
Ebook series: 6 titles

ISO Pocket Book Series


About this series

Let’s be realistic – it is human to make mistakes, so it’s impossible to have a system with no errors; it is, however, possible to have a system that improves itself and learns from its mistakes. Internal audits are a crucial part of such a system. In this book, Dejan Kosutic, an author and experienced ISO consultant, is giving away his practical know-how on ISO 9001, ISO 14001, ISO 27001, ISO 22301, ISO 20000, ISO 22000, OHSAS 18001, ISO 13485, AS9100 and IATF 16949 internal audits.

This book is written primarily for beginners in internal auditing and for people with moderate knowledge about internal audits. On the other hand, if you do have experience with internal audits, but you feel that you still have gaps in your knowledge, you’ll also find this book helpful. So, no matter if you are new or experienced in the field, this book gives you everything you will ever need to learn and more about internal audits.

Inside you will find not just basic information about the internal audit and ISO 19011, but also information on how to create the internal audit checklist, how to write the internal audit report, the best techniques for finding evidence during the audit, how to conduct interviews during the audit, and much more.

Kosutic uses real-life examples and plain English in order to explain everything that is necessary to completely understand how to perform an internal audit for all ISO management standards.

Language: English
Release date: Sep 15, 2017

Titles in the series (6)

  • 1. ISO 27001 Risk Management in Plain English: A Step-by-Step Handbook for Information Security Practitioners in Small Businesses

    “Risk management is the central idea of ISO 27001. And, the way ISO 27001 tells you to achieve this tailor-made suit is to perform risk assessment and risk treatment.” This book, ISO 27001 Risk Management in Plain English, is a quick read for people who are focused solely on risk management. It has one aim in mind: to give you the knowledge and practical step-by-step process you need to successfully implement ISO 27001 risk assessment and treatment – without struggle, stress, or headaches. ISO 27001 Risk Management in Plain English is written primarily for beginners in this field and for people with moderate knowledge about risk assessment and treatment. It is structured in such a way that someone with no prior experience or knowledge about information security can quickly understand what it is all about, and how to implement the whole risk management project. However, if you do have experience with ISO 27001, but feel that you still have gaps in your knowledge, you’ll also find this book very helpful. This book will give you a complete overview of risk management according to ISO 27001. It will also explain the differences between risk management in ISO 27001 and other risk-oriented standards, such as ISO 27005 and ISO 31000. You will learn the five main steps in the risk management process, the purpose of risk assessment, and how to perform it. “In my experience, the employees (and the organization as a whole) are usually aware of only 25 to 40% of risks,” says author Dejan Kosutic. “Therefore, a thorough and systematic process needs to be carried out to find out everything that could endanger the confidentiality, integrity, and availability of their information.” This book will serve as your complete guide to ISO 27001 risk management. From the simple explanation of requirements, steps in risk management, development of methodology, and which documents are required for risk management – you will quickly see that this is the only book you’ll ever need on the subject.

  • 2. ISO 27001 Annex A Controls in Plain English: A Step-by-Step Handbook for Information Security Practitioners in Small Businesses

    In this book, Dejan Kosutic, author and experienced information security consultant, is giving away his practical know-how on ISO 27001 security controls. No matter if you are new or experienced in the field, this book teaches you everything you need to know about security controls. ISO 27001 Annex A Controls in Plain English is written primarily for beginners to ISO 27001, and for people with moderate knowledge about Annex A of the standard and the 114 security controls that are found in the Annex. It is structured in such a way that someone with no prior experience or knowledge about information security can quickly understand what they are all about; however, if you do have experience with ISO 27001, but feel that you still have gaps in your knowledge, you’ll also find this book very helpful. Kosutic uses plain English to explain everything you need to know about security controls in ISO 27001, as well as the differences between the controls in Annex A of ISO 27001 and in ISO 27002. Also, you will learn everything about the crucial link between risk management and security controls, and get a complete overview of Annex A controls starting from the introduction, structuring of the documentation, and instructions on how to write detailed information security policies, all the way to the requirements for compliance. Written in simple language and avoiding the technical jargon, ISO 27001 Annex A Controls in Plain English is the right book to start learning about the subject.

