ISO 27005 Lead Auditor - Australia

ISO 27005 Lead Auditor Course Outline

The following subjects are taught during this course:

Module 1: Introduction to ISO 27005 Standard

• Core concepts, key definitions and background
• Quality Management System (QMS)
• Role and importance
• Understanding the situation in an organisation
• Reviewing and monitoring
• Octave method
• EBIOS method
• MEHARI
• Harmonised Tra method

Module 2: Interaction With Other ISOs

• How ISO 27005 interacts with ISO 9001
• How ISO 27005 interacts with ISO 27001
• Quantifying the business impact
• Impact severity

Module 3: Planning Individual Internal Audits

• Internal audit approach
• Risk assurance mapping
• Audit plan
• Research the audit area
• Conduct process walk-throughs
• Map risks to the organisation, process, or function
• Obtain data prior to fieldwork

Module 4: Conducting the Internal Audit and Handling the Interview Process

• Decide what you want to achieve
• Identify risks and review objectives
• Plan and audit activities
• Validate the facts and complete the work
• Develop a deliverable or report that will drive action
• Follow up

Module 5: Understanding Quality Management Principles in an Internal Audit

Module 6: Preparation of an ISO 27005 Audit

Module 7: Conducting an ISO 27005 Audit

Module 8: Closing an ISO 27005 Audit

Module 9: Managing an ISO 27005 Audit Program

Module 10: Key Concepts, Terminology and Definitions for Lead Implementer

Module 11: Introduction to Risk Management

• Monitoring and reviewing potential risks
• Risk management methodologies
• Information Security risk management framework and process model
• Information assets classification, identification and threats
• Threat vulnerabilities
  • Controls
  • Controlling vulnerabilities
  • Vulnerability categories
  • Vulnerability sources
  • The consequences of vulnerabilities
  • Incident scenarios
• Types of vulnerabilities
• Methods for risk assessment
• Scales and simple calculations
• Acceptance strategies
• Improvement of risk assessment and risk management
• Implementation of risk management programs
• Risk communication and consultation
  • Communicating risk – an overview
  • The six principles of risk communication
  • Accurate communication
  • Risk communication procedures

Module 12: Risk Identification and Analysis

• Risk analysis and scoring
• Risk identification
• Risk estimation
• Risk estimation methodologies
• Risk estimation components
• Risk assessment techniques
• Assumptions analysis
• Checklist analysis
• SWOT analysis
• Prompt lists
• Interviewing and brainstorming

Module 13: Role and Responsibilities of a Risk Manager

• Risk acceptance and making changes accordingly
• About information security
• Types of risks and associated threats
• Security controls and measures
• Scope and boundaries of process
• Understand the organisation
• Know about constraints that affect an organisation
• Impact of risks
• Handling the information security risk management team
• Train and make employees aware of risks

Module 14: Identifying, Evaluating and Treating Risks Specified in ISO 27005

• Risk treatment
• Mitigating control measures
• Risk analysis tools & evaluation

Module 15: Role of an Auditor

• The qualifications of an auditor
• The International Register of Certified Auditors (IRCA) code of conduct
• Internal and external audits
• Roles and responsibilities of a lead auditor

Module 16: Preparation and Planning of an audit

• Auditing definition
• Pre-audit
• Setting audit standards
• Defining targets
• Auditing goals
• Types of audit

Module 17: Audit Tasks

• Monitoring and logging
• Intrusion and penetration testing
• The penetration testing process
• Penetration testing methods
• Inspection
• Report tips
• Report structure
• Reporting audits
• Decision-making

Module 18: Auditing Principles and Techniques

• Gap analysis
• Gap analysis process
• 5-whys
• Communication planning
• Time and auditing on schedule
• Procedure and process flow
• Audit steps
• Plans and programs
• Activities of an auditor
• Verification techniques
• Inspection writing
• Approaches and methods for auditing
• Data analysis
• Data access and management
• Quality and control of audit analytics processes
• Collaboration, efficiency, and sustainability

Module 19: Closure of Audit

• Report evaluation
• Follow-up actions
• Auditing results
• Higher management
• Submitting reports to higher management
• Audit findings
• Audit evidence and findings
• NCPARs
• Audit follow-up
• The follow-up process