Calder, a consultant in information technology (IT) governance, compliance, risk management, and information security, and Watkins, who works in management system standards, offer a guide for companies to protecting and improving their information security management systems and meeting the ISO (International Organization for Standardization) standards. They explain the topic from the perspective of the director or business manager, rather than the IT specialist, and focus on the strategic and operational aspects of information security. They describe the UK Combined Code, the FRC (Financial Reporting Council) Risk Guidance, and the Sarbanes-Oxley Act; the ISO27001 standard; organizing information security; information security policy and scope; mobile devices; human resources, physical and environmental, and equipment and operations security; asset management; media handling; access control; user access management; system and application access control; cryptography; controls against malicious software; communications management; exchanges of information; system acquisition, development, and maintenance; development and support processes; supplier relationships; monitoring and information security incident management; business and information security continuity management; compliance; and the ISO27001 audit. This edition has been updated to incorporate current cyber security and advanced persistent threats and recent regulatory and technological developments, including 2013 updates to ISO27001/ISO27002, and key international markets, including the UK, North America, European Union, and Asia Pacific. It includes changes to data-related regulations in different jurisdictions and compliance, the new continual improvement model that replaces Plan-Do-Check-Act in the previous ISO standard, new developments in cyber risk and mitigation practices, and the new information security risk assessment process. Annotation ©2015 Ringgold, Inc., Portland, OR (protoview.com)