  • 3. Preparing for ISO Certification Audit – A Plain English Guide: A step-by-step handbook for ISO practitioners in small businesses

    “Before you decide if your company should go for the certification, you have to ask yourself one important question: Do you really need it?” This book is a complete guide that will not only help you decide on this crucial concern, but also lead you from the beginning of the certification project to the end. This book is not focused solely on one ISO standard – the certification process is the same for any standard, so the book is written to apply equally to ISO 9001, ISO 14001, ISO 27001, ISO 20000, ISO 22000, OHSAS 18001, ISO 13485, and IATF 16949. Kosutic wrote Preparing for ISO Certification Audit: A Plain English Guide primarily for beginners in this field, and for people with moderate knowledge about ISO certification. The book is structured in such a way that someone with no prior experience or knowledge about ISO standards can quickly understand how the whole certification process works, and what steps to take for its successful completion. This book is a straightforward guide for ensuring your company passes the certification audit, leading you through the following steps:

    • The final check before going for the certification – this part of the book explains in detail all the necessary steps that need to be done before going for the certification.
    • How to choose a certification body – here you will learn about the most important criteria for choosing the certification body. Among others, you should consider the reputation, specialization, and experience of a certification body.
    • Steps in the company certification and how to prepare – in this part of the book you will learn more about the Stage 1 audit, Stage 2 audit, and surveillance visits – the three main steps in the certification process.
    • Which questions the certification auditor may ask – this section of the book will give you insight into how the certification auditors usually perform the certification audit, explaining what documentation you should prepare, what evidence the auditor will try to find, and what kind of questions you can expect during the certification interview.
    • How to talk to the auditors to benefit from the audit – “Don't forget that auditors are only people, and no matter how professional they are, they will always be glad if you treat them fairly, and will be negative if you treat them badly.”
    • What the auditor can and cannot do – this section is also very important in order to prepare your company for the certification audit. You have to be aware that there are borders that a certification auditor shouldn’t cross.

    Written in plain English with easy-to-understand language, this is the only book you will ever need on the subject.

  • 4. Managing ISO Documentation – A Plain English Guide: A Step-by-Step Handbook for ISO Practitioners in Small Businesses

    In this book, Dejan Kosutic, author and experienced ISO consultant, is giving away his practical know-how on managing policies, procedures, plans, forms, reports, and other documented information. No matter if you are new or experienced in the field, this book gives you everything you will ever need to learn on how to handle ISO 9001, ISO 14001, ISO 27001, ISO 22301, ISO 20000, ISO 22000, OHSAS 18001, ISO 13485, AS9100, and IATF 16949 documents. Many ISO practitioners are often disappointed with the quantity and complexity of the documentation. You can frequently hear:

    • “We don’t need these documents – we’re doing just fine without them; this would only be overkill.”
    • “This standard is all about documentation – we simply need to fill out all the documents, and we’ll automatically get the certificate.”
    • “We need to write policies and procedures for each and every process, activity, and control in our company – the more documents, the clearer the rules will be, and it will be easier for us to comply.”

    This book is here to prove these statements wrong. As Kosutic says: “The main point of the implementation of any standard is that the employees perform their activities and processes in a better way, and the documentation is here to help you do that, because otherwise, their processes and activities would become unmanageable.” Managing ISO Documentation: A Plain English Guide is a step-by-step guide that will explain the sequence of writing the documentation and its relationship with the PDCA cycle, how to decide on your documentation strategy, how to decide which policies and procedures to write, and what might be the most crucial part – how to write documentation that will be accepted by your employees. Written in easy-to-understand language, whether you’re an experienced practitioner or new to the field, Managing ISO Documentation: A Plain English Guide is the only book you’ll ever need on the subject.

  • 5. Preparations for the ISO Implementation Project – A Plain English Guide: A Step-by-Step Handbook for ISO Practitioners in Small Businesses

    “There are many misconceptions about ISO standards that very often do not allow the standard to become a serious candidate for consideration, let alone for the actual implementation.” In this book, Dejan Kosutic, author and experienced ISO consultant, is giving away his practical know-how on preparing for ISO 9001, ISO 14001, ISO 27001, ISO 22301, ISO 20000, ISO 22000, OHSAS 18001, ISO 13485, AS9100, and IATF 16949 implementation. No matter if you are new or experienced in the field, this book gives you everything you will ever need to learn about preparations for ISO implementation projects, and how to avoid some costly mistakes in the process. The first step that is crucial to any ISO implementation project is to convince your top management to implement the ISO standard, and in order to do so, you have to speak the language they want to hear. As Kosutic says: “What management wants to hear are profit, market share, client satisfaction, cost cutting, business strategy, and business risks. And you can't blame them – after all, this is what their job is all about.” Starting from that step, Preparations for the ISO Implementation Project: A Plain English Guide will cover other important steps your organization must take in order to be completely prepared for the implementation of any ISO standard. Among other important things, you will learn how to choose a consultant, how to set up the project management structure, and what tools and templates can help you in the implementation project. Written in easy-to-understand language, this book is for people who are going for an ISO implementation for the first time and need clear guidance on what to do before the project starts. Whether you’re an experienced practitioner or new to the field, it’s the only book you’ll ever need on the subject.

  • 6. ISO Internal Audit – A Plain English Guide: A Step-by-Step Handbook for Internal Auditors in Small Businesses

