Information Security Risk Management

Edward Humphreys

Published by






Reviewed by

Mehmet Hurer CEng MBCS CITP


9 out of 10

Information Security Risk ManagementThe author is well placed to write this book, since he is recognised as the ‘father of the ISO/IEC 27000 family of ISMS standards’.

Having some experience of the 27001 standard I found the book very easy to read, but I wouldn’t say this is a prerequisite for the book. The author presents the sections of the standard in a logical manner, giving the reader sufficient understanding of what is required for an information security management system. 

Sections include creating a risk management framework, carrying out a risk assessment, options for managing risks, selection and implementation of risk controls, monitoring and reviewing risks, improving risk controls and a documentation system. Annexes include definitions, examples of compliance, examples of assets, threats, vulnerabilities and risk assessment methods and selection of risk management tools. 

Each section is pretty complete and presented in an easy to understand manner. The combination of the standards-based contents supplemented with clear explanations and illustrated with brief case studies works well to make this a very readable book.

If you intend to create an information security management system, then one way to do this would be to read the handbook from cover to cover and use it in combination with a copy of the standard. Additionally getting hold of templates and/or examples would be beneficial.

Whatever your level of experience with information security risk management, the handbook provides a methodical approach to risk management, with clearly defined outputs from each stage, illustrating how these are used as inputs to the next stage of the process. Although many parts of the handbook are duplicated from the standard’s documentation, particularly the annexes, the author brings the standard alive with additional explanations and examples.

Overall a very complete book, with key stages and concepts explained clearly and presented in a methodical manner.

Further Information: BSI

August 2010