June 18, 2026 · Mark Hayward

Cyber Security ISO 27001:2022 Certification ~ 1.4 Documenting Scope and Exclusions for Certification

Defining what is — and isn't — inside your ISMS is one of the most critical steps in the certification journey. A precisely documented scope and clearly justified exclusions lay the foundation for targeted controls and a credible audit.

Defining the ISMS Scope

Defining the scope of an Information Security Management System (ISMS) is a fundamental step toward achieving certification. It requires a clear understanding of what parts of the organisation, its assets, processes, and activities are included in the security management effort. Done poorly, scope ambiguity creates confusion during audits and weakens the credibility of your certification. Done well, it gives every stakeholder a precise picture of what is protected and why.

To define scope effectively, start by identifying the organisational boundaries — whether the ISMS covers the entire company, specific departments, or particular business units. ISO 27001:2022 clause 4.3 requires the scope to be held as documented information and to take into account the external and internal issues identified under clause 4.1, the requirements of interested parties under clause 4.2, and the interfaces and dependencies between activities the organisation performs and those performed by other organisations. This clarity prevents ambiguity in responsibilities and ensures everyone understands exactly what falls within the programme. From there, list critical assets: data, hardware, software, and facilities. Determining which assets are in scope helps focus security controls where they matter most.

Including core processes and workflows in your scope documentation is equally important. Essential business activities must be protected, and their security posture properly recorded. Keep the scope documentation precise but flexible enough to accommodate future changes — the nature of business operations and technology environments evolves, and your ISMS must be able to keep pace without forcing a full recertification each time. Note that a material change of scope still has to be reported to the certification body and assessed at the next audit; flexibility means the documentation can be revised cleanly, not that the certified scope changes silently.

Strategic Exclusions: What to Leave Out and Why

Once the scope is well defined, strategic considerations come into focus when documenting exclusions. Exclusions are the parts of the organisation or assets that are intentionally left outside the ISMS boundary — typically due to resource constraints, legal boundaries, or demonstrably low risk levels. Clearly identifying these exclusions from the outset prevents misunderstandings during audits and ensures full transparency with auditors and stakeholders.

Consider a common example: a company might leave an outsourced process outside the ISMS boundary where a third party runs it end to end under a formal agreement and demonstrably meets the required security standards. Even then, the process does not simply disappear from the ISMS. Clause 4.3 c) requires the interfaces and dependencies between in-scope activities and those performed by other organisations to be considered, and clause 8.1 requires externally provided processes relevant to the ISMS to be controlled, so the contract, the supplier assessment and the data flows across the boundary remain in scope even if the supplier's internal operations do not. Similarly, personal devices or non-critical administrative systems might be excluded if they have no direct impact on information security objectives and do not store or process in-scope information. The key test is whether any exclusion creates a gap in security controls or compliance. If it does, that exclusion is not justifiable under ISO 27001:2022.

Every exclusion must be accompanied by a rationale. Documenting the reasoning behind each decision shows auditors that the scope was carefully considered and intentionally limited — not carelessly narrow. This level of transparency signals organisational maturity and reduces the risk of non-compliance findings during certification audits. Keep scope exclusions distinct from control exclusions: the requirements of clauses 4 to 10 cannot be excluded at all when claiming conformity, and Annex A controls that do not apply are justified in the Statement of Applicability under clause 6.1.3 d), not in the scope statement.

Documenting Exclusions in Detail

When recording exclusions in your ISMS documentation, include the following for each one:

  • The reason for exclusion — resource constraints, legal boundaries, third-party ownership, or demonstrably low risk; resource constraints alone will not satisfy an auditor if the excluded area handles in-scope information
  • The specific assets or processes affected — be precise; vague exclusions invite scrutiny
  • The owner of the excluded area and its interfaces and dependencies with in-scope processes — the data, network and contractual links that cross the boundary, as clause 4.3 c) requires
  • Any compensating controls — if there is residual risk, document how it is mitigated outside the ISMS scope and who is accountable for it

This level of detail reduces confusion, provides evidence of deliberate decision-making, and makes periodic reviews far more manageable. When organisational changes occur — a new acquisition, a technology refresh, a change in outsourcing arrangements — the exclusion log provides a baseline from which to assess whether boundaries need to shift.

As a practical discipline, review all exclusions annually or whenever significant organisational changes take place. This ensures the scope remains accurate and aligned with the organisation's current security posture and business objectives. Properly documented scope and exclusions do not just satisfy auditors — they serve as the structural foundation for developing targeted, effective security controls and building a compelling case throughout the certification process.
