Title: IT Governance, 7/e
Subtitle: An International Guide to Data Security and ISO 27001/ISO 27002
Author: Alan Calder, Steve Watkins
ISBN: 9780749496951
List price: GBP 49.99
Price outside India: Available on Request
Binding: Paperback
No. of pages: 408
Book size: 153 x 229 mm
Publishing year: 2020
Original publisher: Kogan Page Limited
Exclusive distributors: Viva Books Private Limited
Sales territory: India, Sri Lanka, Bangladesh, Pakistan, Nepal
Status: New Arrival

About the book:


Faced with the compliance requirements of increasingly punitive information and privacy-related regulation, as well as the proliferation of complex threats to information security, there is an urgent need for organizations to adopt IT governance best practice. IT Governance is a key international resource for managers in organizations of all sizes and across industries, and deals with the strategic and operational aspects of information security.

Now in its seventh edition, the bestselling IT Governance provides guidance for companies looking to protect and enhance their information security management systems (ISMS) and protect themselves against cyber threats. The new edition covers changes in global regulation, particularly GDPR, and updates to standards in the ISO/IEC 27000 family, BS 7799-3:2017 (information security risk management) and the latest standards on auditing. It also includes advice on the development and implementation of an ISMS that will meet the ISO 27001 specification and how sector-specific standards can and should be factored in. With information on risk assessments, compliance, equipment and operations security, controls against malware and asset management, IT Governance is the definitive guide to implementing an effective information security management and governance system.


Key Features:

  • Advises on the development and implementation of an information security management system that will meet the ISO 27001 specification
  • Outlines IT governance best practice for international organizations of all sizes and across sectors
  • New to this edition: changes in global regulation (including GDPR) and updates to standards in the ISO/IEC 27000 family, BS 7799-3:2017 (information security risk management) and the latest standards on auditing
  • Covers topics such as risk assessment, asset management, controls, security, supplier relationships and compliance


Contents:

Chapter 1: Why is information security necessary? • The nature of information security threats • Information insecurity • Impacts of information security threats • Cybercrime • Cyberwar • Advanced persistent threat • Future risks • Legislation • Benefits of an information security management system

Chapter 2: The Corporate Governance Code, the FRC Risk Guidance and Sarbanes-Oxley • The Combined Code • The Turnbull Report • The Corporate Governance Code • Sarbanes-Oxley • Enterprise risk management • Regulatory compliance • IT governance

Chapter 3: ISO27001 • Benefits of certification • The history of ISO27001 and ISO27002 • The ISO/IEC 27000 series of standards • Use of the standard • ISO/IEC 27002 • Continual improvement, Plan–Do–Check–Act, and process approach • Structured approach to implementation • Management system integration • Documentation • Continual improvement and metrics

Chapter 4: Organizing information security • Internal organization • Management review • The information security manager • The cross-functional management forum • The ISO27001 project group • Specialist information security advice • Segregation of duties • Contact with special interest groups • Contact with authorities • Information security in project management • Independent review of information security • Summary

Chapter 5: Information security policy and scope • Context of the organization • Information security policy • A policy statement • Costs and the monitoring of progress

Chapter 6: The risk assessment and Statement of Applicability • Establishing security requirements • Risks, impacts and risk management • Cyber Essentials • Selection of controls and Statement of Applicability • Statement of Applicability Example • Gap analysis • Risk assessment tools • Risk treatment plan • Measures of effectiveness

Chapter 7: Mobile devices • Mobile devices and teleworking • Teleworking

Chapter 8: Human resources security • Job descriptions and competency requirements • Screening • Terms and conditions of employment • During employment • Disciplinary process • Termination or change of employment

Chapter 9: Asset management • Asset owners • Inventory • Acceptable use of assets • Information classification • Unified classification markings • Government classification markings • Information lifecycle • Information labelling and handling • Non-disclosure agreements and trusted partners

Chapter 10: Media handling • Physical media in transit

Chapter 11: Access control • Hackers • Hacker techniques • System configuration • Access control policy • Network Access Control

