ISO 27001 (ISMS) Lead Implementer Course

ISO 27001 Lead Implementer course is a training program that enables people to develop the necessary expertise to support an organization in establishing, implementing, managing, and maintaining an Information Security Management System (ISMS).

The program is designed to provide professionals with the knowledge and skills to provide consulting services to organizations in the development and implementation of an ISMS based on the ISO 27001 standard.

The course also covers the associated ISO 27002 Code of Practice for Information Security Management. Participants in the ISO 27001 Lead Implementer course will learn about the requirements of an Information Security Management System (ISMS) and the best practices for its implementation.

It also covers the objectives, controls, management systems implementation and internal audit requirements of the ISO 27001 standard.

Participants will also gain experience in developing, issuing, monitoring and maintaining effective management system controls (e.g. business processes, policies and procedures).

Additionally, the course covers risk assessment and management methodology, designing control objectives and security requirements, secure system and application design, business continuance and disaster recovery planning, operational security, physical security, and data security.

Students who successfully complete the ISO 27001 Lead Implementer course will have the necessary knowledge and skills to help their organization implement a compliant and effective Information Security Management System.

Course Prerequisites

It is recommended to have a good working knowledge of the following topics prior to taking the ISO 27001 Lead Implementer training:

• Information Security Management Principles, Standards, and Best Practices;

• Risk Management Practices;
• Information Security, Business Continuity, and Disaster Recovery Management;
• Data Protection, Security and Privacy Laws; and
• Information Technology Infrastructure and Architecture.

Target Audience

The ISO 27001 (ISMS) Lead Implementer training is designed for professionals who are directly involved in the implementation, management, and maintenance of an Information Security Management System (ISMS)

This training would be best suited for information security professionals, risk assessment professionals, IT system administrators, IT managers, and IT auditors

It could also be beneficial for individuals with experience in ISO 27001/2 standards who seek further knowledge in the domain

Furthermore, the training is ideal for IT advisors, consultants, security system architects, and business continuity planners who seek to increase their understanding of different information security systems and the best practices for risk management
 

Learning Objectives Of ISO 27001 (ISMS) Lead Implementer

• Understand the requirements of the Information Security Management System (ISMS) framework as prescribed by ISO 27001.

• Become an expert in conducting an Information Security System Assessment.

• Learn the strategies to implement and maintain an ISMS as per ISO 27001 specifications.

• Gain the knowledge to analyze and verify the effectiveness of implemented security controls.

• Have the ability to develop a plan to effectively monitor, maintain and improve the implemented ISMS.

• Prepare for the ISO 27001 (ISMS) Lead Implementer Exam that certifies the professional as an expert in ISO 27001 information security management systems.

You Will Learn:

 Module 1: Training course objectives and structure

• Introduction

• General information

• Learning objectives

• Educational approach

• Examination and certification

• About PECB

 Module 2: Standards and regulatory frameworks

• What is ISO?

• The ISO/IEC 27000 family of standards

• Advantages of ISO/IEC 27001

 Module 3: Information Security Management System (ISMS)

• Definition of a management system

• Management system standards

• Integrated management systems

• Definition of an ISMS

• Process approach

• Overview — Clauses 4 to 10

• Overview — Annex A

 Module 4: Fundamental information security concepts and principles

• Information and asset

• Information security

• Availability, confidentiality, and integrity

• Vulnerability, threat, and impact

• Information security risk

• Classification of security controls

 Module 5: Initiation of the ISMS implementation

• Define the approach to the ISMS implementation

• Proposed implementation approaches

• Application of the proposed implementation approaches

• Choose a methodological framework to manage the implementation of an ISMS

• Approach and methodology

• Alignment with best practices

 Module 6: Understanding the organization and its context

• Mission, objectives, values, and strategies of the organization

• ISMS objectives

• Preliminary scope definition

• Internal and external environment

• Key processes and activities

• Interested parties

• Business requirements

 Module 7: ISMS scope

• Boundary of the ISMS

• Organizational boundaries

• Information security boundaries

• Physical boundaries

• ISMS scope statement

 Module 8: Leadership and project approval

• Business case

• Resource requirements

• ISMS project plan

• ISMS project team

• Management approval

 Module 9: Organizational structure

• Organizational structure

• Information security coordinator

• Roles and responsibilities of interested parties

• Roles and responsibilities of key committees

 Module 10: Analysis of the existing system

• Determine the current state

• Conduct the gap analysis

• Establish maturity targets

• Publish a gap analysis report

 Module 11: Information security policy

• Types of policies

• Policy models

• Information security policy

• Specific security policies

• Management policy approval

• Publication and dissemination

• Training and awareness sessions

• Control, evaluation, and review

 Module 12: Risk management

• ISO/IEC 27005

• Risk assessment approach

• Risk assessment methodology

• Risk identification

• Risk estimation

• Risk evaluation

• Risk treatment

• Residual risk

 Module 13: Statement of Applicability

• Drafting the Statement of Applicability

• Management approval

• Review and selection of the applicable information security controls

• Justification of selected controls

• Justification of excluded controls

 Module 14: Documented information management

• Value and types of documented information

• Master list of documented information

• Creation of templates

• Documented information management process

• Implementation of a documented information management system

• Management of records

 Module 15: Selection and design of controls

• Organization’s security architecture

• Preparation for the implementation of controls

• Design and description of controls

 Module 16: Implementation of controls

• Implementation of security processes and controls

• Introduction of Annex A controls

 Module 17: Trends and technologies

• Big data

• The three V’s of big data

• Artificial intelligence

• Machine learning

• Cloud computing

• Outsourced operations

• The impact of new technologies in information security

 Module 18: Communication

• Principles of an efficient communication strategy

• Information security communication process

• Establishing communication objectives

• Identifying interested parties

• Planning communication activities

• Performing a communication activity

• Evaluating communication

 Module 19: Competence and awareness

• Competence and people development

• Difference between training, awareness, and communication

• Determine competence needs

• Plan the competence development activities

• Define the competence development program type and structure

• Training and awareness programs

• Provide the trainings

• Evaluate the outcome of trainings

 Module 20: Security operations management

• Change management planning

• Management of operations

• Resource management

• ISO/IEC 27035-1 and ISO/IEC 27035-2

• ISO/IEC 27032

• Information security incident management policy

• Process and procedure for incident management

• Incident response team

• Incident management security controls

• Forensics process

• Records of information security incidents

• Measure and review of the incident management process

 Module 21: Monitoring, measurement, analysis, and evaluation

• Determine measurement objectives

• Define what needs to be monitored and measured

• Establish ISMS performance indicators

• Report the results

 Module 22: Internal audit

• What is an audit?

• Types of audits

• Create an internal audit program

• Designate a responsible person

• Establish independence, objectivity, and impartiality

• Plan audit activities

• Perform audit activities

• Follow up on nonconformities

 Module 23: Management review

• Preparing a management review

• Conducting a management review

• Management review outputs

• Management review follow-up activities

 Module 24: Treatment of nonconformities

• Root-cause analysis process

• Root-cause analysis tools

• Corrective action procedure

• Preventive action procedure

 Module 25: Continual improvement

• Continual monitoring process

• Maintenance and improvement of the ISMS

• Continual update of the documented information

• Documentation of the improvements

 Module 26: Preparing for the certification audit

• Selecting the certification body

• Preparing for the certification audit

• Stage 1 audit

• Stage 2 audit

• Follow-up audit

• Certification decision

 Module 27: Closing of the training course

• PECB certification scheme

• PECB certification process

• Other PECB services

• Other PECB training courses and certifications