Books — the smart way to learn about management system standards


Books by Dr David Brewer

Insights into ISO/IEC 27001:2022 Annex A

  • Is for people who want to know more about ISO/IEC 27001 Annex A: what its purpose is, how it works and how its effectiveness can be increased
  • Explains how the purpose of Annex A and the Statement of Applicability (SOA) have evolved over the past 27 years
  • Raises questions about whether the Annex A controls are requirements and about the effectiveness of the SOA mechanism
  • Reveals the relationship between Annex A and the processes of risk assessment and risk treatment
  • Considers privacy, AI, ransomware and other risk contexts
  • Proposes how the utility of Annex A can be vastly improved.

The book has been written in the style of a mystery. The first four chapters set the scene, each finishing with a conclusion in the form of a perplexing statement or question. The final chapter, like all good mystery stories, resolves all the issues and permits Annex A and the SOA to be regarded in a more refreshing light.

The book re-examines Annex A 15 years after David Brewer and Michael Nash published their paper “Insights into the ISO/IEC 27001 Annex A” in 2010.

Edition 1 (published July 2025). 48 pages. Available on Amazon as a paperback, ISBN-13: 979-8291235935, price £14.99, or Kindle, price £13.45.

An introduction to ISO/IEC 27001:2022/Amd 1:2024

  • Is for people who are looking for a straightforward overview of ISO/IEC 27001:2022/Amd 1:2024 and how to implement it
  • Serves as a basic introduction to the standard and a straightforward guide to implementation
  • Is an easy to follow pocket guide packed with useful ‘how to’ information
  • Contains guidance that is applicable to a wide range of differing ISMS implementations and is appropriate to SMEs as well as much larger organizations
  • Includes a practical and easy to use risk assessment/risk treatment method that delivers results directly expressed in business meaningful terms
  • Does not assume any prior knowledge of ISO/IEC 27001 or management systems

What the experts say

‘An excellent book – the ultimate guide to ISO/IEC 27001:2022 – a must have book whether you are an existing registration or considering it. Offers practical and pragmatic guidance to practitioners.’

Sabrina Feng, Chief Technology Risk Officer, London Stock Exchange Group

Edition 5 (published May 2024). First published 2014.

181 pages. Available on Amazon as a paperback, ISBN 9798326462220, price £42.25.


ISO/IEC 27001:2022 — Mastering Risk Assessment and the Statement of Applicability

  • Is for people who are looking for a straightforward approach to information security risk assessment, risk treatment and the Statement of Applicability
  • Provides clear and easy to follow instructions on what to do
  • Uses events and consequences as advocated in ISO 31000:2018 (Risk management – Guidelines) and BS 7799-3:2017 (Guidelines for information security risk management)
  • Contains 182 control questions derived from the controls in ISO/IEC 27001:2022 Annex A, augmented by controls derived from the purpose and guidance text in ISO/IEC 27002:2022
  • Offers two layouts for the Statement of Applicability.

Edition 2 (published November 2022).

95 pages. Available on Amazon as a paperback, ISBN 9798361626724, price £27.99.

About the author

Dr David Brewer has over thirty-five years’ worldwide experience working with management systems as a standards maker, consultant, auditor, tutor and integrated management system administrator. He was one of the first consultants to advise the British Government on information security matters, helping to establish the first ever computer security evaluation facilities and evaluation criteria. He was a founder member of the Department of Trade and Industry’s Commercial Computer Security Centre (1987-1992) and became co-author of the European IT Security Evaluation Criteria (the forerunner of ISO/IEC 15408) and its associated evaluation manual. He was co-author of the original ISMS standard, BS 7799 Part 2, and a former head of the UK delegation to ISO/IEC JTC 1/SC 27/WG 1, which is responsible for the ISO/IEC 27000 family of standards. He is the editor for the revision of ISO/IEC 27000 (ISMS Overview) and ISO/IEC 27004 (Monitoring, measurement, analysis and evaluation).

David has conducted a wide variety of consultancy assignments in information security spanning 43 years in over 23 countries. He has assisted many clients to establish their ISMS and has first-hand experience in the maintenance and improvement of two of them. His seminal research papers include: The Chinese Wall Security Policy, published in 1989; Measuring the Effectiveness of an Internal Control System, published in 2004 and Insights into the ISO/IEC 27001 Annex A, published in 2010.