Books by Alan Calder

Implement an effective and compliant information security management system using IT governance best practice.

Step-by-step guidance on a successful ISO 27001 implementation from an industry leaderResilience against cyber attacks requires an organization to defend itself across all of its attack surface: people, processes, and technology. ISO 27001 is the international standard that sets out the requirements of an information security management system (ISMS) – a holistic approach to information security that encompasses people, processes, and technology. Accredited certification to the Standard is recognized worldwide as the hallmark of best-practice information security management.Achieving and maintaining accredited certification to ISO 27001 can be complicated, especially for those who are new to the Standard.Alan Calder knows ISO 27001 inside out: the founder and executive chairman of IT Governance, he led the implementation of the management system that achieved the world’s first accredited certification to BS 7799 – the forerunner to ISO 27001 – and has been working with the Standard ever since. Hundreds of organizations around the world have achieved accredited certification to ISO 27001 with IT Governance’s guidance, which is distilled in this book.In Nine Steps to Success – An ISO 27001 Implementation Overview, Alan provides a comprehensive overview of how to lead an ISO 27001-compliant ISMS implementation in just nine steps.Product overviewAligned with the latest iteration of ISO 27001:2013, this third edition of the original, no-nonsense guide to successful ISO 27001 certification is ideal for anyone tackling ISO 27001 for the first time. In nine critical steps, the guide covers each element of the ISO 27001 project in simple, non-technical language. There is a special focus on how US organizations can tackle this governance.Aligned with the latest iteration of ISO 27001:2013, this book is ideal for anyone tackling ISO 27001 for the first time, and covers each element of the ISO 27001 project in simple, non-technical language, including:Getting management support and keeping the board’s attentionCreating a management framework and performing a gap analysis so that you can clearly understand the controls you already have in place, and identify where you need to focusStructuring and resourcing your project, including advice on whether to use a consultant or do it yourself, and examining the tools and resources that will make your job easierConducting a five-step risk assessment, and creating a Statement of Applicability (SoA) and risk treatment plan (RTP)Guidance on integrating your ISO 27001 ISMS with an ISO 9001 quality management system (QMS) and other management systemsAddressing the documentation challenges you’ll face as you create business policies, procedures, work instructions, and records – including viable alternatives to a costly trial-and-error approachContinual improvement of your ISMS, including internal auditing and testing, and management reviewThe six secrets to certification success.If you’re tackling ISO 27001 for the first time, Nine Steps to Success – An ISO 27001 Implementation Overview will give you the guidance you need to understand the Standard’s requirements and ensure your implementation project is a success – from inception to certification. 

A clear, concise primer on the GDPRThe GDPR aims to unify data protection and ease the flow of personal data across the EU. It applies to every organisation in the world that handles EU residents' personal data.While the GDPR is not law in countries outside the EU, it is effectively part of the legislative environment for organisations that do business with the EU. This is enforced through a combination of international trade law and business pressure - after all, a partner in the EU is unlikely to want to risk engaging with a company in the US, Australia or Singapore (or anywhere else) that will put them at risk.EU GDPR - An international guide to compliance is the ideal resource for anyone wanting a clear primer on the principles of data protection and their obligations under the GDPR.A concise pocket guide, it will help you understand:The terms and definitions used in the GDPR, including explanations;The key requirements of the GDPR, including:Which fines apply to which Articles;The principles that should be applied to any collection and processing of personal data;The Regulation's applicability;Data subjects' rights;Data protection impact assessments;The data protection officer role and whether you need one;Data breaches, and notifying supervisory authorities and data subjects; andObligations for international data transfers.How to comply with the Regulation, including:Understanding your data, and where and how it is used (e.g. Cloud suppliers, physical records);The documentation you must maintain (such as statements of the information you collect and process, records of data subject consent, processes for protecting personal data); andThe "appropriate technical and organisational measures" you need to take to ensure compliance with the Regulation.A full index of the Regulation, enabling you to find relevant Articles quickly and easily.Supplemental material While most of the EU GDPR's requirements are broadly unchanged in the UK GDPR, the context is quite different and will have knock-on effects.¿You may need to update contracts regarding EU-UK data transfers, incorporate standard contractual clauses into existing agreements, and update your policies, processes and procedural documentation as a result of these changes. We have published a supplement that sets out specific extra or amended information for this pocket guide. Click here to download the supplement.

Understand the basics of business continuity and ISO 22301:2019 with this concise pocket guide, which will help you ensure your organisation can continue to operate in the event of a disruption.

