Information Risk Management

David Sutton

Published by

Reviewed by

Mehmet Hurer B.Sc (Hons) MBCS CITP CEng


10 out of 10

This book provides a practical guide to implementing an information risk management process. The author takes you logically through the steps required to identify, assess and manage information risks within an organisation.

The book is written in layman’s terms, with very clear definitions and glossaries throughout. The author also clarifies terms that are often used interchangeably or incorrectly and explains why they are different, such as the difference between likelihood and probability, and events and incidents.

After discussing the fundamental concepts in the first few chapters, each subsequent chapter covers in detail each step within the overall risk management process. Each step is explained clearly, supported by several generic examples, such as examples of threats and vulnerabilities, as well as the types of controls to treat risk. Ways of presenting the risks, as well as supporting business cases, are also discussed.

The latter half of the book has a wealth of information, covering the CESG scheme, HMG security-related documents, such as the security policy framework and UK Government security classification scheme, typical threats and hazards, typical vulnerabilities, risk controls, methodologies and tools, and templates. There are references throughout to any appropriate standards, such as ISO27001 and ISO27005.

This book is well written and illustrated throughout, covering the subject area to a sufficient level of detail for both novices and experienced practitioners requiring a refresher. A very practical and complete guide to managing risks within an organisation.

Further information: BCS

January 2015