Managing Risk in Information Systems (Information Systems Security & Assurance)
C**Y
Great reference material, less great in a classroom setting
This is a great piece of reference material if you need guidelines on risk assessments, mitigation, and security in your organization. It's very straightforward and its provided diagrams and examples are fantastic. Greater issue: When read chronologically, it doesn't read well at all. The book's writing style mentions everything, every chapter, and picks a seemingly random one of those things to dive into in each chapter you read. For instance, this book has a chapter dedicated to writing a BIA, which on its own is very handy. However - it also has a page about it here, a page about it there, and like with many other topics in this book, it sort of regurgitates its own content, repeatedly, in every chapter. Each topic isn't rewritten in 'how it relates' as much as it is written to 'start over' like you haven't already read about the topic in a previous chapter. On top of that, every chapter forces itself to be 23-25 pages long, seemingly because it can... I think that space would be better used challenging the reader to create a plan or assessment on their own, as opposed to constantly restating itself. I think the idea was to revisit/reinforce earlier concepts by re-introducing them again and again, but it's executed quite badly and makes the book appear very clunky and disorganized.
S**D
Second ed is excellent; third is a major step down
The second edition of this book is phenomenal. It is well written, clear, and provides fantastic coverage of the topic. For the third edition, all they did was to add "ing" to every other verb. (That's only a slight exaggeration.) There are no significant updates to the content. It's the same content, and the content is still good. It just went from being a really, really well written book to a poorly written book.