ISO/IEC 27001:2022 Lead Auditor (Information Security Management Systems) Training Course

What is ISO/IEC 27001?

ISO/IEC 27001 is the world's best-known standard for information security management systems (ISMS). It defines the requirements an ISMS must meet.

The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining, and continually improving an information security management system.

Conformity with ISO/IEC 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the company and that this system respects all the best practices and principles enshrined in this International Standard.

Why is ISO/IEC 27001 necessary?

With cybercrime on the rise and new threats constantly emerging, it can seem difficult or even impossible to manage cyber risks. ISO/IEC 27001 helps organizations become risk-aware and proactively identify and address weaknesses.

ISO/IEC 27001 promotes a holistic approach to information security: vetting people, policies, and technology. An information security management system implemented according to this standard is a tool for information security risk management, cyber-resilience, and operational excellence.

This course aims to provide learners with the knowledge and skills required to perform first, second and third-party audits of information security management systems against ISO/IEC 27001 (with ISO/IEC 27002), in accordance with ISO 19011 and ISO/IEC 17021, as applicable.

Learners who successfully complete this CQI (Chartered Quality Institute) and IRCA (International Register of Certificated Auditors) certified training course successfully will satisfy the training requirements for initial certification as an IRCA ISMS auditor. (within the five years prior to making an application to become a certificated auditor) 

Recommended Prior Knowledge

To participate in this training course, the following prior knowledge was expected: 

a) Management systems

    • Understand the Plan-Do-Check-Act (PDCA) cycle
    • The core elements of a management system and the interrelationship between Top-management responsibility, policy, objectives, planning, implementation, measurement, review, and continual improvement.

b) Information security management

Knowledge of the following information security management principles and concepts:

    • awareness of the need for information security;
    • the assignment of responsibility for information security;
    • incorporating management commitment and the interests of stakeholders;
    • enhancing societal values;
    • using the results of risk assessments to determine appropriate controls to reach acceptable levels of risk;
    • incorporating security as an essential element of information networks and systems;
    • the active prevention and detection of information security incidents;
    • ensuring a comprehensive approach to information security management;
    • continual reassessment of information security and the making of modifications as appropriate.

c) ISO/IEC 27001

    • Knowledge of the requirements of ISO/IEC 27001 (with ISO/IEC 27002) and the commonly used information security management terms and definitions, as given in ISO/IEC 27000, which may be gained by completing an IRCA certified ISMS Foundation Training course or equivalent.

Note. You are advised that course examination questions can relate to any requirement of ISO/IEC 27001 family standards and the expected prior knowledge. For delegates who do not have these, we recommend attending our foundation training course. 

Who should attend?

This is intended for those who will be involved in leading audits of an ISMS that conforms to the latest ISO/IEC 27001 in any organization. The suggested job functions and their teams include but are not limited to the following:

    • Information security managers
    • IT and corporate security managers
    • Corporate governance managers
    • Risk and compliance managers
    • Information security consultants

Learning objectives

    • Learn how to explain the purpose and business benefits of an ISMS, of ISMS standards, of management system audit, and third-party certification.
    • Learn how to explain the role of an auditor to plan, conduct, report, and follow up an ISMS audit in accordance with ISO 19011 (and ISO 17021) where appropriate.
    • Learn how to plan, conduct, report, and follow up an audit of an ISMS to establish conformity (or otherwise) with ISO/IEC 27001 (with ISO/IEC 27002) in accordance with ISO 19011 (and ISO 17021 where appropriate)

Course Benefits

    • Your organization will have an internal resource and process to be able to conduct its own audit of its ISMS to assess and improve conformance with ISO/IEC 27001
    • You will gain a professional qualification that certifies that you have the knowledge and skills to be able to lead a team to conduct an audit of an ISMS in any organization.
    • Successful auditing will improve the protection of an organization’s personal data and trade secret to meet market assurance and corporate governance needs.
    • Understand how to identify gaps in an ISMS system.
    • Accurately audits will be able to provide continuous improvement to a management system.
    • Meet training requirements for CQI/IRCA auditor certification. 

Course outline

Day 1, Information security management systems knowledge (ISO 27001)

    • Management system structure (MSS) and process approach (PDCA)
    • Risk-based thinking - Compliance Risk and Opportunities
      • Understanding of the organization, interested parties, and their requirements 
      • Management system scoping 
    • Risk-based thinking - Information Security Risk and Opportunities
      • Information asset management (asset register, asset owner)
      • Information security risk management requirements and process
      • Risk assessment (identify the risk, risk owner, risk analysis, and risk evaluation)
      • Risk treatment (treatment options, Statement of Applicability(SoA), risk treatment plan)
    • Leadership and commitment
      • Top management leadership, management system policy, and objectives
    • Support the management system and a documented management system
    • Management System Operation and Annex A, Information security controls 

Day 2, Guidelines for auditing management systems (ISO 19011 and ISO 17021) - Auditor, audit types, and certification process

    • Management system operation and objectives 
    • Management system performance evaluation 
    • Management system improvement
    • Auditor's Role, responsibility, and Competence
    • Different types of audit and certification processes

Day 3, Guidelines for auditing management systems (ISO 19011) - Audit simulate the process of planning, preparation for an audit

    • Planning an audit (initiate the audit, feasibility analysis)
    • Conduct a Stage 1 audit (document review)
    • Preparation for Stage 2 (on-site) audit - audit plan
    • Preparation of audit work documents includes a checklist and audit trails 

Day 4, Guidelines for auditing management systems (ISO 19011) - Audit simulate the opening meeting, on-site audit activities, and role-play

    • Opening meeting
    • Roleplay for audit scenarios 
    • Practice audit skills in collecting audit evidence
    • Prepare audit findings and results, including conformance and good practice, non-conformity (NC), and opportunity for improvement (OFI) 
    • Prepare audit report 

Day 5, Guidelines for auditing management systems (ISO 19011) - Audit simulate the closing of on-site audit - close meeting and follow-up

    • Audit conclusion 
    • Closing meeting 
    • Audit follow-up
    • Evaluating correction, the corrective action including root cause analysis and audit finding closure
    • Management system certification 
    • Course summary and examination 

What's included?

    • Course material
    • CQI/IRCA course certificate

Organizational information

    • Course information and joint instruction 

Please get in touch with us for more information or support 

Last modified: Tuesday, 23 May 2023, 10:10 AM