Iso/Iec 27001 Lead Auditor For Information Security
Published 1/2025
MP4 | Video: h264, 1920x1080 | Audio: AAC, 44.1 KHz
Language: English | Size: 11.04 GB | Duration: 12h 15m
Advance your information security career by mastering ISMS auditing to ISO/IEC 27001:2022
What you'll learn
Management system auditing principles and basics
Requirements of ISO/IEC 27001 from the auditor's perspective
Assessing the information security controls from ISO/IEC 27001
Formulating findings and conclusions for the ISMS audit
Requirements
Familiarity with the framework for information security management proposed by ISO/IEC 27001 is useful but not mandatory
Description
This course will help you master Information Security Management System (ISMS) auditing and the requirements of ISO/IEC 27001:2022, equipping you with essential skills to advance your career in the rapidly growing field of information security. Compliance with international standards such as ISO/IEC 27001 is now a critical requirement for organizations across industries, including finance, engineering, IT, transportation, professional services and manufacturing. Professionals skilled in assessing compliance and in guiding organizations to strengthen their information security are in high demand. By enrolling in this online course, you will gain a solid understanding of auditing fundamentals, the specific requirements of ISO/IEC 27001, the standard's proposed security controls, and how to evaluate compliance during an ISMS audit.

The first part of the course introduces the foundational concepts of information security management systems. You will explore what an ISMS is, the standards within the ISO/IEC 27000 series, and the purpose and structure of ISO/IEC 27001:2022.

Next, the course provides a comprehensive overview of management system auditing basics. You will learn about the core principles auditors must adhere to, effective methods for collecting audit evidence, and critical documents such as the audit programme, audit plan, and audit report. This section also covers remote auditing, how to analyze audit findings and conclusions, the differences between lead auditors and auditors, and the differences between internal and external audits.

The subsequent section focuses on auditing the management system requirements of ISO/IEC 27001. Key topics include auditing the information security risk assessment, assessing the scope of the ISMS, reviewing the information security policy and objectives, evaluating the management reviews and the internal audits of the ISMS, auditing the statement of applicability and the risk treatment plan, and reviewing how the organization manages nonconformities. Each topic is analyzed from an auditor's perspective, emphasizing the critical areas to evaluate during compliance assessments.

The following four sections of the course address the main themes of information security controls as outlined in ISO/IEC 27001:2022:
Organizational Controls, such as policies, supplier relationships, incident management, privacy and protection of personally identifiable information, access control, threat intelligence, information classification and labelling, and the inventory of information and assets.
People Controls, including screening, disciplinary process, information security education and training, and confidentiality and non-disclosure agreements.
Physical Controls, focusing on securing the infrastructure, protecting against natural and environmental threats, cabling security, protecting assets off-premises, and managing storage media throughout its life cycle.
Technological Controls, covering topics such as cryptography, malware protection, network security, secure development, capacity management, backups, information deletion, data masking, vulnerability management and system redundancy.

This course also provides suggestions for assessing, during the ISMS audit, challenges such as those posed by remote working or by the use of personal devices for work purposes (BYOD). You will gain actionable insights into how auditors can evaluate compliance with these controls effectively.

The final section of the course focuses on closing the ISMS audit, covering how to formulate the audit's findings and conclusions, how to conduct the closing meeting, and how to plan the necessary post-audit activities.

