Font Size: A A A

Home > Reviews > IT Governance

IT Governance

Author Alan Calder and Steve Watkins

ISBN No 9780749496951

Review date 13/08/2022

No of pages 383

Publisher Kogan Page

Publisher URL https://www.koganpage.com/product/it-governance-9780749496951

Year of publication 19/05/2020

Brief

Our Review

price

£ 49.99 paperback

This is the seventh edition of IT Governance; sub-titled, An International Guide to Data Security and ISO 27001/ISO 27002.

At the very beginning the authors suggest they are aiming their work at 'forward-looking executives and managers'; in other words, not IT or security or other specialists. That makes sense because of the six reasons they offer - briefly, because of all the uses of information technology; banks and others working on the basis of risk management; data protection and other regulation, especially since GDPR has come in, meaning 'the need for an over-arching information security framework that can provide context and coherence to compliance activity'; information as 'intellectual capital value'; global threats 'particularly in cyberspace'; and the international standard for information security management ISO 27001 as a best practice that you can ask suppliers to meet.

Just as this book in its various editions has been around for nearly 20 years as a guide, so 27001 - and its previous British Standard - is of particular use to the security manager, as the standard covers info-, personnel and physical security alike. The 27 chapters reflect this, as they equally cover cryptography as access control (of a building, and a network), screening of employees, security of equipment such as cables, and controls against malicious software (malware).

It's striking, then, how wide-ranging this book is, and how it can amount to a textbook for any security professional - as it takes in not only the physical-world and cyber security to look after, but supplier relationships (what's the good of having your own buildings and networks secured, if an attacker, whether a mischievous kid or a nation state after intellectual property, gets the data by hacking into one of your suppliers?), incident management and monitoring.

What's true of 27001 is true of ISO standards in general; they are not things you achieve and then get on with whatever it is you do for a living; 27001 is a process, that can apply to any size or type of organisation, and that should reflect your organisation's style and risk assessments. After any security incident, and in any case at least once a year, you review; not least because the threats to info-security are evolving, 'as fast as the information technology that supports it'.

The book to its credit notes very early on that 27001 is not a product badge or a guarantee of anything; 'it is merely an indicator, particularly to third parties, that the objective of achieving appropriate security is being effectively pursued. Information security is, in the terms of the cliche, a journey, not a destination.'

It's a weighty book but then it's a weighty subject, and it makes a sound case for taking info-security seriously, given that information is the lifeblood of business, and disruption has impact - whether a loss of IT service, or a data breach and damage to reputation and the costs of an IT clean-up.

If you actually seek to go through with an audit to be certified to 27001, a chapter at the end takes you through from selecting an auditor. While the book admits that there's a debate whether 27001 can be simply a process you go through, rather than a piece of paper to seek (though the market is moving towards that, the authors suggest), trends in threats to computer-based info-security are making things worse - working from devices at home (bringing opportunities for those that seek to break into a network), more spam, better hacker tools, wireless tech exposing info to casual access; and most people with enough computer experience to pose a threat, if they wanted to apply themselves.

As the authors say, 'the only sensible option is to carry out a thorough assessment of the risks', and to take a systematic approach; which the authors duly take throughout their important and readable book.