This course gives participants the skills to master the basic elements of information security risk management, using ISO/IEC 27005 as a framework. Through practical exercises and case studies, participants acquire the skills and competencies needed to perform an effective information security risk assessment and to manage risks over time by understanding their lifecycle. This training fits naturally into the ISO/IEC 27001 implementation process.
If you would like to take this course by distance learning, click on the “Distance learning” button to find out more about the program.
Course overview
- Understand the concepts, approaches, methods and techniques for effective risk management in ISO 27005
- Interpret the risk management requirements of ISO 27001 to understand the relationship between an information security management system, security measures, and compliance with the requirements of an organization’s various stakeholders
- Acquire the skills to implement, maintain and manage an ongoing information security risk management program
- Acquire the skills to effectively advise an organization on best practices in information security risk management
Course Curriculum
Day 1: Introduction, risk management program, risk identification and analysis according to ISO 27005
- Concepts and definitions related to risk management
- Risk management standards, frameworks and methodologies
- Implementation of a risk management program in information security
- Risk analysis (identification and estimation)
Day 2: Risk assessment, treatment, acceptance according to ISO 27005
- Risk Assessment
- Risk treatment
- Risk acceptance in information security and residual risk management
Day 3: Cross-functional risk management and other methodologies
- Risk Communication in Information Security
- Risk monitoring and control in information security
- Overview of existing methodologies (including EBIOS)
- Assessment and review
Method of Assessment
The “PECB Certified ISO/IEC 27005 Risk Manager” exam is held on the 3rd day of training and lasts 2 hours. The exam covers the following areas:
- Domain 1: Fundamental principles and concepts, methods and techniques of risk management
- Domain 2: Implementation of a risk management program
- Domain 3: Risk analysis in information security according to ISO 27005
Training benefits
This training is based on alternating theoretical and practical sessions:
- Lectures illustrated with examples from real cases
- Classroom exercises to help prepare for the exam
- Practical tests similar to the certification exam
- To ensure the practical exercises run properly, the number of participants per training session is limited.
Who should attend?
- Risk Managers
- Individuals responsible for information security or compliance within an organization
- Members of an information security team
- Information technology consultants
- Personnel implementing or seeking compliance with ISO 27001 or participating in a risk management program
Entry Requirements
- General knowledge of information systems
- General knowledge of information systems security
- General knowledge of risk management
How and when to access
The participant is considered registered when:
- The prerequisites and needs are identified and validated
- The training agreement is signed
Registration requests can be sent up to 10 working days before the start of the training.
Accessibility
Whether you are recognized as having a disability or not, making our training accessible to everyone is part of our commitment.
If you need accommodations or adaptations to the content, the teaching materials, the venue, the equipment used, the schedule or the pace, we are at your disposal.
