08 Oct 11. Book Review: Security Risk Management – Building an Information Security Risk Management Program from the Ground Up
Available in paperback only at the present time and running to 339 pages, this book provides a good grounding in its subject matter: security risk management. The back cover describes the book as presenting a roadmap for designing and implementing a security risk management program, and in my view it largely delivers on this promise, both for individuals and for teams engaged in risk identification and management. The book is packed with practical tips, and the information contained throughout provides a good overview of the subject. The author explains the fundamentals of risk identification, assessment and management, explores the differences between a vulnerability assessment and a risk assessment, and provides the rationale behind each of the subjects covered. He articulates security risk management in business terms well and has taken care to explain each piece of jargon when it is first used; he also covers the majority of the jargon in everyday use amongst security professionals. From a practical perspective, the author walks through the risk management lifecycle, describes methodologies for qualifying and quantifying risk and levels of risk, and gives examples of how these can best be described and presented at senior management level. He draws a direct comparison between analyzing and assessing business risk (trust me, these are not the same thing!). This is not a technical book, and the author generally avoids detailed technical analysis; rather, it is an aide-mémoire for security risk management. Sufficient information is provided throughout, with practical examples and advice, to enhance the reader's understanding of each phase of the risk management lifecycle. (Source: Len Zuga/INFOSEC)