Cyber Security - Essential principles to secure your organisation takes you through the fundamentals of cyber security, the principles that underpin it, vulnerabilities and threats, and how to defend against attacks.

Understand ISO 38500: the standard for the corporate governance of ITIn the 21st century, IT governance has become a much-discussed topic among IT professionals. An IT governance framework serves to close the gap between the importance of IT and the understanding of IT, helping to improve your organisation's competitive position.ISO/IEC 38500 is the international standard for the corporate governance of information and communication technology. The purpose of the standard is to create a framework to ensure that the board is appropriately involved, and it sets out guiding principles for governing bodies on how to ensure the effective, efficient and acceptable use of IT within their company.This useful pocket guide is an ideal introduction for those wanting to understand more about ISO 38500. It describes the scope, application and objectives of the Standard and outlines its six core principles. It covers: What is ISO/IEC 38500? The corporate governance context Scope, application and objectives Principles and model for good governance of it Implementing the six IT governance principles ISO/IEC 38500 and the IT steering committee Project governance Other IT governance standards and frameworks Integrated frameworksImplement an IT governance framework to improve your organisation's competitive position. Buy this pocket guide today!About the authorAlan Calder is a leading author on IT governance and information security issues. He is Group CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Alan is a frequent media commentator on IT governance and information security issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.

Ideal for risk managers, information security managers, lead implementers, compliance managers and consultants, as well as providing useful background material for auditors, this book will enable readers to develop an ISO 27001-compliant risk assessment framework for their organisation and deliver real, bottom-line business benefits.

This pocket guide is an introduction to the EU's NIS Directive (Directive on security of network and information systems). It outlines the key requirements, details which digital service providers are within scope, and explains how the security objectives from ENISA's Technical Guidelines and international standards can help DSPs achieve compliance. This pocket guide is a primer for any DSP that needs to comply with the NIS Directive.The pocket guide helps DSPs: Gain insight into the NIS Directive and who is regulating it; Identify if they are within the scope of the Directive; Understand the key requirements; and Understand how guidance from international standards and ENISA can help them comply.Your essential guide to understanding the EU's NIS Directive - buy this book today and get the help and guidance you need.

This pocket guide is a primer for any OES (operators of essential services) that needs to comply with the NIS Regulations, and explores who they are, and why the NIS Regulations are different for them.An introduction to the new NIS Regulations 2018 that bring the EU's NIS Directive and Implementing Regulation into UK law.This guide outlines the requirements for operators of essential services based on the Cyber Assessment Framework established by the National Cyber Security Centre (NCSC), including an explanation of the objectives, principles and indicators of good practice, and offers implementation guidance.This guide will help you:Understand how to comply with NIS Regulations, and avoid penalties associated with non-complianceUnravel the key definitions, authorities and points of contactLearn the benefits of a good Cyber Resilience planInterpret and ensure compliance with the Cyber Assessment FrameworkEstablish the NCSC's cyber security objectives, principles and indicators of good practiceYour essential guide to understanding the NIS Regulations - buy this book today and get the help and guidance you need.

This pocket guide is a primer for any DSPs (digital service providers) that needs to comply with the NIS Regulations, and explores who they are, and why the NIS Regulations are different for them.An introduction to the new NIS Regulations 2018 that bring the EU's NIS Directive and Implementing Regulation into UK law. This guide outlines the key requirements, details exactly which digital service providers are within scope, and explains how the security objectives from ENISA's Technical Guidelines and international standards can help DSPs achieve compliance.This guide will help you:Clarify how to identify if you are within the scope of the NIS RegulationsGain an insight into the NIS DirectiveUnravel the key definitions, authorities and points of contactUnderstand the benefits of a good cyber resilience planYour essential guide to understanding the NIS Regulations - buy this book today and get the help and guidance you need.