This course provides a complete and detailed exploration of ISO/IEC 27001 requirements, with inputs from related standards such as ISO/IEC 27002, ISO/IEC 27005, and ISO/IEC 27035. It combines theoretical knowledge with practical examples, offering auditors valuable guidance on where to focus to gather meaningful evidence. Whether you are a professional aiming to advance your career as an ISMS auditor or preparing for an upcoming audit, this course offers a structured and comprehensive approach to mastering ISO/IEC 27001:2022 ISMS auditing.
Overview
Section 1: Introduction
Lecture 1 Introduction
Lecture 2 What is an ISMS (Information Security Management System)?
Lecture 3 The ISO/IEC 27000 series of standards
Lecture 4 About ISO/IEC 27001:2022
Lecture 5 Certification to ISO/IEC 27001
Section 2: Generic aspects about management system auditing
Lecture 6 What is a management system audit?
Lecture 7 Principles of management system auditing
Lecture 8 What is an audit programme?
Lecture 9 Preparing for an audit
Lecture 10 The audit team
Lecture 11 Lead auditor vs. Auditor
Lecture 12 The audit plan
Lecture 13 Conducting an audit
Lecture 14 Collecting and recording evidence
Lecture 15 Remote auditing
Lecture 16 Audit findings and conclusions
Lecture 17 The audit report and post-audit activities
Section 3: Auditing the management system requirements in ISO/IEC 27001:2022
Lecture 18 Strategy for auditing an ISMS
Lecture 19 Audit and documented information
Lecture 20 Auditing top management
Lecture 21 Context of the organization
Lecture 22 The scope of the ISMS
Lecture 23 Leadership and commitment
Lecture 24 The information security policy
Lecture 25 Organizational roles, responsibilities and authorities
Lecture 26 Addressing risks and opportunities
Lecture 27 The information security risk assessment
Lecture 28 Information security risk treatment
Lecture 29 The Statement of Applicability (SoA)
Lecture 30 Information security objectives and planning to achieve them
Lecture 31 Planning of changes
Lecture 32 Resources
Lecture 33 Competence and awareness
Lecture 34 Communication
Lecture 35 The ISMS documented information
Lecture 36 Operational planning and control
Lecture 37 Monitoring, measurement, analysis and evaluation
Lecture 38 Internal audit
Lecture 39 Management review
Lecture 40 Continual improvement
Lecture 41 Management of nonconformities
Lecture 42 Recapitulation - Management system requirements of ISO/IEC 27001:2022
Section 4: Organizational controls
Lecture 43 Considerations about the organizational controls
Lecture 44 Policies and procedures for information security
Lecture 45 Information security roles and responsibilities
Lecture 46 Segregation of duties
Lecture 47 Contact with authorities and with special interest groups
Lecture 48 Threat intelligence
Lecture 49 Information security in project management
Lecture 50 Inventory of information and associated assets
Lecture 51 Acceptable use of information and assets. Return of assets
Lecture 52 Classification and labelling of information
Lecture 53 Information transfer
Lecture 54 Access control and access rights
Lecture 55 Identity management
Lecture 56 Authentication information
Lecture 57 Information security in supplier relationships and agreements
Lecture 58 Information security in the ICT supply chain
Lecture 59 Information security for use of cloud services
Lecture 60 Information security incident management
Lecture 61 Information security aspects of business continuity
Lecture 62 Compliance with legal, statutory and regulatory requirements
Lecture 63 Privacy and protection of PII
Lecture 64 Independent review of information security. Compliance with policies and rules
Lecture 65 Recapitulation - Organizational controls
Section 5: People controls
Lecture 66 Considerations about the people controls
Lecture 67 Screening
Lecture 68 Terms & conditions of employment. Confidentiality and non-disclosure agreements
Lecture 69 Information security awareness, education and training
Lecture 70 Disciplinary process
Lecture 71 Responsibilities after termination or change of employment
Lecture 72 Remote working
Lecture 73 Information security event reporting
Lecture 74 Recapitulation - People controls
Section 6: Physical controls
Lecture 75 Considerations about the physical controls
Lecture 76 Security perimeters. Physical entry. Securing rooms and facilities
Lecture 77 Physical security monitoring
Lecture 78 Protection against physical and environmental threats
Lecture 79 Work in secure areas
Lecture 80 Clear desk and clear screen
Lecture 81 Equipment siting, protection and maintenance
Lecture 82 Security of assets off-premises
Lecture 83 Storage media
Lecture 84 Supporting utilities
Lecture 85 Cabling security
Lecture 86 Secure disposal and re-use of equipment
Lecture 87 Recapitulation - Physical controls
Section 7: Technological controls
Lecture 88 Considerations about the technological controls
Lecture 89 User end-point devices
Lecture 90 Privileged access rights
Lecture 91 Information access restriction. Access to source code
Lecture 92 Secure authentication
Lecture 93 Capacity management
Lecture 94 Protection against malware
Lecture 95 Management of technical vulnerabilities
Lecture 96 Configuration management
Lecture 97 Information deletion
Lecture 98 Data masking
Lecture 99 Data leakage prevention
Lecture 100 Information backup
Lecture 101 Redundancy of information processing facilities
Lecture 102 Logging, monitoring and clock synchronization
Lecture 103 Use of privileged utility programs
Lecture 104 Installation of software on operational systems
Lecture 105 Security of networks and network services
Lecture 106 Web filtering
Lecture 107 Use of cryptography
Lecture 108 Secure development lifecycle
Lecture 109 Application security requirements
Lecture 110 Secure system architecture and engineering principles
Lecture 111 Secure coding
Lecture 112 Security testing. Test information
Lecture 113 Separation of development, test and production environments
Lecture 114 Outsourced development
Lecture 115 Change management
Lecture 116 Protection of information systems during audit testing
Lecture 117 Recapitulation - Technological controls
Section 8: Closing the ISMS audit
Lecture 118 Closing the ISMS audit
Lecture 119 Some final considerations
Lecture 120 Thank you and goodbye
Who this course is for
Information security professionals
Aspiring ISMS auditors
IT Managers and System Administrators
Consultants and Advisors
Candidates for ISO/IEC 27001 Auditor exams
Organizational Leaders and Decision-Makers
Students or Recent Graduates in IT or Security Fields
ISO specialists and enthusiasts