Title:
IT Governance : An International Guide to Data Security and ISO27001/ISO27002.
Author:
Calder, Alan.
ISBN:
9780749464868
Edition:
5th ed.
Physical Description:
1 online resource (384 pages)
Contents:
Introduction -- The information economy -- What is IT governance? -- Information security
01 Why is information security necessary? -- The nature of information security threats -- Information insecurity -- Impacts of information security threats -- Cybercrime -- Cyberwar -- Advanced persistent threat -- Future risks -- Legislation -- Benefits of an information security management system
02 The UK Combined Code, the Turnbull Report and Sarbanes-Oxley -- The Combined Code -- The Turnbull Report -- The Revised Combined Code -- Sarbanes-Oxley -- Enterprise risk management -- Regulatory compliance -- IT governance
03 ISO27001 -- Benefits of certification -- The history of ISO27001 and ISO27002 -- The ISO/IEC 27000 series of standards -- Use of the standard -- ISO/IEC 27002 -- The Plan-Do-Check-Act and process approach -- Structured approach to implementation -- Quality system integration -- Documentation -- Continual improvement and metrics
04 Organizing information security -- Internal organization -- Management review -- The information security manager -- The cross-functional management forum -- The ISO27001 project group -- Approval process for information processing facilities -- Specialist information security advice -- Contact with authorities and special interest groups -- Independent review of information security -- Summary
05 Information security policy and scope -- Information security policy -- A policy statement -- Costs and the monitoring of progress
06 The risk assessment and Statement of Applicability -- Establishing security requirements -- Risks, impacts and risk management -- Selection of controls and Statement of Applicability -- Gap analysis -- Risk assessment tools -- Risk treatment plan -- Measures of effectiveness
07 External parties -- Identification of risks related to external parties -- Types of access -- Reasons for access -- Outsourcing -- On-site contractors -- Addressing security when dealing with customers -- Addressing security in third-party agreements
08 Asset management -- Asset owners -- Inventory -- Acceptable use of assets -- Information classification -- Unified classification markings -- Government classification markings -- Information lifecycle -- Information labelling and handling -- Non-disclosure agreements and trusted partners
09 Human resources security -- Job descriptions and competency requirements -- Screening -- Terms and conditions of employment -- During employment -- Disciplinary process -- Termination or change of employment
10 Physical and environmental security -- Secure areas -- Public access, delivery and loading areas
11 Equipment security -- Equipment siting and protection -- Supporting utilities -- Cabling security -- Equipment maintenance -- Security of equipment off-premises -- Secure disposal or reuse of equipment -- Removal of property
12 Communications and operations management -- Documented operating procedures -- Change management -- Segregation of duties -- Separation of development, test and operational facilities -- Third-party service delivery management -- Monitoring and review of third-party services -- Managing changes to third-party services -- System planning and acceptance
13 Controls against malicious software (malware) and back-ups -- Viruses, worms and Trojans -- Spyware -- Anti-malware software -- Hoax messages -- Phishing and pharming -- Anti-malware controls -- Airborne viruses -- Controls against mobile code -- Back-up
14 Network security management and media handling -- Network management -- Media handling
15 Exchanges of information -- Information exchange policies and procedures -- Exchange agreements -- Physical media in transit -- Business information systems
16 E-commerce services -- E-commerce issues -- Security technologies -- Server security -- Online transactions -- Publicly available information
17 E-mail, internet use and social media -- Security risks in e-mail -- Spam -- Misuse of the internet -- Internet acceptable use policy -- Social media
18 Access control -- Hackers -- Hacker techniques -- System configuration -- Access control policy -- User access management -- Clear desk and clear screen policy
19 Network access control -- Networks -- Network security -- Server virtualization
20 Operating system access control -- Secure log-on procedures -- User identification and authentication -- Password management system -- Use of system utilities -- Session time-out -- Limitation of connection time
21 Application access control and teleworking -- Application and information access control -- Mobile computing and teleworking -- Teleworking
22 Systems acquisition, development and maintenance -- Security requirements analysis and specification -- Correct processing in applications
23 Cryptographic controls -- Encryption -- Public key infrastructure -- Digital signatures -- Non-repudiation services -- Key management
24 Security in development and support processes -- System files -- Access control to program source code -- Development and support processes -- Vulnerability management
25 Monitoring and information security incident management -- Monitoring -- Information security events -- Management of information security incidents and improvements -- Legal admissibility
26 Business continuity management -- ISO22301 -- The business continuity management process -- Business continuity and risk assessment -- Developing and implementing continuity plans -- Business continuity planning framework -- Testing, maintaining and reassessing business continuity plans
27 Compliance -- Identification of applicable legislation -- Intellectual property rights -- Safeguarding of organizational records -- Data protection and privacy of personal information -- Prevention of misuse of information processing facilities -- Regulation of cryptographic controls -- Compliance with security policies and standards -- Information systems audit considerations
28 The ISO27001 audit -- Selection of auditors -- Initial audit -- Preparation for audit
Terminology
Appendix 1: Useful websites -- IT Governance Ltd -- ISO27001 certification organizations -- Microsoft -- Information security
Appendix 2: Further reading -- ISO27000 family of standards -- Books -- Toolkits
Index
Abstract:
IT Governance offers a full understanding of how best to deal with information security risks, including an overview of the very latest industry standards in key markets around the world.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.