Review: Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own


Implementing ISO 27001

About the author

Dejan Kosutic is the author of numerous articles, tutorials, documentation templates, webinars, and courses about information security and business continuity management. He has helped various organizations implement information security management according to these standards.

Inside Secure & Simple

Complying with a globally accepted standard is the easiest way for companies to prove to their customers and partners how serious they are about something. ISO 27001 is the most popular information security standard worldwide, and a company that has successfully implemented it effectively proves that it cares about the security of the information it handles and uses, i.e. that it wants to assure its confidentiality, integrity, and availability. At this point it’s also good to remember that information security does not equal IT security – information can come in forms other than the digital one.

If you are an infosec professional or a head of an IT department tasked with implementing ISO 27001 in a small or mid-sized company (i.e. up to 500 employees), this book is for you. First, you need to buy and read the standard – this book is not a replacement for it. But once you’ve done that, this book will take you through the implementation process, one step at a time.

The first two chapters explain what ISO 27001 is, exactly, what it is meant to do, and dispel some of the most common myths about it. The next nine, meant to be read and their contents implemented in that exact order, address topics like:

  • Getting the buy-in from management and employees
  • Preparing for the implementation of the standard
  • First steps in the project
  • Non-security aspects of information security management
  • Risk management
  • Implementation of security controls, operational planning and control
  • The 114 security controls in Annex A of ISO 27001
  • Internal checks and audits for evaluating the effectiveness of the information security management system (ISMS) that has been set up
  • How to make sure that your company passes the certification audit.

Every chapter is chock-full of to-the-point advice and tips, presented in a way that will make you feel like you asked a real person about it – a person that wants to help you, and not prove that they are smarter than you. Everything is explained very concisely and, most importantly, so clearly that it leaves no room for misunderstanding or lack of understanding.

Next, the book offers advice on how to become a professional ISO 27001 implementer, auditor or consultant, and presents standards and frameworks related to ISO 27001.

Finally, there is a chapter of mini case studies – short stories that include a lot of problem-solving – on how to perform particular steps towards certification, for example how to perform a risk assessment in a small hospital, or how to list the interested parties and their requirements in a European bank.

The dozen or so appendices provide things like a diagram of ISO 27001 implementation, project checklists and templates, an insight into the mind of an ISO auditor, and so on.

Final thoughts

Throughout the book, the author points out that while achieving certification against the standard is great for business, the most important thing is that with it comes improved information security and, therefore, improved resilience against infosec incidents. And even if you aren’t aiming at getting the certification, this book is a great resource for achieving that.

Also, please note that this book does not contain information about the technology a company should use to achieve the various goals, but it will help you make technology-related decisions.