ISO/IEC 27001:2013 Extension to ISO/IEC 27701:2019 Lead Auditor (PIMS, Privacy Information Management System) Training Course

Through management system audit and certification, an organization can demonstrate its ability to comply with legal requirements (e.g. EU GDPR, DPA, IPRs), legislation and standards (e.g. ISO, IEC, IEEE), contractual obligations (e.g. trade secrets, IP), and its own policies and procedures.

It also demonstrates the competence to plan, operate and continually improve the management system so that it controls its risks and achieves its expected outcomes.


Successful completion of this course is a prerequisite for becoming an ISMS/PIMS Auditor.

To participate in this training course, the following prior knowledge is expected:

a) Management systems

  • Understanding of the Plan-Do-Check-Act (PDCA) cycle
  • The core elements of a management system and the interrelationship between top management responsibility, policy, objectives, planning, implementation, measurement, review, and continual improvement

b) Information security and privacy management

Knowledge of the following information security management principles and concepts:

  • awareness of the need for information security;
  • the assignment of responsibility for information security;
  • incorporating management commitment and the interests of stakeholders;
  • enhancing societal values;
  • using the results of risk assessments to determine appropriate controls to reach acceptable levels of risk;
  • incorporating security as an essential element of information networks and systems;
  • the active prevention and detection of information security incidents;
  • ensuring a comprehensive approach to information security management;
  • continual reassessment of information security and making of modifications as appropriate;
  • awareness of common examples of relevant national and local data protection legislation and requirements.

c) ISO/IEC 27001

  • Knowledge of the requirements of ISO/IEC 27001 (with ISO/IEC 27002) and the commonly used information security management terms and definitions, as given in ISO/IEC 27000, which may be gained by completing an ISMS Foundation Training course or equivalent.

Note. Course examination questions can relate to any requirement of ISO/IEC 27001 and to the expected prior knowledge. Delegates who do not have this knowledge are recommended to attend our foundation training course first.

Who should attend?

This course is intended for those who will lead audits of an ISMS and PIMS that conform to the latest ISO/IEC 27001 and ISO/IEC 27701 in any organization. Suggested job functions and their teams include, but are not limited to, the following:

  • Information security managers and data protection officers, data protection team
  • IT and corporate security managers, data protection representative
  • Corporate governance managers
  • Risk and compliance managers
  • Information security and privacy consultants

Learning objectives

  • Learn how to explain the purpose and business benefits of an ISMS and PIMS, of ISMS and PIMS standards, of management system audit and of third-party certification
  • Learn how to explain the role of an auditor in planning, conducting, reporting, and following up an ISMS and PIMS audit in accordance with ISO 19011 (and ISO 17021 and ISO 27006 where appropriate)
  • Learn how to plan, conduct, report and follow up an audit of an ISMS and PIMS to establish conformity (or otherwise) with ISO/IEC 27001 (with ISO/IEC 27002 and ISO/IEC 27701) in accordance with ISO 19011 (and ISO 17021 and ISO 27006 where appropriate)

Course benefits

  • Your organization will have an internal resource and process to be able to conduct its own audit of its ISMS and PIMS to assess and improve conformance with ISO/IEC 27001 and ISO/IEC 27701
  • You will gain a professional qualification that certifies that you have the knowledge and skills to be able to lead a team to conduct an audit of an ISMS and PIMS in any organization
  • Successful auditing will improve the protection of an organization's personal data and trade secrets to meet market assurance and corporate governance needs
  • Understand how to identify gaps in an ISMS and PIMS
  • Accurate auditing provides continual improvement to a management system
  • Meet the minimum training requirements for auditor certification

Course outline

Day 1, Information security and privacy management systems knowledge (ISO 27001, ISO 27701)

  • Management system structure (MSS) and process approach (PDCA)
  • Understanding the organization's compliance risk
    • Understanding the organization, its interested parties, and their requirements
    • Management system scoping
  • Leadership and commitment
    • Top management leadership, management system policy and objectives
    • Support for the management system and management system documentation
    • Personal data controllers and processors
  • Compliance risk management and objectives
    • Information asset and personal data management (asset register, asset owner)
    • Information security and privacy risk management requirements and process
    • Risk assessment (identify the risk, risk owner, risk analysis and risk evaluation)
    • Risk treatment (treatment options, Statement of Applicability (SoA), risk treatment plan)
    • Privacy information management controls
  • Information security control objectives and controls (ISO/IEC 27001, Annex A)

Day 2, Information security management (ISO/IEC 27002), Privacy information management (ISO/IEC 27701), Guidelines for auditing management systems (ISO 19011 and ISO 17021, ISO/IEC 27006)

  • Information security controls extended for personal data protection
    • Personal data controller specific controls (ISO/IEC 27701, Annex A)
    • Personal data processor specific controls (ISO/IEC 27701, Annex B)
  • Management system operation and personal data processing
  • Management system performance evaluation and improvement processes
  • Auditor's role, responsibility, and competence
  • Different types of audit and certification process

Day 3, Guidelines for auditing management systems (ISO 19011) - audit simulation: planning and preparation for an audit

  • Roles and responsibilities in an audit
  • Management system performance evaluation and continual improvement requirements
  • Different types of audit
  • Audit programme and purpose
  • Planning an audit (initiate the audit, feasibility analysis)
  • Conduct a Stage 1 audit (document review)
  • Preparation for the Stage 2 (on-site) audit - audit plan
  • Preparation of audit work documents, including checklists and audit trails

Day 4, Guidelines for auditing management systems (ISO 19011) - audit simulation: the opening meeting, on-site audit activities, and role-play

  • Opening meeting
  • Role-play of audit scenarios
  • Practice the audit skills of collecting audit evidence
  • Prepare audit findings and results, including conformity, non-conformity (NC), and opportunity for improvement (OFI)
  • Prepare the audit report

Day 5, Guidelines for auditing management systems (ISO 19011) - audit simulation: closing the on-site audit - closing meeting and follow-up

  • Audit conclusions
  • Closing meeting
  • Audit follow-up
  • Evaluating correction and corrective action, including root cause analysis and audit finding closure
  • Management system certification
  • Course summary and examination

What's included?

  • Course material
  • Auditor course examination
  • Course certificate

Organizational information

Please contact us for more information or support.

Last modified: Tuesday, 8 November 2022, 6:29 AM