ISO 27005 Lead Implementer Course Outline
This course will cover the following topics:
Module 1: Introduction to ISO 27005 Standard
- Core concepts, key definitions and background
- Quality Management System (QMS)
- Role and importance
- Understanding the situation in an organisation
- Reviewing and monitoring
- OCTAVE method
- EBIOS method
- MEHARI
- Harmonised TRA method
Module 2: Interaction With Other ISOs
- How ISO 27005 interacts with ISO 9001
- How ISO 27005 interacts with ISO 27001
- Quantifying the business impact
- Impact severity
Module 3: Planning Individual Internal Audits
- Internal audit approach
- Risk assurance mapping
- Audit plan
- Research the audit area
- Conduct process walk-throughs
- Map risks to the organisation, process, or function
- Obtain data prior to fieldwork
Module 4: Conducting the Internal Audit and Handling the Interview Process
- Decide what you want to achieve
- Identify risks and review objectives
- Plan and audit activities
- Validate the facts and complete the work
- Develop a deliverable or report that will drive action
- Follow up
Module 5: Understanding Quality Management Principles in an Internal Audit
Module 6: Preparation of an ISO 27005 Audit
Module 7: Conducting an ISO 27005 Audit
Module 8: Closing an ISO 27005 Audit
Module 9: Managing an ISO 27005 Audit Program
Module 10: Key Concepts, Terminology and Definitions for Lead Implementer
Module 11: Introduction to Risk Management
- Monitoring and reviewing potential risks
- Risk management methodologies
- Information security risk management framework and process model
- Information asset classification, identification and threats
- Threat vulnerabilities
- Controls
- Controlling vulnerabilities
- Vulnerability categories
- Vulnerability sources
- The consequences of vulnerabilities
- Incident scenarios
- Types of vulnerabilities
- Methods for risk assessment
- Scales and simple calculations
- Acceptance strategies
- Improvement of risk assessment and risk management
- Implementation of risk management programs
- Risk communication and consultation
- Communicating risk – an overview
- The six principles of risk communication
- Accurate communication
- Risk communication procedures
Module 12: Risk Identification and Analysis
- Risk analysis and scoring
- Risk identification
- Risk estimation
- Risk estimation methodologies
- Risk estimation components
- Risk assessment techniques
- Assumptions analysis
- Checklist analysis
- SWOT analysis
- Prompt lists
- Interviewing and brainstorming
Module 13: Role and Responsibilities of a Risk Manager
- Risk acceptance and making changes accordingly
- About information security
- Types of risks and associated threats
- Security controls and measures
- Scope and boundaries of process
- Understand the organisation
- Know about constraints that affect an organisation
- Impact of risks
- Handling the information security risk management team
- Train and make employees aware of risks
Module 14: Identifying, Evaluating and Treating Risks Specified in ISO 27005
- Risk treatment
- Mitigating control measures
- Risk analysis tools & evaluation