Implementing the ISO/IEC 27001 Information Security Management System Standard. By Edward Humphreys. Published by Artech House Publishers, www.artechhouse.com (Web); 290 pages; $85.
Author Edward Humphreys provides a good introduction to the ISO/IEC 27001 standard for institutional IT security in a simple and practical form, but he does not provide a much-needed explanation of how to apply the standard in the real world.
Humphreys places the standard in the context of risk and risk management, explaining development and implementation of a compliance structure. He also addresses the challenges of establishing governance and maintaining compliance as the standard is amended. The book further outlines methods for monitoring and reviewing information security management systems, including checklists and benchmarking methods, and it describes several IT security case studies.
Readers should consider that while ISO/IEC 27001 is widely applied outside North America, this is not the case in the United States and Canada. It is, however, increasingly likely that more North American companies will adopt it.
The book could serve as a basic “instruction manual” for adoption of ISO/IEC 27001. But as we all know, instruction manuals alone are of limited help when trying to use something new. The author needs to write “Volume Two” to provide a book that is more useful to IT security professionals.
Reviewer: Jim Litchko is CEO of Cyber Security Professionals in Kensington, Maryland. He is a member of the ASIS Information Technology Security Council and the Privacy and Personnel Management Council.