Fundamentals of Information Risk Management Auditing: An introduction for managers and auditors

Book Description

An introductory guide to information risk management auditing, giving an interesting and useful insight into the risks and controls/mitigations that you may encounter when performing or managing an audit of information risk. Case studies and chapter summaries impart expert guidance to provide the best grounding in information risk available for risk managers and non-specialists alike.

Table of Contents

  1. Cover
  2. Title
  3. Copyright
  4. Contents
  5. Part I: What is risk and why is it important?
    1. Chapter 1: Risks and controls
      1. Overview
      2. What is risk?
      3. Management of risk
      4. Risk identification and awareness
      5. Documenting risks
      6. Assessing and monitoring risk
      7. Categorisation
      8. Likelihood
      9. Impact
      10. Risk heat maps
      11. Controlling risk
      12. Summary
    2. Chapter 2: Enterprise risk management (ERM) frameworks
      1. Overview
      2. What is enterprise risk management?
      3. Strategic enterprise wide management process
      4. Identify potential risks
      5. Significant impact
      6. Manage them within the entity’s risk appetite
      7. Common ERM frameworks
      8. COSO
      9. The five components
      10. ISO31000
      11. Sarbanes-Oxley
      12. Summary
    3. Chapter 3: Risk management assurance and audit
      1. Overview
      2. Three lines of defence
      3. First line of defence – Business unit staff and management
      4. Second line of defence – Governance, risk and compliance
      5. Third line of defence – Independent assurance from audit and the Board
      6. Segregation of duties between each line
      7. Internal vs external audit
      8. Other forms of IT assurance
      9. Case study
      10. Summary
    4. Chapter 4: Information Risks and Frameworks
      1. Overview
      2. What is information risk?
      3. COBIT 5
      4. ISO frameworks
      5. CRAMM
      6. Summary and key take-aways
  6. Part II: Introduction to General IT and Management Risks
    1. Chapter 5: Overview of General IT and Management Risks
      1. Overview
      2. Reviewing entity level controls in an IT context
      3. What are general IT controls?
      4. Case studies and examples of general IT controls
      5. Outsourced arrangements
      6. End user computing
      7. Bring your own devices (BYOD)
      8. Case studies and examples of outsourcing
      9. Reviewing general IT controls
      10. Summary
    2. Chapter 6: Security and Data Privacy
      1. Overview
      2. Risks
      3. Controls
      4. Examples of IT security controls
      5. ISO27001
      6. Case study examples
      7. Documenting, assessing and testing security and confidentiality controls
      8. Summary
    3. Chapter 7: System Development and Change Control
      1. Introduction
      2. Project lifecycle overview
      3. Project lifecycle risks
      4. Project lifecycle controls
      5. Project lifecycle case study examples
      6. Project lifecycle documenting, assessing and testing controls
      7. Change management overview and risks
      8. Change management controls
      9. Change management case study examples
      10. Documenting, assessing and testing controls
      11. Summary
    4. Chapter 8: Service Management and Disaster Planning
      1. Introduction
      2. Service management overview
      3. Disaster planning
      4. Case study examples
      5. Summary
  7. Part III: Introduction to Application Controls
    1. Chapter 9: Overview of Application Controls (Integrity)
      1. Introduction
      2. Risks
      3. Controls
      4. Case study examples
      5. Documenting, assessing and testing application controls
      6. Summary
      7. Further reading
  8. Part IV: Life as an Information Risk Management Specialist
    1. Chapter 10: Planning, Running and Reviewing Information Risk Management Assignments
      1. Overview
      2. Stages of a review
      3. IRM assignment planning
      4. Conducting an IRM review
      5. Reviewing the audit review
      6. Ensuring action after the review
      7. Summary
    2. Chapter 11: Personal Development and Qualifications
      1. Overview
      2. Who are IRM auditors?
      3. Skills audit
      4. Qualifications available
      5. Professional and ethical standards
      6. Sources of employment
      7. A personal case study
      8. Summary
  9. Further Reading and Resources
  10. ITG Resources