ISO 27001 Lead Auditor - United Kingdom

ISO 27001 Lead Auditor Course Outline

This ISO 27001 Lead Auditor training course will explore the following modules:

Module 1: Introduction

• The 27001 standard
• 27001 mission
• 27001 high-level methodology
• 27001 focus
• Common interrelationships
• Review and monitor
• Improvement and maintenance
• Clauses of ISO 27001

Module 2: Information Security Management Systems (ISMS) and the ISO 27001 Standards Family

• What is an ISMS?
• Creating project plan according to ISMS ISO 27001
• Establishing management and governance frameworks
• ISMS principles
• ISMS benefits
• Scope of ISMS in an organisation
• Introduction to management systems
• Process approach
• Fundamentals
• The PDCA cycle

Module 3: Interaction with ISO 27005

• What is ISO 27005
• ISO 27001 vs ISO 27005
• Quantifying the business impact

• Impact severity

Module 4: Introduction to Auditing

• Defining auditing
• Types of audit
• Techniques and principles
• Phases of audit

Module 5: Performing ISO 27001 Audits

• Preparing audit reports
• Analysing data
• Auditing procedures
• Reviewing documents and reports
• Validating reports
• Designing and merging findings
• Classifying findings
• Planning, organising, and prioritising
• Factors that affect the reliability of audit findings

Module 6: Internal Auditor

• Roles and responsibilities of an internal auditor
• Record review activities
• Internal auditor checklist
• Communication between departments
• Drafting reports and test plans

Module 7: Risk Management

• Analysing and evaluating risks
• Managing risk approaches

Module 8: Risk Assessment and the Statement of Applicability (SOA)

• Risk assessment summary
• Conducting risk assessments
• Risk assessment methodology
• Risk assessment implementation
• Risk treatment plan
• Risk treatment implementation
• ISMS risk assessment report
• The Statement of Applicability (SOA)
• Threats and vulnerabilities

Module 9: Roles and Responsibilities of a Lead Implementer

Module 10: Launch and Implement an ISMS in an Organisation

• Apply the frameworks
• Design writing procedures and controls
• Implementing the controls
• Training and awareness programme
• Management’s role
• Impediments and aids to success
• Responsibilities of employees

Module 11: Certification

• Certification Process - organisations
• Steps to certification
• Certification audits
• Surveillance visits
• Certification process - individuals
• Procedures
• Documentation
• Information Security policies
• Monitoring and reviewing within an organisation

Module 12: Security Controls and Incident Management

• Management of incidents and operations
• Annex A
• Physical and environmental security
• Operations
• Communications
• Managing incidents
• Confidentiality and security of information in an ISMS
• Business Continuity Management(BCM)
• Control and act
• Managing records
• Monitoring controls
• Indicating performance
• Developing a matrix according to ISO 27001
• Internal auditing
• Review
• Improvement programmes

Module 13: Introduction to ISO 27001 Lead Auditor

• Qualifications of an auditor
• IRCA code of conduct
• Difference between conformance and compliance

Module 14: Preparing and Planning an Audit

• Evaluation methods
• Roles and responsibility of an auditor
• Auditing schedule and time
• Procedures and process flow
• Plans and programs
• Activities of an auditor
• Audit checklists
• Internal auditing goals
• Internal auditing charter
• Audit components
• Purpose and extent of an audit
• Confirming audit plans
• Documentation

Module 15: Reviewing Process and Qualities

• Inspection writing
• Different review stages
• Auditing approaches and methods
• Data analysis
• Collecting evidence
• Checking
• Taking notes
• Observation
• Audit findings
• Auditor team meetings
• Analysing reports from other auditors
• Preventative and corrective actions
• Conducting follow-ups

Module 16: Tasks of an Auditor

• Preparing audit plans and checklists
• Defining targets
• Monitoring and logging
• Handling stressful situations
• Tips and recommendations
• Intrusion and penetration testing
• Inspection
• Reporting audits
• Follow-up actions
• Auditing results
• Submitting reports to higher management
• Decision making