This seminar, based partially on the ISO/IEC 27005:2018 standard, allows participants to acquire theoretical and practical knowledge of information security risk management. It prepares candidates for the ISO 27005 Risk Manager certification using case studies.
Training at your location, our location or remotely
Ref. AIR
Duration: 3 days (21 hours)
Teaching objectives
At the end of the training, the participant will be able to:
Understand the concept of risk in relation to information security
Use ISO 27005:2018 for risk analysis
Be aware of other methods (EBIOS RM, MEHARI)
Logically choose a risk analysis method
Intended audience
CISOs or security contacts, security architects, IT directors or officers, engineers, and project managers (project owners and lead contractors) who need to incorporate security requirements.
Prerequisites
Basic knowledge of information security.
Course schedule
Introduction
ISO 27000 terminology.
Definitions of threat, vulnerability, and risk.
Availability, integrity, and confidentiality requirements; taking traceability and evidence into account.
Review of regulatory and standards constraints (GDPR, LPM/NIS, PCI DSS, etc.).
Role of the CISO vs. the Risk Manager.
The ISO 31000 standard: from the interest of an “umbrella” standard to a universal reference source.
The concept of “Risk”
Identifying and classifying risks.
Operational, physical, and logical risks.
The consequences of risk (financial, legal, human, etc.).
Insurability of a risk; calculating the financial cost of transferring it to insurance.
Risk management according to the ISO
The approach of the ISO 27001:2013 standard and its “Risk Management” process.
Initial assessment in the Plan phase (clause 6: Planning).
The 27005:2018 standard: Information Security Risk Management.
Implementing a PDCA process for risk management.
Context, assessment, treatment, acceptance, and review of risks.
Steps of risk analysis (identification, analysis, and assessment).
Preparing the Statement of Applicability (SoA) and the action plan.
Sharing risks with third parties (cloud, insurance, etc.); Domain 15 of ISO 27002.
Risk analysis methods
MEHARI methods (2010, PRO, and Manager).
Compliance-based approach vs. risk scenario approach.
Taking into account sophisticated intentional threats like APTs.
The goals of EBIOS RM (identifying the security requirements, achieving compliance, identifying and analyzing risks, etc.).
Activities of the method.
CRAMM, OCTAVE, etc.: history and methods used elsewhere in the world.
Conclusion and choosing a method
How do you choose the best method?
Knowledge bases (threats, risks, etc.).
Convergence toward ISO and the need for updates.
Being or not being in the “ISO spirit”: constraints of the PDCA model.
A comprehensive method or a project-specific method.
The real cost of a risk analysis.