This concise guide is essential reading for EU organisations wanting an easy to follow overview of the new regulation and the compliance obligations for handling data of EU citizens.The EU General Data Protection Regulation (GDPR) will unify data protection and simplify the use of personal data across the EU, and automatically supersedes member states domestic data protection laws.It will also apply to every organisation in the world that processes personal information of EU residents.The Regulation introduces a number of key changes for all organisations that process EU residents' personal data.EU GDPR: A Pocket Guide provides an essential introduction to this new data protection law, explaining the Regulation and setting out the compliance obligations for EU organisations.This second edition has been updated with improved guidance around related laws such as the NIS Directive and the future ePrivacy Regulation.EU GDPR - A Pocket Guide sets out: A brief history of data protection and national data protection laws in the EU (such as the German BDSG, French LIL and UK DPA). The terms and definitions used in the GDPR, including explanations. The key requirements of the GDPR, including: Which fines apply to which Articles; The six principles that should be applied to any collection and processing of personal data; The Regulation's applicability; Data subjects' rights; Data protection impact assessments (DPIAs); The role of the data protection officer (DPO) and whether you need one; Data breaches, and the notification of supervisory authorities and data subjects; Obligations for international data transfers. How to comply with the Regulation, including: Understanding your data, and where and how it is used (e.g. Cloud suppliers, physical records); The documentation you need to maintain (such as statements of the information you collect and process, records of data subject consent, processes for protecting personal data); The "appropriate technical and organisational measures" you need to take to ensure your compliance with the Regulation. A full index of the Regulation, enabling you to find relevant Articles quickly and easily.Buy your copy today.

This pocket guide serves as an introduction to the National Institute of Standards and Technology (NIST) and to its Cybersecurity Framework (CSF).Now more than ever, organizations need to have a strong and flexible cybersecurity strategy in place in order to both protect themselves and be able to continue business in the event of a successful attack. The NIST CSF is a framework for organizations to manage and mitigate cybersecurity risk based on existing standards, guidelines, and practices.With this pocket guide you can:Adapt the CSF for organizations of any size to implementEstablish an entirely new cybersecurity program, improve an existing one, or simply provide an opportunity to review your cybersecurity practicesBreak down the CSF and understand how other frameworks, such as ISO 27001 and ISO 22301, can integrate into your cybersecurity frameworkBy implementing the CSF in accordance with their needs, organizations can manage cybersecurity risks in the most cost-effective way possible, maximizing the return on investment in the organization's security. This pocket guide also aims to help you take a structured, sensible, risk-based approach to cybersecurity.

Istruzioni per la corretta attuazione della Norma ISO 27001Con un linguaggio funzionale e scevro da tecnicismi, questa guida ti accompagnerà lungo le fasi principali di un progetto ISO 27001 per garantirne il successo - dalla fase iniziale fino alla certificazione finale: Mandato dell progetto Avvio del progetto Avvio del SGSI Quadro di gestione Criteri di sicurezza basilari Gestione del rischio Attuazione. Misurazione, monitoraggio e riesame CertificazioneOra alla sua terza edizione e allineata a ISO 27001:2013, questa guida è ideale per tutti coloro che sono chiamati per la prima volta a cimentarsi con questo Standard."È come trovarsi gomito a gomito con un consulente da 300 dollari all'ora a considerare tutti gli aspetti legati al conseguimento del sostegno della direzione, alla pianificazione, alla definizione degli ambiti, alla comunicazione di gestione, ecc."Thomas F. WitwickiCon questo libro scoprirai come: Conseguire il sostegno della direzione e mantenere l'attenzione del consiglio; Creare un guadro di gestione ed eseguire una gap analysis, in modo da poter comprendere chiaramente i controlli già in atto e identificare dove concentrare i propri sforzi; Strutturare e fornire risorse al tuo progetto - con consigli che ti aiuteranno a decidere se avvalerti di consulenti o fare tutto da solo, e a esaminare gli strumenti e le risorse disponibili che possono facilitarti il lavoro; Condurre una valutazione dei rischi in cinque fasi, e creare una Dichiarazione di Applicabilità e un piano di trattamento dei rischi; Integrare il tuo SGSI ISO 27001 con un QMS ISO 9001 ed altri sistemi di gestione; Affrontare le sfide legate alla documentazione che incontrerai sul tuo cammino mentre formulerai politiche aziendali, procedure, istruzioni operative e documenti di registrazione - tra cui alternative sostenibili a un dispendioso approccio euristico; Migliorare continuamente il tuo SGSI, con gli audit e le verifiche interne e il riesame della direzione;Questa pubblicazione ti fornirà la guida necessaria per comprendere i requisiti dello Standard e garantire la riuscita del tuo progetto di attuazione, che racchiude sei segreti che conducono al successo della certificazione.BackgroundIl conseguimento e il mantenimento della certificazione accreditata secondo lo standard internazionale per la gestione della sicurezza delle informazioni - ISO 27001 - può essere un'impresa complicata, soprattutto per i non addetti ai lavori.L'autore, Alan Calder conosce a fondo la norma ISO 27001: egli è il fondatore e il presidente esecutivo di IT Governance, ha diretto l'attuazione del primo sistema di gestione che ha conseguito la certificazione secondo BS 7799 - il precursore della norma ISO 27001 - e da allora non ha mai smesso di lavorare con il citato Standard.

