    Fundamentals of Information Risk Management Auditing

    By Chris Wright

    About

    Protect your organisation from information security risks

    This book will be particularly useful for anyone involved in the audit of information security and risk in all organizations that have related issues and concerns. It provides practical approaches to address information risk auditing, even for those with limited technical knowledge. This approach provides understandable examples, which will help readers to consider different aspects, methods and technical options when auditing information security and risk.

    Antonio Velasco, CEO of Sinersys Technologies



    For any modern business to thrive, it must assess, control and audit the risks it faces in a manner appropriate to its risk appetite. As information-based risks and threats continue to proliferate, it is essential that they are addressed as an integral component of your enterprise’s risk management strategy, not in isolation. They must be identified, documented, assessed and managed, and assigned to risk owners so that they can be mitigated and audited.

    Fundamentals of Information Risk Management Auditing provides insight and guidance on this practice for those considering a career in information risk management, and an introduction for non-specialists, such as those managing technical specialists.



    Product overview

    Fundamentals of Information Risk Management Auditing – An Introduction for Managers and Auditors has four main parts:
    I. What is risk and why is it important?
    An introduction to general risk management and information risk.

    II. Introduction to general IS and management risks
    An overview of general information security controls, and controls over the operation and management of information security, plus risks and controls for the confidentiality, integrity and availability of information.

    III. Introduction to application controls
    An introduction to application controls, the controls built into systems to ensure that they process data accurately and completely.

    IV. Life as an information risk management specialist/auditor
    A guide for those considering, or undergoing, a career in information risk management.




    Each chapter contains an overview of the risks and controls that you may encounter when performing an audit of information risk, together with suggested mitigation approaches based on those risks and controls.

    Chapter summaries provide an overview of the salient points for easy reference, and case studies illustrate how those points are relevant to businesses.

    The book concludes with an examination of the skills and qualifications necessary for an information risk management auditor, an overview of typical job responsibilities, and an examination of the professional and ethical standards that an information risk auditor should adhere to.



    Topics covered

    Fundamentals of Information Risk Management Auditing covers, among other subjects, the three lines of defence; change management; service management; disaster planning; frameworks and approaches, including Agile, COBIT®5, CRAMM, PRINCE2®, ITIL® and PMBOK; international standards, including ISO 31000, ISO 27001, ISO 22301 and ISO 38500; the UK Government's Cyber Essentials scheme; IT security controls; and application controls.



    Contents
    Part I: What is risk and why is it important?
    Chapter 1: Risks and controls
    Chapter 2: Enterprise risk management (ERM) frameworks
    Chapter 3: Risk management assurance and audit
    Chapter 4: Information risks and frameworks
    Part II: Introduction to general IT and management risks
    Chapter 5: Overview of general IT and management risks
    Chapter 6: Security and data privacy
    Chapter 7: System development and change control
    Chapter 8: Service management and disaster planning
    Part III: Introduction to Application controls
    Chapter 9: Overview of application controls (Integrity)
    Part IV: Life as an Information Risk Management specialist
    Chapter 10: Planning, running and reviewing information risk manag