book

IT Governance – An international guide to data security and ISO 27001/ISO 27002, Eighth edition

Name: IT Governance – An international guide to data security and ISO 27001/ISO 27002, Eighth edition
ISBN: 9781787784109

by Alan Calder, Steve Watkins

July 2024

Intermediate to advanced

486 pages

11h 19m

English

IT Governance Publishing

Read now

Unlock full access

Cover
Title
Copyright
Contents
About the Authors
Introduction
The information economyWhat is IT governance?Information security
Chapter 1: Why is information security necessary?
The nature of information security threatsInformation insecurityImpacts of information security threatsCyber crimeCyber warAdvanced persistent threatFuture risksLegislationBenefits of an information security management system
Chapter 2: The corporate governance code, the FRC guidance on risk management, and Sarbanes–Oxley
The Combined CodeThe Turnbull ReportThe Corporate Governance CodeSarbanes–OxleyEnterprise risk managementRegulatory complianceIT governance
Chapter 3: ISO 27001
Benefits of certificationThe history of ISO 27001 and ISO 27002The ISO/IEC 27000 series of standardsUse of the StandardISO/IEC 27002Continual improvement, Plan–Do–Check–Act, and process approachStructured approach to implementationManagement system integrationDocumentationContinual improvement and metrics
Chapter 4: Organizing information security
Internal organizationManagement reviewThe information security managerThe cross-functional management forumThe ISO 27001 project groupSpecialist information security adviceSegregation of dutiesContact with authoritiesContact with special interest groupsInformation security in project managementIndependent review of information securitySummary

Chapter 5: Information security policy and scope
Context of the organizationInformation security policyA policy statementCosts and the monitoring of progress
Chapter 6: The risk assessment and Statement of Applicability
Establishing security requirementsRisks, impacts, and risk managementThreat intelligenceCyber EssentialsSelection of controls and Statement of ApplicabilityStatement of Applicability exampleGap analysisRisk assessment toolsRisk treatment planMeasures of effectiveness
Chapter 7: Mobile and remote working
Mobile devices and remote workingRemote working
Chapter 8: Human resources security
Job descriptions and competency requirementsScreeningTerms and conditions of employmentDuring employmentDisciplinary processTermination or change of employment
Chapter 9: Asset management
Asset ownersInventory of information assetsAcceptable use of information and other assetsClassification of informationUnified classification markingsGovernment classification markingsInformation lifecycleLabeling of informationNon-disclosure agreements and trusted partners
Chapter 10: Exchanges of information
Information transfer policies and proceduresAgreements on information transfersManagement of removable mediaEmail and social mediaSecurity risks in emailSpamMisuse of the Internet and web filteringInternet acceptable use policySocial media
Chapter 11: Access control
HackersHacker techniquesAccess control
Chapter 12: User access management
Identity managementAccess rightsPassword management system
Chapter 13: Supplier relationships
Information security policy for supplier relationshipsAddressing security within supplier agreementsManaging information security in the ICT supply chainMonitoring, review, and change management of supplier servicesManaging changes to supplier servicesInformation security for Cloud services
Chapter 14: Physical and environmental security
Physical security perimetersDelivery and loading areasPhysical security monitoringProtecting against external and environmental threats
Chapter 15: Equipment security
Equipment siting and protectionSupporting utilitiesCabling securityEquipment maintenanceSecurity of equipment and assets off-premisesSecure disposal or reuse of equipmentUnattended user equipmentClear desk and clear screen policy
Chapter 16: System and application access control
Information access restrictionDynamic access controlAccess control to source codeSecure authenticationUse of privileged utility programsInstallation of software on operational systems
Chapter 17: Cryptography
EncryptionPublic key infrastructureDigital signaturesNon-repudiation servicesKey management
Chapter 18: Operations security
Documented operating proceduresChange managementSeparation of development, testing and operational environmentsInformation backup
Chapter 19: Controls against malicious software (malware)
Viruses, worms, Trojans, and rootkitsSpywareAnti-malware softwareHoax messages and ransomwarePhishing and pharmingAnti-malware controlsAirborne virusesTechnical vulnerability managementSystem configurationInformation deletionData maskingData leakage prevention
Chapter 20: Networks security
Network security managementNetworks securityAccess to networks and network services
Chapter 21: System acquisition, development, and maintenance
Security requirements analysis and specificationApplication security requirementsE-commerce issuesSecurity technologies
Chapter 22: Development and support processes
Secure development policySecure systems architecture and engineering principlesSecure codingSecure development environmentSecurity testing in development and acceptance
Chapter 23: Monitoring and information security incident management
Logging and monitoringInformation security events and incidentsIncident management – responsibilities and proceduresReporting information security eventsReporting software malfunctionsAssessment of and decision on information security eventsResponse to information security incidentsLegal admissibility
Chapter 24: Business and information security continuity management
ISO 22301The business continuity management processBusiness continuity and risk assessmentDeveloping and implementing continuity plansBusiness continuity planning frameworkTesting, maintaining, and reassessing business continuity plansInformation security continuity
Chapter 25: Compliance
Identification of applicable legislationRegulation of cryptographic controlsIntellectual property rightsProtection of organizational recordsPrivacy and protection of personally identifiable informationCompliance with security policies and standards
Chapter 26: The ISO 27001 audit
Selection of auditorsInitial auditPreparation for auditTerminologyInformation systems audit considerations
Appendix 1: Useful websites
Appendix 2: Further reading
Index

Content preview from IT Governance – An international guide to data security and ISO 27001/ISO 27002, Eighth edition

CHAPTER 22: DEVELOPMENT AND SUPPORT PROCESSES

The purpose of control A.8.25 is to ensure the inclusion of information security within the development lifecycle.

The systems development lifecycle (SDLC) – also sometimes called the application development lifecycle – is a process for planning, creating, testing, and deploying an information system. The term is used to describe whatever mix of hardware, software, coding, and application services are required to deliver the information systems objective. NIST has a useful paper on the SDLC at https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final. SDLC can operate within any project management environment, from Agile to waterfall, and with any project management methodology, from Scrum to PRINCE2^®. ISO ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

The Cybersecurity Guide to Governance, Risk, and Compliance

Publisher Resources

ISBN: 9781787784109Publisher Website

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

IT Governance – An international guide to data security and ISO 27001/ISO 27002, Eighth edition

by Alan Calder, Steve Watkins

CHAPTER 22: DEVELOPMENT AND SUPPORT PROCESSES

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.