ISO 27001 Implementation Training

The Training Program runs for 16 weeks with two half-day sessions each week. The training covers every clause of ISO 27001:2013 in detail, so participants gain a thorough knowledge of the Standard and of how to implement its requirements in their own organization.

Participants earn 2 Certificates:

  • Certified Internal Auditor
  • Certified Management System Specialist

Session Details:

Group Training Session #1 – Intro and Overview

  • 1 Week Case Work

Group Training Session #2 – Operation: Operational Planning and Control, Information Security Risk Assessment, Information Security Risk Treatment, Control Objectives and Controls (Annex A, Table A.1)

  • 1 Week Case Work
  • 2 One-on-One Coaching Sessions

Group Training Session #3 – Planning: Actions to Address Risks and Opportunities, Information Security Risk Assessment, Information Security Risk Treatment, Information Security Objectives and Planning to Meet Them

  • 1 Week Case Work
  • One-on-One Coaching Sessions

Group Training Session #4 – Resources: People, Infrastructure and Work Environment, Competence, Awareness and Communication

  • 1 Week Case Work
  • 1 One-on-One Coaching Session

Group Training Session #5 – Resources (continued): Documented information

  • 1 Week Case Work
  • 1 One-on-One Coaching Session

Group Training Session #6 – Leadership: Commitment, Policy, Organizational Structure

  • 1 Week Case Work
  • One-on-One Coaching Session

Group Training Session #7 – Performance Evaluation – Monitoring, Measurements, Analysis and Evaluation

  • 1 Week Case Work
  • 2 One-on-One Coaching Sessions

Group Training Session #8 – Performance Evaluation – Internal Audits

  • 1 Week Case Work
  • 2 One-on-One Coaching Sessions

Group Training Session #9 – Internal Audits (continued) and Management Review

  • 1 Week Case Work
  • 2 One-on-One Coaching Sessions

Group Training Session #10 – Improvement – Root Cause Analysis and Corrective Action

  • 1 Week Case Work
  • 2 One-on-One Coaching Sessions

Group Training Session #11 – Process Analysis and Improvement

  • 1 Week Case Work
  • 1 One-on-One Coaching Session

Group Training Session #12 – Developing an ‘Information Security’ Culture

  • 1 Week Case Work
  • 1 One-on-One Coaching Session

Group Training Session #13 – Employee Involvement and Reference Control Objectives and Controls (Annex A, Table A.1)

  • 1 Week Case Work
  • 1 One-on-One Coaching Session

Group Training Session #14 – Registration and Audit Readiness

  • 1 Week Case Work
  • 1 One-on-One Coaching Session

Group Training Session #15 – Final Assessment of Implementation – second Management Review Training and Coaching

  • 1 Week Case Work
  • 1 One-on-One Coaching Session

Group Training Session #16 – Preparation for Stage 1 Audit by Accredited Registrar

  • Final Evaluation of Case Work – Certification of Trainees

Total Course Calendar – 16 weeks (this can be modified to meet your requirements, but the content will still be covered)

Module 1 – ISO 27001 Introduction and Overview

  1. Course Overview – participants’ personal objectives and their respective roles
  2. Using the Q & C Information Security Management System and Quality Management System as an Integrated Management System (IMS) as a Tool for Improvement
  3. ISO 27001 Overview – understanding the application of ISMS requirements
  4. Defining Organizational Purpose and Direction [4.1, 4.2, 4.3]
    1. Context
    2. Understanding Stakeholders
    3. Understanding Stakeholder Requirements/Expectations
    4. Defining the Scope of the Management System
    5. Defining the Purpose of your organization from the customer’s point of view relative to Information Security

Case Work

  • Define Processes – workflow overview with IT Security risks identified on the process map
  • Define Scope of the Integrated Management System (IMS)
  • Define Stakeholders and Expectations

Learning Outcomes

  • Clear Understanding of Intent and Direction of ISO 27001
  • Identifying characteristics of the organization’s context
  • Recognition of Various Stakeholders and their Distinct Requirements/Expectations
  • Defined Stakeholders, Requirements and Scope for your Organization
  • What are customers asking for when they contact you? What matters to your clients? Where in the system does ‘demand’ appear? How aware are customers of Information Security issues?
  • Identify how your organization creates value for customers

Module 2 – Operation

  1. Operational Planning [8.1]
    1. Managing processes to ensure information security and meet objectives [8.1]
    2. Managing change [8.1 para 3]
  2. Information Security Risk Assessment [8.2]
    1. Determining a schedule for review of the IS risk matrix (at planned intervals, and whenever significant changes are proposed or occur)
    2. Documenting the reviews
  3. Information Security Risk Treatment [8.3]
    1. Determining risk treatments
    2. Implementing the information security risk treatment plan.
    3. Documenting results of risk treatment
  4. Control Objectives and Controls
    1. Information Security Policies [A.5]
    2. Organization of Information Security [A.6]
    3. Human Resource Security [A.7]
    4. Asset Management [A.8]
    5. Access Control [A.9]
    6. Cryptography [A.10]
    7. Physical and Environmental Security [A.11]
    8. Operations Security [A.12]
    9. Communications Security [A.13]
    10. System Acquisition, Development and Maintenance [A.14]
    11. Supplier Relationships [A.15]
    12. Information Security Incident Management [A.16]
    13. Information Security Aspects of Business Continuity Management [A.17]
    14. Compliance [A.18]

Case Work

  • Identify gaps in operational planning and in how IS risks are currently determined
  • Create appropriate methods to determine IS risks – review methods during this case work
  • Develop risk treatments suitable for the IS risks identified
  • Implement risk treatments and document relevant results

Learning Outcomes

  • Clear understanding of the ISO 27001 clauses and requirements related to ‘Operation’ (8.1 to 8.3)
  • Recognition of the alignment between Quality processes and ISO 27001 requirements
  • Identification of ISO 27001 risk related requirements not currently addressed by your internal audit or risk analysis processes

Module 3 – Risk and Opportunity Management

Risk and Opportunity Management [6.1]

  1. Defining outcomes for the ISMS
  2. Defining methods for identifying risks and opportunities [6.1.1]
  3. Performing an IS risk assessment [6.1.2]
  4. Developing and applying an IS risk treatment process [6.1.3]
  5. Establishing IS objectives [6.2]
  6. Action plan requirements for meeting objectives [6.2]
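The assessment and treatment steps that Module 2 (8.2/8.3) and Module 3 (6.1.2/6.1.3) work through, shown end to end as an added worked example that is not part of the course material. The 5x5 likelihood x consequence scale, the acceptance threshold of 8, the three-entry register and the owners' treatment decisions are all constructed for illustration; only the Annex A control identifiers and names are taken from ISO 27001:2013. The example deliberately leaves one residual risk above the acceptance criteria, because that is the case a risk treatment plan most often gets wrong.

```python
"""Risk assessment and treatment cycle: ISO 27001:2013 6.1.2/6.1.3 (run as 8.2/8.3).

Added example. Scale, threshold, register and decisions are hypothetical;
Annex A identifiers are the 2013 edition's own.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, List, Optional, Tuple

SCALE = range(1, 6)         # assumption: 1 (lowest) .. 5 (highest)
ACCEPTANCE_THRESHOLD = 8    # assumption: a level of 8 or below is acceptable (6.1.2 a) 1))


class Treatment(Enum):
    MODIFY = "modify"   # reduce likelihood and/or consequence with controls
    RETAIN = "retain"   # accept as-is, with the risk owner's sign-off
    AVOID = "avoid"     # stop the activity that creates the risk
    SHARE = "share"     # e.g. insurance or a supplier contract


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    scenario: str
    owner: str                       # risk owner (6.1.2 c) 2))
    likelihood: int
    consequence: int
    treatment: Optional[Treatment] = None
    controls: Tuple[str, ...] = ()   # Annex A ids selected under 6.1.3 b)/c)
    residual_likelihood: Optional[int] = None
    residual_consequence: Optional[int] = None


def risk_level(likelihood: int, consequence: int) -> int:
    """Analyse (6.1.2 d)): level = likelihood x consequence (assumed method)."""
    if likelihood not in SCALE or consequence not in SCALE:
        raise ValueError("likelihood and consequence must be on the 1..5 scale")
    return likelihood * consequence


def inherent_level(risk: Risk) -> int:
    return risk_level(risk.likelihood, risk.consequence)


def residual_level(risk: Risk) -> int:
    """Level after treatment; an untreated risk keeps its inherent level."""
    if risk.residual_likelihood is None or risk.residual_consequence is None:
        return inherent_level(risk)
    return risk_level(risk.residual_likelihood, risk.residual_consequence)


def needs_treatment(level: int) -> bool:
    """Evaluate (6.1.2 e) 1)): compare the level against the acceptance criteria."""
    return level > ACCEPTANCE_THRESHOLD


def prioritise(register: List[Risk]) -> List[Risk]:
    """6.1.2 e) 2): highest inherent level first, ties broken by id."""
    return sorted(register, key=lambda r: (-inherent_level(r), r.risk_id))


def apply_treatment(risk: Risk, treatment: Treatment, controls: Tuple[str, ...] = (),
                    residual: Optional[Tuple[int, int]] = None) -> Risk:
    """6.1.3 a)-c): record the option, the controls and the expected residual.

    Rejects two common register mistakes: 'modify' with no control behind it,
    and a claimed residual that is higher than the inherent risk.
    """
    if treatment is Treatment.MODIFY and not controls:
        raise ValueError(f"{risk.risk_id}: MODIFY needs at least one control")
    rl, rc = residual if residual is not None else (risk.likelihood, risk.consequence)
    if risk_level(rl, rc) > inherent_level(risk):
        raise ValueError(f"{risk.risk_id}: residual level exceeds inherent level")
    return replace(risk, treatment=treatment, controls=tuple(controls),
                   residual_likelihood=rl, residual_consequence=rc)


def unaccepted_residuals(register: List[Risk]) -> List[str]:
    """6.1.3 f): residuals still above the criteria need explicit owner acceptance
    or further treatment before the plan can be approved."""
    return [r.risk_id for r in register if needs_treatment(residual_level(r))]


def treatment_plan(register: List[Risk]) -> List[Dict[str, object]]:
    """6.1.3 e): one row per treated risk, in priority order."""
    return [{"risk_id": r.risk_id, "owner": r.owner, "treatment": r.treatment.value,
             "controls": list(r.controls), "inherent": inherent_level(r),
             "residual": residual_level(r)}
            for r in prioritise(register) if r.treatment is not None]


def statement_of_applicability(register: List[Risk],
                               catalogue: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """6.1.3 d): each catalogue control is justified by a risk or marked not applicable
    (a real SoA also needs a written justification for every exclusion)."""
    soa = {}
    for cid, name in catalogue.items():
        justified_by = sorted(r.risk_id for r in register if cid in r.controls)
        soa[cid] = {"name": name, "applicable": bool(justified_by), "justified_by": justified_by}
    return soa


# Constructed register for a hypothetical organisation.
REGISTER = [
    Risk("R1", "staff laptops", "laptop stolen off-site with unencrypted client data", "IT manager", 3, 4),
    Risk("R2", "customer portal", "SQL injection exposes all customer records", "Head of Engineering", 4, 5),
    Risk("R3", "backup server", "shared backup account used by two operators", "IT manager", 2, 3),
]

# Subset of ISO 27001:2013 Annex A referenced by this register.
ANNEX_A_SUBSET = {
    "A.6.2.1": "Mobile device policy",
    "A.9.4.2": "Secure log-on procedures",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.11.2.6": "Security of equipment and assets off-premises",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.14.2.8": "System security testing",
}

# Risk owners' decisions (constructed). R2's consequence stays at 5 because a
# breach would still expose the data, so its residual 2 x 5 = 10 remains above 8.
DECISIONS = {
    "R1": (Treatment.MODIFY, ("A.6.2.1", "A.10.1.1", "A.11.2.6"), (3, 1)),
    "R2": (Treatment.MODIFY, ("A.12.6.1", "A.14.2.8"), (2, 5)),
}


def run_cycle() -> List[Risk]:
    """One assessment and treatment pass over the constructed register."""
    treated = []
    for r in prioritise(REGISTER):
        if not needs_treatment(inherent_level(r)):
            treated.append(apply_treatment(r, Treatment.RETAIN))  # within criteria
            continue
        treatment, controls, residual = DECISIONS[r.risk_id]
        treated.append(apply_treatment(r, treatment, controls, residual))
    return treated


if __name__ == "__main__":
    cycle = run_cycle()
    for row in treatment_plan(cycle):
        print(row)
    print("needs owner acceptance or further treatment:", unaccepted_residuals(cycle))
    for cid, entry in statement_of_applicability(cycle, ANNEX_A_SUBSET).items():
        print(cid, entry)
```

Running it prints the prioritised treatment plan, flags R2 as still above the acceptance criteria, and produces the SoA rows for the six controls, with A.9.4.2 marked not applicable because no risk in the register selected it. The point the clauses make, and the example enforces, is that a residual above the criteria is not a book-keeping detail: either the owner formally accepts it (6.1.3 f)) or the plan goes back for more treatment.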

Case Work

  • Define Company Risks and opportunities
  • Determine applicable legal and regulatory requirements
  • Set suitable (SMART) goals
  • Create action plans to meet goals

Learning Outcomes

  • Risk Assessment completed
  • Understanding the relationship between Goals, Setting Objectives and Defining Risks
  • Legal requirements identified and method to access them put into place

Module 4 – Support

Resources

  1. Providing competent people [7.1, 7.2]
  2. Awareness [7.3]
  3. Communication – internal and external [7.4]

Case Work

  • Assess current method for providing competent people
  • Determine adequacy of infrastructure
  • Review all aspects of current Work environment

Learning Outcomes

  • Understand the importance of using competent people
  • Understand the current state of the infrastructure
  • Realize the impact that the work environment has on productivity and on information security

Module 5 – Support (continued): Documented Information

  1. General requirements for documentation [7.5.1]
  2. Creating and updating [7.5.2]
  3. Control of documented information [7.5.3]
  4. Alternative forms of documented information for improved understanding and ease of maintenance

Case Work

  • Assess current method for managing documented information
  • Determine adequacy of document and record control
  • Review all aspects of current types of documents and consider alternatives

Learning Outcomes

  • Understand the importance of documented information
  • Understand the current state of documents and records and how they are managed
  • Realize the impact that the efficiency of document management has on operations

Module 6 – Leadership

Leadership’s Role in the Integrated Management System

  1. Commitment to the IMS [5.1]
  2. Communication
  3. Defining the ISMS Policies [5.2]
  4. Identifying where the leadership requirements of ISO 9001 and ISO 27001 differ [5.1]
  5. Organizational structure [5.3]
  6. Leadership’s view of ‘Demand’.
  7. Leadership’s understanding of ‘Failure demand’ and the relevant IS risks

Case Work

  • Define the IS Policy
  • Outline Business Priorities/Goals
  • Define in terms of possible Quality and Information Security Objectives
  • Consider current organizational structure
  • Review current worker participation levels and awareness of IS issues/vulnerabilities

Learning Outcomes

  • Understanding of Leadership’s role in ISO 27001
  • Understanding the relationship between Goals, Setting Objectives and Defining Risks
  • Defined Policy and Objectives relating to your Organizational Goals
  • Requirements related to worker participation are understood among management

Module 7 – Performance Evaluation

Performance Evaluation

  1. Monitoring, Measurement, Analysis and Evaluation [9.1]
  2. Evaluation of Legal and Regulatory Compliance [Annex A, A.18.1] and Technical Compliance Review [Annex A, A.18.2.3]
  3. Updating of Risks/Opportunities

Case Work

  • Review Current measurement and analysis methods
  • Determine (or arrange to have determined) degree of Legal compliance
  • Identify opportunities for improvement of risk management

Learning Outcomes

  • Understanding of the requirements for measurements in the IMS
  • Understanding of the legal and regulatory requirements that apply to the organization’s information security
  • Recognition of options relating to gathering and analyzing performance information
  • Development of tracking tools for process performance as it relates to the IMS performance

Module 8 – Performance Evaluation (continued): Internal Audits

Internal Audits [9.2]

  1. Fundamentals of auditing – planning, performing, reporting and attributes of good auditors (ISO 19011 as reference)
  2. Internal Audit Procedure – understanding of current procedure
  3. Auditing by Process and Auditing by Objectives
  4. Auditing by Risk/Objective/Performance
  5. Interview techniques
  6. Documenting results
  7. Communicating results
  8. Logging reports and results
  9. Audit follow-up activities

Case Work

  • Assess Internal Audit Process for conformance to the requirements of ISO 27001
  • Conduct Internal Audits of each process, including an audit against the ISMS requirements

Learning Outcomes

  • Understanding Internal Auditing based on Risk/Objectives/Performance
  • Revision of Internal Audit Process if required
  • Requirements for Internal Audits and the value of Internal Audits

Module 9 – Performance Evaluation Training continued: Internal Auditing [9.2] and Management Review [9.3]

Internal Audits – continued (continue to apply learning) [9.2]

  1. Coaching and mentoring during continuing audit activities
  2. Coaching of ‘Management Review’ activity and training on evaluation of the effectiveness of the Integrated Management System

Case Work

  • Continue Internal Audit Process until completion
  • Conduct Internal Audits of each process, including an audit of QMS/ISMS requirements
  • Prepare for Management Review to include requirements for both QMS and ISMS

Learning Outcomes

  • Understand Internal Auditing based on Risk/Objectives/Performance
  • Be prepared to perform Management Review for the Integrated System
  • Completed Internal Audits and Management Review [9.2 & 9.3]

Module 10 – Improvement

Opportunities for Improvement [10]

  1. Monitoring and Measurement of ISMS performance [9.1]
  2. Evaluation of Technical Compliance [Annex A, Table A.1, A.18.2.3]
  3. Audits – Internal [9.2] and External (Registrar, customers, regulatory bodies)
  4. Management Review [9.3]

Case Work

  • Review Current methods for identifying opportunities for improvement
  • Identify opportunities for improvement of risk management
  • Development of tracking tools for process performance as it relates to Quality and ISMS if needed

Learning Outcomes

  • Understanding of the requirements for improvement to the effectiveness of the management system
  • Understanding of the requirements for monitoring and measurement of QMS and ISMS factors
  • Recognition of options relating to gathering and analyzing performance information

Module 11 – Process Analysis and Improvement

Identify projects for Improvement Activities

  1. Based on performance evaluation [9.1]
  2. Structured plan (template) for managing an improvement activity
  3. Resources
  4. Personnel
  5. Time line
  6. Success measures

Case Work

  • Identify an area of weakness that could benefit from an improvement project
  • Create the action plan [use the planning requirements of 6.2 as a guide: what, resources, who, when, how evaluated]
  • Prepare to implement the action plan

Learning Outcomes

  • Understand the value of ‘Improvement’
  • Be able to plan an improvement project

Module 12 – Developing an Information Security Culture

Determine the characteristics of an ‘Information Security’ Culture

  1. Assess current awareness/commitment
  2. Review Context [4]
  3. Does the ISMS support an ‘Information Security Culture’?
  4. Have Objectives for control been identified? [Annex A, Table A.1]
  5. Have the controls identified in item 4 been applied? [Annex A, Table A.1]
  6. Is the IS Policy conducive to an ‘Information Security Culture’?
  7. Success measures

Case Work

  • Assess the commitment to information security
  • Determine whether the current IMS supports an ISMS and Quality ‘culture’
  • Prepare recommendations to strengthen the culture, noting the QMS and ISMS conditions that help and those that hinder
  • Determine whether a focus on information security would have any impact on customer focus

Learning Outcomes

  • Understand the meaning of and existence of ‘Culture’
  • Be able to plan a culture awareness campaign with the intention of strengthening the Quality and IS cultures

Module 13 – Employee Involvement

Employee Engagement [5.1 f), h)]

Assess current awareness/commitment of Management with regards to employee engagement

  1. Has an acceptable level of ‘Awareness’ [7.3] been achieved?
  2. Is an acceptable form of ‘Communication’ [7.4] taking place?

Case Work

  • Establish a method to measure the level of Awareness and Communication
  • Create the action plan to improve the levels above [use the planning requirements of 6.2 as a guide]
  • Prepare to implement the action plan

Learning Outcomes

  • Understand how to measure ‘Awareness’ and ‘Communication’
  • Make the link between ‘Competence’, ‘Awareness’ and ‘Communication’
  • Understand how these 3 requirements apply to ‘persons working under the control of the organization’

Module 14 – Registration and Audit Readiness

Preparation Requirements for Registrar visit for Stage 1 Audit

  1. Review of registrar requirements for your organization
  2. Coordination and planning for your external audit

Case Work

  • Prepare all participants for the audit

Learning Outcomes

  • Be able to prepare everyone for the Stage 1 Audit

Module 15 – Final Assessment of Implementation – second Management Review

Complete projects suggested as outputs from the first Management Review [9.3]

  1. Structured plan for managing an improvement activity
  2. Resources
  3. Personnel
  4. Time line
  5. Success measures

Case Work

  • Review commitments made in the first Management Review
  • Identify any further action required
  • Prepare to implement the action plan

Learning Outcomes

  • Understand the cycle of ‘Management Review’ and follow-up
  • Communicate findings from Management Review to appropriate Interested Parties
  • Carry out necessary adjustments and follow-up

Module 16 – Preparation for Stage 1 Audit by Accredited Registrar

Identify requirements for Registrar visit for Stage 1 Audit

  1. Review of registrar requirements for your organization
  2. Coordination and planning for your external audit

Case Work

  • Prepare all participants for the audit

Learning Outcomes

  • Be able to assess how well everyone is prepared for the Stage 1 Audit and close any gaps