The international risk management standard ISO/IEC 27001 related to information security describes the best practices to put in place so that an organization can effectively manage information-related risks. This course presents the ISO standards for Information System Security and explains what is needed to set up an information security risk management system (ISMS).
Training at your location, our location or remotely
Ref. ASE
3d - 21h
Would you like to transpose this course—without changes—for your company?
A la carte training
Do you want a training course tailored to the needs of your company and its teams? Your training will be built to measure by our experts!
The international risk management standard ISO/IEC 27001 related to information security describes the best practices to put in place so that an organization can effectively manage information-related risks. This course presents the ISO standards for Information System Security and explains what is needed to set up an information security risk management system (ISMS).
Teaching objectives
At the end of the training, the participant will be able to:
Explain the components of an information security management system (ISMS) in accordance with ISO 27001.
Explain the content and correlation between ISO 27001 and 27002 as well as with other standards and regulatory frameworks
Adapt the requirements of the ISO 27001 standard to an organization’s specific context.
Intended audience
CISOs, risk managers, IT directors or managers, project owners/lead contractors, security technicians or engineers, project managers, internal and external auditors, future auditees.
Prerequisites
Basic knowledge of IT security.
Course schedule
» Introduction
Refreshers ISO 27000 and ISO Guide 73 terminology.
SOX, PCI-DSS, and COBIT regulations. For whom? Why? Interaction with the ISO.
Towards IT governance, links with ITIL® and ISO 20000.
What ISO adds for regulatory frameworks.
The alignment of COBIT, ITIL®, and ISO 27002.
» ISO 2700x standards
History of security standards seen by the ISO.
The BS 7799 standards, what they added to the ISO.
The current standards (ISO 27001, 27002).
The complementary standards (ISO 27005, 27004, 27003, etc.).
Convergence with the 9001 quality and 14001 environment standards.
What quality experts add to security.
» The ISO 27001:2013 standard
Definition of an Information System Security Management System (ISMS).
Objectives for your ISMS to achieve.
The "continual improvement" approach as a founding principle, the PDCA model (Deming cycle).
The ISO 27001 standard integrated into a QMS quality approach.
Details of the Plan-Do-Check-Act phases.
From specifying the ISMS scope to the SoA (Statement of Applicability).
The recommendations of ISO 27001 for risk management.
On the importance of risk assessment. Choosing an ISO 27005:2011 method.
What the EBIOS and MEHARI methods add to your assessment approach.
Adopting efficient technical and organizational security measures.
Mandatory ISMS internal audits. Building a program.
ISMS improvement. Setting up corrective and preventive actions.
Corrective and preventive action measures and counter-measures.
Annex A of the ISO 27002 standard.
» Best practices, ISO 27002:2013
Security goals: Availability, Integrity, and Confidentiality.
Structure in domains/chapters (level 1), control objectives (level 2), and control (level 3).
The new ISO 27002:2013 best practices, the measures deleted from ISO 27001:2005. Changes.
The ISO 27002:2013 standard: The 14 domains and 113 best practices.
Examples for applying the standard to your company: Key essential security measures.
» Implementing security in an ISMS project
From security specifications to security acceptance.
How to follow the ISSP and the requirements of the client/project owner?
From risk analysis to building the Statement of Applicability.
The ISO 27003 and 15408 standards as an aid to implementation.
Integrating security measures into specific developments.
The rules to follow for outsourcing.
Ensuring that the project is monitored in its implementation and then operation.
"Security" meetings before acceptance.
Incorporating the PDCA cycle into the project's life cycle.
Project acceptance; How to test it: Intrusion test and/or technical audit?
Preparing the indicators. Continual improvement.
Putting in place a scorecard. Examples.
What the ISO 27004 standard adds.
Vulnerability management in an ISMS: Regular scans, patch management, etc.
» ISO 19011:2011 security audits
Continuous and complete process. Steps, priorities.
Audit categories: Organizational, technical, etc.
Internal, external, and third-party auditing, choosing your auditor.
The ISO process for an audit, the key steps.
Audit objectives, audit quality.
Approach for improving an audit.
Auditor qualities, their assessment.
Organizational audits: Approach, methods.
Compared benefits, human involvement.
» Legal best practices
Intellectual property of software, contractual and tort liability.
Criminal liability, responsibilities of executives, delegation of power, sanctions. The LCEN law.
ISO compliance and legal compliance: The new domain 18 of the ISO 27002:2013 standard.
» ISO certification of IS security - The auditor-audited relationship
Benefit of this approach, seeking the "label".
Criteria for choosing the scope. Field of application. Involvement of stakeholders.
The ISO: Essential supplement to regulatory and standard frameworks (SOX, ITIL®, etc.).
Expected economic issues.
Certifying organizations, choices in France and Europe.
Audit approach, steps, and workloads.
ISO 27006 standard, obligations for certifiers.
Recurring and non-recurring costs of certification.
Practical details
Preparing for ISO 27001 Lead Implementer and Lead Auditor certification.
Customer reviews
4,3 / 5
Customer reviews are based on end-of-course evaluations. The score is calculated from all evaluations within the past year. Only reviews with a textual comment are displayed.
Dates and locations
Select your location or opt for the remote class then choose your date.
Remote class
No session at the moment, we invite you to consult the schedule of distance classes.
3d
- 21h00 
