Information security management system internal auditor

(ISO 27001, ISO 19011)

This online course gives you the knowledge and skills needed to conduct an internal audit of an information security management system (ISMS) based on the ISO/IEC 27001:2022 and ISO 19011:2018 standards.

Training participants will learn about the components of an ISMS, including leadership, risk management, the required procedures and information security controls, documented information, performance evaluation, management review and continual improvement. They will also learn the tasks and roles of internal auditors in planning audits, conducting them, reporting on them, and planning and monitoring the follow-up actions taken on the basis of audit results.

Duration

30 hours

Language

English/Ukrainian

Format

100% online

Objectives

  • Understand the principles of the ISMS implementation according to the requirements of ISO/IEC 27001:2022
  • Get a complete understanding of the concepts, approaches, methods and techniques necessary for effective management of the ISMS
  • Gain knowledge in identifying risks and opportunities associated with the ISMS
  • Understand the relationship between the ISMS and compliance with the requirements of various stakeholders of an organization
  • Improve the ability to analyze the internal and external environment of an organization and make decisions in the context of the information security management system
  • Determine which of the 93 information security controls are applicable to your organization
  • Familiarize yourself with all the stages of preparing and conducting an internal audit
  • Gain the necessary knowledge to manage an ISMS audit team

Target audience

  • Internal auditors
  • Project managers and consultants who wish to master the process of auditing an information security management system
  • Heads and specialists of departments responsible for information security
  • Members of the ISMS implementation team at the enterprise
  • Professionals who wish to gain in-depth knowledge of the ISMS
  • Specialists involved in the day-to-day support of the ISMS processes
  • Students of specialized faculties

Document on completion

ISMS internal auditor certificate, listed in the SIC international register

Evaluation scale

60.0-100.0    Complies
0.0-59.9      Does not comply

Thematic plan

Module 1 Information security management systems (ISO/IEC 27001)

Module 2 Internal audit (ISO 19011)

The program is designed for 30 hours, including time for studying theoretical material and taking tests.

Module 1 Information Security Management Systems (ISO 27001)

Number of hours

1 Introduction                                        1,5
2 General provisions of the standard                  2,5
3 Context of the organization                         2
4 Leadership                                          2
5 Planning                                            2,5
6 Support (resources)                                 2,5
7 Operation                                           1
8 Performance evaluation                              3
9 Improvement                                         1
10 Information security controls                      5
Testing                                               1

Module 2 Internal audit (ISO 19011)

Number of hours

2.1 Introduction                                      1
2.2 General provisions of the standard                1,5
2.3 Audit program management (AP)                     5
2.4 Carrying out an audit                             5
2.5 Competence of auditors                            2
Testing                                               1

Module 1. Detailed content

1 Introduction:
– General
– The most popular cyber security threats
– Information security management systems: benefits
– ISMS standards: history
– Changes to the latest edition of ISO/IEC 27001

2 General provisions of the standard:
– Framework of the standard
– Scope
– Terms and definitions

3 Context of the organization:
– Understanding the organization and its context, examples
– Understanding the needs and expectations of interested parties, examples
– Determining the scope of the information security management system
– ISMS and its processes

4 Leadership:
– Leadership and commitment
– Policy, topic-specific IS policies
– Organizational roles, responsibilities and authorities

5 Planning:
– Actions to address risks and opportunities
– Information security objectives
– Planning of changes

6 Support:
– Resources, examples
– Competence
– Awareness
– Communication, examples
– Documented information, list of mandatory documents

7 Operation:
– Operational planning and control
– Information security risk assessment
– Information security risk treatment

8 Performance evaluation:
– Monitoring, measurement, analysis and evaluation
– Internal audit
– Management review

9 Improvement:
– Nonconformity and corrective action
– Continual improvement

10 Information security controls:
– Organizational controls
– People controls
– Physical controls
– Technological controls

Module 2. Detailed content

2.1 Introduction:
– Audit definition
– Classification of audits
– Audit criteria
– History of the standard

2.2 General provisions of the standard:
– Structure of the standard
– Scope of application of the standard
– Terminology
– Principles
– Auditor code of ethics

2.3 Audit program management (AP):
– PDCA
– General provisions
– Diagram of the AP control process
– AP planning
– Identification and assessment of risks and opportunities
– Person in charge of the AP
– Determining the scope of the AP
– AP resources
– AP execution
– Determination of objectives, scope and criteria for a specific audit
– Selection and determination of audit methods
– Selection of audit team members
– AP records management
– AP monitoring
– Reviewing and improving the AP
– Unscheduled audits

2.4 Carrying out an audit:
– Audit initiation
– Preparation for an audit, an example of an Audit Plan
– Distribution of tasks in an audit team
– Preparation of working documents, an example of a Checklist
– Opening meeting
– Exchange of information during an audit
– Collection and verification of information: examples of questions, spot check
– Preparation of an Audit Report
– Preparation of audit conclusions, an example of a Statement of Nonconformities
– Closing meeting
– Preparation and distribution of an Audit Report

2.5 Competence of auditors:
– Competence assessment stages
– Personal qualities
– General knowledge and skills
– General competence of an audit team leader
– Support and improvement of the competence of an auditor