ISO 27002 Lead Auditor Training - Malaysia

ISO 27002 Lead Auditor Training Course Outline

Module 1: Introduction to ISO 27002

• What is Information Security?
• Why is Information Security Needed?
• How to Establish Security Requirements
• Assessing Security Risks
• Selecting Controls
• Information Security Starting Point
• Critical Success Factors
• Lifecycle Considerations
• Difference between the ISO 27001 and 27002
• Relation between the ISO 27001 and 27002

Module 2: Scope, Terms and Definitions

• Scope
• Terms and Definitions

Module 3: Structure of ISO 27002 Standard

• Clauses
• Security Categories
  • Control
  • Implementation Guidance
  • Other Information

Module 4: Risk Assessment and Treatment

• Assessing Security Risks
• Treating Security Risks

Module 5: Audit Plan and Process

• Audit Plan
• Preparing for an Audit
• Audit Process
  • Planning
  • Notification
  • Opening Meeting
  • Fieldwork
  • Report Drafting
  • Management Response
  • Closing Meeting
  • Final Audit Report Distribution
  • Follow-Up

Module 6: Internal Auditor

• Understanding an Internal Auditor (IA) 
• Internal Auditing Process 
• Requirements for Internal Auditors
• Internal Auditor Vs External Auditor 
• Benefits of an Internal Auditor (IA) 

Module 7: ISMS Audit

• Introduction
• Principles 
• Audit Management
• Auditing Process
• Competence and Evaluation of Auditors 

Module 8: Cybersecurity Auditing

• What is Cybersecurity Audit?
• How It Helps Organisation? 
• Cybersecurity and the Role of Internal Audit 
  • Cyber Risk and Internal Audit
  • Third Line of Defence
  • Cybersecurity Assessment Framework

Module 9: Information Security Audit

• What is IT Security Audit?
• Benefits 
• Types
  • Approach Based
  • Methodology Based
• Importance
• How to Conduct an IT Security Audit?
• Roles and Responsibilities of Information Security Auditor
  • Basic Duties List
  • Roles and Responsibilities on the Job

Module 10: Information Security in Project Management

• Project Management
• Attributes Table
• Purpose of Control 5.8
• Meet Requirements 
• Differences Between ISO 27002:2013 and ISO 27002:2022

Module 11: Components of Information Security

• Confidentiality
• Integrity 
• Availability
• Authenticity
• Non-Repudiation 

Module 12: Information Security Risk Management (ISRM)

• Introduction
• Stages
  • Identification
  • Assessment
  • Treatment
  • Communication
  • Rinse and Repeat
• Ownership
  • Process Owners
  • Risk Owners

Module 13: Control and Compliance

• Security Controls
• Importance of Compliance
• Legal Requirements for Information Security 
• Information Technology Compliance
  • Improved Security
  • Minimised Losses
  • Increased Control
  • Maintained Trust
• Information Security Compliance Standards 

Module 14: Management Responsibilities

• Control 5.4 Management Responsibilities
• What is an Information Security Policy?
• Attributes Table
• Purpose of Control 5.4 
• Implementation Guidelines 

Module 15: Competence and Evaluation of Auditors

• Auditor Competence 
  • Field
  • Changes to ISO27 and Other Standards, Guidelines
  • Legal and Regulatory Changes
  • Business and Organisational Changes
  • Technology Changes
• Demonstration of Auditor Competence 

Module 16: Lead Auditor

• What is Lead Auditor?
• Roles of Lead Auditor
  • Planning Phase
  • Audit Phase 
  • Audit Report 

Module 17: Conformity Assessment

• What is Conformity Assessment? 
• Need of Conformity Assessment 
• Conformity Assessment and Standards
• Types of Conformity Assessment

Module 18: Themes and Controls 

• Control Type 
• Information Security Properties
• Cybersecurity Concepts 
• Operational Capabilities 
• Security Domains 
• Control Layout

Module 19: Organisational Controls

• Policies for Information Security
• Information Security Roles and Responsibilities 
• Segregation of Duties 
• Management Responsibilities  
• Contact with Authorities
• Contact with Special Interest Groups
• Threat Intelligence
• Information Security in Project Management 
• Inventory of Information and Other Associated Assets
• Acceptable Use of Information and Other Associated Assets 
• Return of Assets 
• Classification of Information 
• Labelling of Information
• Information Transfer 
• Access Control 
• Identity Management 
• Authentication Information 
• Access Rights
• Information Security in Supplier Relationships  
• Addressing Information Security within Supplier Agreements
• Managing Information Security in the ICT Supply Chain
• Monitoring, Review, and Change Management of Supplier Services
• Information Security for Use of Cloud Services
• Information Security Incident Management Planning and Preparation 
• Assessment and Decision on Information Security Events 
• Response to Information Security Incidents
• Learning from Information Security Incidents
• Collection of Evidence
• Information Security During Disruption
• ICT Readiness for Business Continuity
• Legal, Statutory, Regulatory, and Contractual Requirements
• Intellectual Property Rights
• Protection of Records 
• Privacy and Protection of PII 
• Independent Review of Information Security 
• Compliance with Policies, Rules, and Standards for Information Security
• Documented Operating Procedures 

Module 20: People Controls

• Screening
• Terms and Conditions of Employment
• Information Security Awareness, Education, and Training 
• Disciplinary Process 
• Responsibilities After Termination or Change of Employment 
• Confidentiality or Non-Disclosure Agreements
• Remote Working 
• Information Security Event Reporting 

Module 21: Physical Controls

• Physical Security Perimeters 
• Physical Entry 
• Securing Offices, Rooms, and Facilities
• Physical Security Monitoring
• Protecting Against Physical and Environmental Threats
• Working in Secure Areas
• Clear Desk and Clear Screen
• Equipment Siting and Protection
• Security of Assets Off-premises
• Storage Media
• Supporting Utilities
• Cabling Security
• Equipment Maintenance
• Secure Disposal or Re-use of Equipment

Module 22: Technological Controls

• User Endpoint Devices
• Privileged Access Rights
• Information Access Restriction
• Access to Source Code
• Secure Authentication
• Capacity Management
• Protection Against Malware
• Management of Technical Vulnerabilities
• Configuration Management
• Information Deletion
• Data Masking
• Information Deletion
• Data Masking
• Data Leakage Prevention
• Information Backup
• Redundancy of Information Processing Facilities
• Logging
• Monitoring Activities
• Clock Synchronisation
• Use of Privileged Utility Programmes
• Installation of Software on Operational Systems
• Networks Security
• Security of Network Services
• Segregation of Networks
• Web Filtering
• Use of Cryptography
• Secure Development Life Cycle
• Application Security Requirements
• Secure System Architecture and Engineering Principles
• Secure Coding
• Security Testing in Development and Acceptance
• Outsourced Development
• Separation of Development, Test, and Production Environments
• Change Management 
• Test Information
• Protection of Information Systems during Audit Testing