To go further
This training course is a preparation for the following training course:
Duration
3 days (19h)
Price
€2,300
Meal
Breakfast & lunch included
Financing
OPCO support
Distance learning program
Course overview
- Understand the concepts, approaches, methods and techniques for effective risk management in ISO 27005
- Interpret the risk management requirements of ISO 27001 to understand the relationship between an information security management system, security measures, and compliance with the requirements of an organization’s various stakeholders
- Acquire the skills to implement, maintain and manage an ongoing information security risk management program
- Acquire the skills to effectively advise an organization on best practices in information security risk management
Course Curriculum
Session 1
Section 1: Training objectives and structure
- Training objectives
- Exam and certification
Section 2: Standards and regulations
- The ISO model
- The standards framework
- ISO 27005 risk management framework
- Other information security standards
- ISO 31000 and IEC 31010
- Exercise 1: Myths and realities – Risk management
- Getting ready
Session 2
Section 3: Risk concepts and definitions
- Risk concepts and definitions
- Information security
- Information security risks
- Principles and benefits of risk management
- Exercise 2: Risk management
Section 4: Risk management program
- Leadership and commitment
- Risk management responsibilities
- Accountability measures
- Risk management policies and processes
- Risk assessment methodology
- Risk assessment activity planning
- Provision of resources
- Exercise 3: Resources
Session 3
Section 5: Setting the context
- Understanding the organization and its context
- Establishing the internal and external context
- Identification and analysis of stakeholders
- Determination of objectives
- Determination of basic criteria
- Determination of scope and limits
- Exercise 4: Setting the context
Session 4: Risk assessment
Section 6: Risk identification
- Information gathering techniques
- Identification of primary and supporting assets
- Exercise 5: Asset identification
- Identification of threats
- Identification of existing security measures
- Identification of vulnerabilities and consequences
- Threats, vulnerabilities and security measures
- Consequences
- Exercise 6: Identifying threats, vulnerabilities and impact
Section 7: Risk analysis
- Risk analysis methodology
- Assessment of consequences
- Assessing the likelihood of an incident
- Estimation of risk level
- Exercise 7: Information asset risk worksheet
Session 5
Section 8: Risk assessment
- Assessment of risk levels based on evaluation criteria
- Example of a risk assessment
Section 9: Risk assessment using a quantitative method
- ROSI (return on security investment) concept
- Calculation of estimated annual loss
- Calculation of the value of a security measure
- Exercise 8: Quantitative risk assessment
Section 10: Risk treatment
- Risk treatment process
- Risk treatment options
- Risk treatment plan
- Residual risk assessment
Session 6
Section 11: Acceptance of information security risks
- Acceptance of the risk treatment plan
- Acceptance of residual risk
- Exercise 9: Risk treatment options
Section 12: Communication and consultation on information security risks
- Risk communication objectives
- Risk communication plan
- Internal and external communication
- Decision recording and communication
- Exercise 10: Risk communication
Session 7
Section 13: Information security risk monitoring and review
Section 14: OCTAVE method
Section 15: MEHARI method
Section 16: EBIOS method
Section 17: Harmonized threat and risk assessment (TRA) method
Section 18: Certification process and end of training course
Session 8
- Revisions
Indicative schedule
- 14 hours of lessons with the trainer, divided into 8 sessions of 1h30 to 2h00 (including a revision session for the exam):
- 4 sessions of 1h30
- 4 sessions of 2h00
Method of Assessment
The “PECB Certified ISO/IEC 27005 Risk Manager” exam is held in a time slot chosen by the candidate from several proposals, within a maximum of one year after training; it lasts 2 hours and is composed of single-choice questions. The exam covers the following areas of competence:
- Domain 1: Fundamental principles and concepts of information security risk management
- Domain 2: Implementation of an information security risk management program
- Domain 3: Information security risk management framework and processes based on ISO/IEC 27005
- Domain 4: Other information security risk assessment methods
The benefits of distance learning
- Training by a cybersecurity expert
- An intuitive, easy-to-use platform
- Exchanges on key concepts and experience sharing adapted to the learners’ context
- The structure of the questionnaires is similar to that of the certification exam
Who should attend?
- Risk Managers
- Individuals responsible for information security or compliance within an organization
- Members of an information security team
- Information technology consultants
- Personnel implementing or seeking compliance with ISO 27001 or participating in a risk management program
Entry Requirements
- General knowledge of information systems
- General knowledge of information systems security
- General knowledge of risk management
How and when to access
The participant is considered registered when:
- The prerequisites and needs are identified and validated
- The training agreement is signed
Registration requests can be sent up to 10 working days before the start of the training.
Accessibility
Whether you are recognized as having a disability or not, making our training accessible to everyone is part of our commitment.
If you need accommodations or adaptations to the content, the teaching materials, the venue, the equipment used, the schedule or the pace, we are at your disposal.
To go further
This training course is a preparation for the following training course:
- EBIOS Risk Manager certification
Duration
21 hours
Price
€1,950 excl. tax
Financing
OPCO support