This title covers the implementation issues of the information security standards up to and including audits. Pivotal to this it covers the installation of an ISMS, or Information Security Management System. This is defined as ‘that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security. The management system includes organisational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.’

Effective information security is defined in the Standard as the ‘preservation of confidentiality, integrity and availability of information.’ It cannot be achieved through technological means alone, and should never be implemented in a way that is either out of line with the organisation’s approach to risk or which undermines or creates difficulties for its business operations.

The ISMS includes ‘organisational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources’ and is a structured, coherent management approach to information security. It should be designed to ensure the effective interaction of the three key attributes of information security:

• Process (or Procedure)
• Technology
• Behaviour

The book covers cultural and organisational issues that are key for successful adoption and certification. It covers strategic business decision-making and makes recommendations as to Board input. It notes that the design and implementation of the ISMS should be directly influenced by the organisation’s ‘needs and objectives, security requirements, the processes employed and the size and structure of the organisation.’