This book is not practical, neither is it theoretical. It is geared towards management and tries to give an overview of what is needed to ensure information security. It does this by being extremely descriptive and utilising one step at the time methodology, while in some cases brushing over some details and in others go off-tangent by giving explanations to certain things that should be obvious for information security professionals. Regardless, I really liked the book!

Recommended reading.