures that allow prompt detection and response to security incidents.
     My reaction: OK, I trust this would be an audit trail of updates to a SQL database, for example.

There is more useful stuff on page 43 with a list of required documentation. Some of this is readily understandable in that it says the information security policy and the scope of the management system must be defined. These are short documents and you need only one of each of them. I have learnt from my Supply London Courses that the Policy is a statement of an organisation’s intent to continually improve its information security. The Scope is that area of your organisation to which the management system applies, e.g. the customer service department, the whole company or its Scottish operations.

Things get more confusing again further down the list of required documents.  One needs documented procedures which implement specific controls.

Buried in this paragraph is an explanation that a Work Instruction is an “even more detailed description of how to perform a specific task” than a procedure. So I was basically correct when I thought these two amounted to the same thing. Perhaps all this is very confusing, but I am getting an accurate grasp after all. I find this reassuring and move on to Chapter 4!

Based on historical entries in my diary