Chapter 12: User access management • User access provisioning

Chapter 13: System and application access control • Secure log-on procedures • Password management system • Use of privileged utility programs • Access control to program source code

Chapter 14: Cryptography • Encryption • Public key infrastructure • Digital signatures • Non-repudiation services • Key management

Chapter 15: Physical and environmental security • Secure areas • Delivery and loading areas

Chapter 16: Equipment security • Equipment siting and protection • Supporting utilities • Cabling security • Equipment maintenance • Removal of assets • Security of equipment and assets off-premises • Secure disposal or reuse of equipment • Clear desk and clear screen policy

Chapter 17: Operations security • Documented operating procedures • Change management • Separation of development, testing and operational environments • Back-up

Chapter 18: Controls against malicious software (malware) • Viruses, worms, Trojans and rootkits • Spyware • Anti-malware software • Hoax messages and Ransomware • Phishing and pharming • Anti-malware controls • Airborne viruses • Technical vulnerability management • Information Systems Audits

Chapter 19: Communications management • Network security management

Chapter 20: Exchanges of information • Information transfer policies and procedures • Agreements on information transfers • E-mail and social media • Security risks in e-mail • Spam • Misuse of the internet • Internet acceptable use policy • Social media

Chapter 21: System acquisition, development and maintenance • Security requirements analysis and specification • Securing application services on public networks • E-commerce issues • Security technologies • Server security • Server virtualization • Protecting application services transactions

Chapter 22: Development and support processes • Secure development policy • Secure systems engineering principles • Secure development environment • Security and acceptance testing

Chapter 23: Supplier relationships • Information security policy for supplier relationships • Addressing security within supplier agreements • ICT supply chain • Monitoring and review of supplier services • Managing changes to supplier services

Chapter 24: Monitoring and information security incident management • Logging and monitoring • Information security events and incidents • Incident management – responsibilities and procedures • Reporting information security events • Reporting software malfunctions • Assessment of and decision on information security events • Response to information security incidents • Legal admissibility

Chapter 25: Business and information security continuity management • ISO22301 • The business continuity management process • Business continuity and risk assessment • Developing and implementing continuity plans • Business continuity planning framework • Testing, maintaining and reassessing business continuity plans • Information security continuity

Chapter 26: Compliance • Identification of applicable legislation • Intellectual property rights • Protection of organizational records • Privacy and protection of personally identifiable information • Regulation of cryptographic controls • Compliance with security policies and standards • Information systems audit considerations

Chapter 27: The ISO27001 audit • Selection of auditors • Initial audit • Preparation for audit • Terminology


Appendix 1: Useful websites

Appendix 2: Further reading


About the Authors:

Alan Calder is a founder-director of IT Governance Ltd, which provides IT governance and information security services through its website www.itgovernance.co.uk. He is the author of Corporate Governance, IT Governance and International IT Governance, all published by Kogan Page.

Steve Watkins is Corporate Services Manager of HMCPSI and was Head of Quality and Operations at Focus Central London and, before that, Quality Manager at Business Link. Alan Calder and Steve Watkins were responsible for one of the first companies (BLLCP) to achieve BS 7799 registration when the standard was first promulgated in 1996. They have since aided other organisations to implement effective information security management systems, and have been involved in the development of both the accredited certification scheme and related training standards. Steve Watkins is also a director at IT Governance, Chair of the ISO/IEC 27001 User Group (the UK Chapter of the ISMS International User Group) and a contracted Technical Assessor for UKAS, assessing certification bodies offering ISMS/ISO 27001 and ITSMS/ISO 20000-1 accredited certification. He sits on the UK national standards body’s technical committees RM/1 (risk management), IST/33 (information technology - security techniques) and sub-committee IST/33/1 (information security management systems), and is Chair of IST/33/1 Panel 2 (certification and audits), which is responsible for the UK’s contributions to standards including ISO 27006, 27007, 27008 and 27021.

Target Audience:

This book provides guidance for companies looking to protect and enhance their information security management systems (ISMS) and protect themselves against cyber threats.


Special prices are applicable to the authorised sales territory only.
Prices are subject to change without prior notice.