Guide to the Implementation and Auditing of ISMS Controls based on ISO/IEC 27001

Bridget Kenyon and Edward Humphreys

Published by

Reviewed by

Mehmet Hurer B.Sc (Hons) MBCS CITP CEng

9 out of 10

This is one in a series of five books published by the BSI to accompany the 2013 edition of the ISO/IEC 27001 standard. The series is designed to help the reader prepare for, and maintain, certification against this standard.

This third book of the series provides more detail about each of the requirements and implementation controls of the standard. The authors approach this from two viewpoints: implementation guidance and auditing guidance.

The implementation guidance describes what needs to be considered in order to achieve compliance with the requirements. Such guidance can only be generic, as the actual implementation will be specific to each organisation. For example, cryptography principles and considerations are mentioned, but the specific type of encryption and technology is not discussed. However, examples are given throughout.

The auditing guidance describes what evidence an auditor should look for in order to be satisfied that the requirement has been met. Again, several examples of the type of evidence are given throughout. Obviously, this section will also be of use to the implementer as a means of confirming that their implementation, and the evidence supporting it, will be sufficient to pass an audit.

This book provides a great place to start for anyone looking to implement ISMS processes and security controls; the implementation detail is comprehensive and supplemented with good examples. Similarly, for anyone involved in internal or external audits, or wanting to understand what evidence would be required for such audits, the authors provide comprehensive descriptions and examples. Of all five books in the series, you will definitely want a copy of this one!

Further information: BSI

December 2013