Nine Steps to Success

Author Alan Calder

ISBN No 9781849288231

Review date 26/06/2019

No of pages 130

Publisher IT Governance

Year of publication 16/09/2016


Nine Steps to Success: An ISO 27001:2013 implementation review

An updated guide to using the international standard for information security management, by a man who's been there, is as welcome as ever, writes Mark Rowe.

What I like about the books on information security that come out of IT Governance are two things. First, they cover the technical side of infosec: standards such as ISO 27001 for information security management, which cover physical security besides IT controls on those zeroes and ones. The second thing is that there’s more to information security than that, the pressing of buttons and the control, the moving or not, of data. There’s the heart and soul of information security inside people’s minds - and if there are different metaphors there, that is to illustrate how hard it is to pin down the invisible thought processes of people who do infosec, whether the relative handful of specialists, as part of IT or security departments, or the great majority of the rest of us, who may secure data assets badly or not at all. Often it's not computers that are hacked, at least not at first; it's people.

As the founder of IT Governance, Alan Calder gets this, as seen in the third edition of his Nine Steps to Success: An ISO 27001:2013 implementation review. The earlier editions came out in 2005 and 2013. The development of standards can indeed take years, and meanwhile the threats to assets don’t go away nor stop developing (and don’t forget also those outsourced!?).

The author goes through how to gain the international standard in project terms. Know your objectives, get the necessary support of senior managers, put a team together, plan, and integrate with security management systems, or quality systems such as ISO 9001, already in place. If you already have 9001, as you will if you are an NSI-inspected company for example, Calder suggests you’re ‘extending an existing management system to include information security management, not bringing in a whole new system’. In other words, the author is alive to the reality that doing infosec is like a mountain to climb; and most organisations are in the business of whatever it is they do, not to gather management certifications.

Calder has been long enough in the field to know it in the days of the British Standard, BS 7799, and indeed even before then, when it was ‘essentially, a code of practice’. So yes, the project has to pass an exam at the end, an audit, but it’s for a business purpose, and staff have to be aware of it; nor is gaining the certificate a one-off. The book’s title is Nine Steps to Success and it duly has nine chapters, ending with (as with any ISO quality standard) measuring, monitoring and review. 27001 is also about risk management (and the book has one chapter devoted to that). You go through a process; at the heart of your work should be the assessing of those risks, what impacts they have, and the controls - which may be a policy document, or a procedure, or pieces of kit or staff. “Please note that information security controls are not simply technical in nature,” Calder properly points out. To guard against malware that corrupts a computer system (and may do the IT equivalent of shredding your records), you need anti-malware software, but more than that: ‘a mix of technology, process and correct behaviour’. What’s the point of doing something about email, if staff get around what they see as restrictions, by using instant messaging, on wireless, hand-held devices?!

One quibble might be that the price is a bit steep for quite a short book; but the publisher can counter that for your money you are getting a career's experience. And as ever, how does the price of a book compare with a training course?!

This sensible book recognises that you cannot be risk-free and things will go wrong (‘the business does, after all, exist within a risk framework ... there is little point in proposing to control every risk’). And everything has to be ‘cost-effective’. It’s a helpful read, therefore, even if you don’t want to do what the book sets out, namely take your organisation to the 27001 standard. Although plenty of businesses are in regulated fields, and require for example PCI accreditation for use of credit card data, Calder says ‘relatively small numbers of people’ have ‘meaningful ISO 27001 experience’. While there are no, or should not be any, short-cuts in quality management, this ‘Nine Steps’ book can help you take first steps. Or indeed the final steps; the author points out that if you try to suggest to the auditors that all’s perfect, that ‘will provoke incredulity ... they have learned, through long experience, that no system is without flaws and that every attempt to pretend to perfection hides a myriad of previously undetected imperfections’. So don’t encourage auditors to start looking for them!?