Proteja la información de su organización con la ISO27001:2013La información es uno de los recursos más importantes de su organización y mantener esa información segura es vital para su negocio. Esta guía de bolsillo útil es una visión de conjunto esencial sobre las dos normas de la seguridad de la información clave que cubren los requisitos formales (ISO27001:2013) para crear un Sistema de Gestión de la Seguridad de la Información (SGSI) y las recomendaciones de mejores prácticas (ISO27002:2013) para aquellos responsables de iniciar, implementar o mantenerlo.Un SGSI basado en la ISO27001/ISO27002 ofrece un sinfín de beneficios: Eficacia mejorada implantando procedimientos y sistemas de seguridad de la información, que le permiten concentrarse en su actividad empresarial principal. Protege sus activos de información de un amplio abanico de ciberamenazas, actividad criminal, compromiso de información privilegiada y fallo del sistema. Gestione sus riesgos sistemáticamente y establezca planes para eliminar o reducir las ciberamenazas. Permite la detección temprana de amenazas o errores de procesamiento y una solicuón más rápida¿Siguiente paso para la certificación?Puede organizar una auditoría independiente de su SGSI frente a las especificaciones de la ISO27001 y, si su SGSI se ajusta, finalmente logra la certificación acreditada. Publicamos una variedad de libros y herramientas de documentación del SGSI (como Nueve pasos para el éxito) para ayudarle a lograr esto.Índice La familia de normas de la seguridad de la información ISO-/IEC 27000; Historia de las Normas; Especificación frente al Código de Prácticas; Proceso de certificación; El SGSI y la ISO27001; Visión de conjunto de la ISO/IEC 27001:2013; Visión de conjunto de la ISO/IEC 27002:2013; Documentación y registros; Responsabilidad de la gestión; Enfoque del proceso y el ciclo PDCA; Contexto, política y alcance; Evaluación del riesgo; La declaración de aplicabilidad (SoA); Implementación; 15. Verificar y actuar; Revisión gerencial; ISO27001; Anexo AAcerca del autorAlan Calder es el fundador y presidente ejecutivo de IT Governance Ltd, una empresa de información, asesoramiento y consultoría que ayuda a los consejos de administración de empresas a abordar problemas de gobierno de TI, gestión del riesgo, cumplimiento y seguridad de la información. Tiene muchos años de experiencia en alta gerencia en los sectores públicos y privados.Una guía de bolsillo que proporciona una visión de conjunto esencial de dos normas de la seguridad de la información clave, cómprela hoy y aprenda cómo proteger el activo más importante de su organización.

Proteggi le informazioni della tua organizzazione con ISO27001:2013Le informazioni costituiscono una delle risorse più importanti della tua organizzazione, e proteggerne la sicurezza è di importanza vitale per la tua attività. Questa pratica guida tascabile costituisce una panoramica essenziale di due norme di sicurezza delle informazioni che prende in esame i requisiti formali (ISO27001:2013) per la creazione di un Sistema di Gestione della Sicurezza delle Informazioni (SGSI), e le procedure consigliate (ISO27002:2013) rivolte ai responsabili dell'avvio, dell'attuazione o del mantenimento di tale sistema.Un SGSI basato sulle norme ISO27001/ISO27002 presenta numerosi vantaggi: Una maggiore efficienza derivante dalla messa in atto di sistemi e procedure di sicurezza delle informazioni, consentendoti di concentrarti maggiormente sul tuo core business. Protegge il tuo patrimonio informativo da un gran numero di minacce informatiche, attività criminose, compromissione interna dei dati e errori di sistema. Gestisce i tuoi rischi in modo sistematico e stabilisce piani d'azione per eliminare o ridurre le minacce informatiche. Consente il rilevamento precoce di minacce o errori d'elaborazione e la loro rapida risoluzione.Qualè il passo successivo verso la certificazione?Puoi disporre una verifica indipendente del tuo SGSI per accertarne la conformità alle specifiche dello standard ISO27001 e, in caso di conformità, ottenere quindi la certificazione accreditata. Pubblichiamo una vasta gamma di compendi e libri documentativi sullo standard SGSI (come I Nove Passi Per il Successo) che possono aiutarti a conseguire tale obiettivo.Indice Il gruppo di norme sulla sicurezza delle informazioni ISO/IEC 27000 ; Il contesto delle norme; Specifica e codice di comportamento a confronto; Il processo di certificazione; Il SGSI e l'ISO27001; Panoramica dell'ISO/IEC 27001:2013; Panoramica dell'ISO/IEC 27002:2013; Documentazione e registrazioni; Responsabilità della direzione; Approccio al processo e ciclo PDCA; Contesto, politica e campo di applicazione; Valutazione dei rischi; La dichiarazione di applicabilità; Attuazione; Check and Act; Riesame della direzione; Allegato A ISO27001L'autoreAlan Calder è fondatore e presidente esecutivo di IT Governance Ltd, un'azienda di assistenza e consulenza che aiuta gli organi sociali ad occuparsi di IT governance, gestione dei rischi, conformità e problemi di sicurezza delle informazioni. Alan ha occupato per molti anni incarichi di alto livello sia nel settore pubblico che privato. -Una pratica guida tascabile che offre una panoramica essenziale di due norme sulla sicurezza delle informazioni. Acquistala oggi stesso e apprendi come proteggere il patrimonio più importante della tua organizzazione

A concise introduction to the EU GDPRThe EU General Data Protection Regulation (GDPR) will unify data protection and simplify the use of personal data across the EU from 25 May 2018, when it will automatically supersede member states' domestic data protection laws.It will also apply to every organisation in the world that processes personal information of EU residents.The Regulation introduces a number of key changes for all organisations that process EU residents' personal data.EU GDPR: A Pocket Guide provides an essential introduction to this new data protection law, explaining the Regulation and setting out the compliance obligations for EU organisations. Product overviewEU GDPR - A Pocket Guide sets out: A brief history of data protection and national data protection laws in the EU (such as the German BDSG, French LIL and UK DPA). The terms and definitions used in the GDPR, including explanations. The key requirements of the GDPR, including: Which fines apply to which Articles; The six principles that should be applied to any collection and processing of personal data; The Regulation's applicability; Data subjects' rights; Data protection impact assessments (DPIAs); The role of the data protection officer (DPO) and whether you need one; Data breaches, and the notification of supervisory authorities and data subjects; Obligations for international data transfers. How to comply with the Regulation, including: Understanding your data, and where and how it is used (e.g. Cloud suppliers, physical records); The documentation you need to maintain (such as statements of the information you collect and process, records of data subject consent, processes for protecting personal data); The "appropriate technical and organisational measures" you need to take to ensure your compliance with the Regulation. A full index of the Regulation, enabling you to find relevant Articles quickly and easily. About the authorAlan Calder, the founder and executive chairman of IT Governance Ltd, is an internationally acknowledged cyber security expert, and a leading author on information security and IT governance issues. He co-wrote the definitive compliance guide IT Governance: An International Guide to Data Security and ISO27001/ISO27002, which is the basis for the Open University's postgraduate course on information security, and has been involved in the development of a wide range of information security management training courses that have been accredited by the International Board for IT Governance Qualifications (IBITGQ). Alan has consulted on data security for numerous clients in the UK and abroad, and is a regular media commentator and speaker.Quickly understand your new obligations under the EU GDPR, and learn what steps you need to take to avoid costly fines.

The perfect introduction to the principles of information security management and ISO27001:2013

In corporate governance environment, where the value and importance of intellectual assets are significant, boards must be seen to extend the core governance principles - setting strategic aims, and overseeing and monitoring the performance of executive management - to the organisation's intellectual capital, information and IT.

Provides the reader with a basic understanding of how an organization's Information Technology supports and enables the achievement of its strategies and objectives. This pocket guide describes the drivers for IT governance; why it matters; and, the relationship between IT governance, risk management, information risk and project governance.

Information is the currency of the information age and in many cases is the most valuable asset possessed by an organisation. Information security management is the discipline that focuses on protecting and securing these assets against the threats of natural disasters, fraud and other criminal activity, user error and system failure. Effective information security can be defined as the ‘preservation of confidentiality, integrity and availability of information.’ This book describes the approach taken by many organisations to realise these objectives. It discusses how information security cannot be achieved through technological means alone, but should include factors such as the organisation’s approach to risk and pragmatic day-to-day business operations. This Management Guide provides an overview of the implementation of an Information Security Management System that conforms to the requirements of ISO/IEC 27001:2005 and which uses controls derived from ISO/IEC 17799:2005. It covers the following: CertificationRiskDocumentation and Project Management issuesProcess approach and the PDCA cyclePreparation for an Audit