Information Security Management
ISO 27001
What Is ISO 27001?
ISO 27001 is the replacement for the original document, BS 7799-2, which was titled “Information security management systems – Specification with guidance for use”; the ISO standard itself is titled “Information technology – Security techniques – Information security management systems – Requirements”. It is intended to provide the foundation for third-party audit and certification, and is ‘harmonized’ with other management system standards, such as ISO 9001 and ISO 14001, so that one management framework and audit approach can serve all of them.
The basic objective of the standard is to help an organization establish and maintain an effective information security management system (ISMS), using a continual improvement approach. It implements the OECD (Organisation for Economic Co-operation and Development) guidelines governing the security of information systems and networks.
The Contents of the Standard
The broad content is of course similar to the old BS 7799-2. Included is:
* A cross reference (Annex A) to the ISO 27002 control objectives and controls
* Use of the PDCA (Plan-Do-Check-Act) model
* Requirements for the Information Security Management System
* Terms and definitions
ISO 27001 Certification
As with BS 7799-2, a robust audit and certification scheme supports the standard. For those previously certified against BS 7799-2, accredited certification bodies have established transitional arrangements. More detail and explanation is available on our certification page.
The ISO 27000 Series
The final version of ISO 27001 was published in October 2005. It should be noted, however, that this was only the first of a series of standards to support information security. Having said this, it may well be the most important, at least from a ‘top down’ perspective, as it defines the information security management system itself.
ISO/IEC 27001:2005 covers all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations). ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization’s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.
ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.
ISO/IEC 27001:2005 is intended to be suitable for several different types of use, including the following:
* use within organizations to formulate security requirements and objectives;
* use within organizations as a way to ensure that security risks are cost-effectively managed;
* use within organizations to ensure compliance with laws and regulations;
* use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
* definition of new information security management processes;
* identification and clarification of existing information security management processes;
* use by the management of organizations to determine the status of information security management activities;
* use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization;
* use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons;
* implementation of business-enabling information security;
* use by organizations to provide relevant information about information security to customers.
(source: International Standards for Business, Government and Society)
Course No.1:
Information Security Manager / Internal Auditor
In accordance with ISO 19011
An expert in the workings of information security management systems, with an emphasis on managerial skills
Information Security Manager is a globally recognized, highly specialized accredited training program. It focuses on problems related to information security, including the complex issues of the ISO 27001 standard. Because this certifiable standard covers not only the security of information and communication technologies, but also the security of personnel, infrastructure, buildings and the physical environment, with all practical aspects from alarm systems through fire protection to access control, the course goes far beyond the topics of information and communications security as such.
Course objectives:
Participants in the “IS Manager” (Information Security Manager) program will become familiar with the complex issues of an ISMS (Information Security Management System), and learn the skills and information necessary for assessing the current state, implementing the ISMS, communicating with auditors and management, and continually improving the ISMS, acting as the interface between the organization’s top management and its operational departments. The manager should be able to promote the company’s objectives with minimal friction across the relationships within the company, organization or corporation. The manager learns to create project teams, and to manage and motivate them. He or she also receives basic knowledge of the legislative framework related to ISMS issues.
* Lecturers at the seminar are specialists in information security, communication, and auditing from the international certification and educational organization CIS – Certification & Information Security Services.
* This course is accredited via the Austrian Federal Ministry of Economy and Labor (BMWA), in cooperation with EA (European co-operation for Accreditation) and IAF (International Accreditation Forum).
* The course is delivered worldwide. The certificate issued to a participant after successful completion of the program is recognized and valid worldwide, as are the certifications provided by CIS – Certification & Information Security Services.
Program content:
* Managerial skills in the area of psychology and communication, and their linking to the ISMS
* Issues and problems of ISO 27001 standard, practical demonstrations, application and examples
* Basic legislative framework, standards and regulations, international and local requirements
* Final test
After successful completion of the final test the participant receives the international certificate “Information Security Manager”. Its validity is extended by attending a brief, targeted update seminar after three years.
Course duration: 4 days
Preliminary entry knowledge: basic knowledge of information technology terminology
Course No.2
Internal Information Security Auditor in accordance with ISO 19011
Become the “highest instance” for information security
Course Objective
To provide guidance and practical experience in planning, executing, and reporting Information Security Management System Audits.
Information security is now recognized as an important business process which, if not managed correctly and efficiently, may impact an organization’s ability to deliver its products and services to its customers. Just as importantly, a lack of security has the potential to affect revenues. The highly specialized skills and practical knowledge needed to assess an organization’s capability in managing all aspects of information security can be learnt.
This innovative two-day course provides a solid foundation in all aspects of the audit process. Stage by stage, delegates are taken through a structured programme that includes a balance of theory and practice, using a combination of workshops and practical exercises, enabling delegates to gain an understanding of the key activities of auditing.
This course for Internal Auditors of IS (Information Security) is an ideal supplement for qualified Information Security Managers. Because the Internal IS Auditor may perform internal audits within the organization, and thus prepare it optimally for the challenges of a global organization or for assessments performed by external auditors, he or she represents the “highest instance” for the information security management system within the organization. The auditor assesses the system for compliance with standards and legislative requirements, detects shortcomings and defines potential improvements. His or her work directly affects the state of the system before certification or during certificate renewal.
Lecturers at the seminar are specialists in information security, communication, and auditing from the international certification and educational organization CIS – Certification & Information Security Services.
The course contains two modules:
* Psychology basics for Information Security Auditor
* IS audit techniques, including practical auditing games
The course ends with a final exam. On successful completion, the participant receives a certificate.
Preliminary entry knowledge: a valid IS Manager certificate; basic knowledge of information technology and relevant terminology
Who should attend?
* The course is aimed at personnel who already have an understanding of ISO/IEC 27001:2005 (delegates who do not have this understanding are recommended to attend the 1-day Introduction Training Course)
* Managers who are co-ordinating audit activities
* Persons who have been given the responsibility to audit an Information Security Management System
* Existing auditors who wish to refresh their skills
Benefits to Your Business
* To have competent auditors within the organization
* To ensure compliance to an international standard for Information Security Management Systems
* Ensure that the organization demonstrates, through internal audit, its ability to provide managed information security that meets customer requirements
* Enable the organization to benchmark the Information Security Management System
Course Structure
* To show how an understanding of ISO/IEC 27001:2005 provides the basis for audits
* Through sessions and exercises, delegates will be able to identify the stages of audits:
o Principles of auditing
o Managing an audit programme
o Audit activities
o Initiating the audit
o Preparing for audit
o Conducting audit
o Finalizing the audit
o Audit follow-up
Course duration: 3 days
Course No.3
ISO 27001 Lead Auditor. In accordance with ISO 19011
Course Description
Auditing is crucial to the success of any management system. As a result, it carries with it heavy responsibilities, tough challenges and complex problems. This five-day intensive course prepares delegates for the qualification process for ISO 27001:2005 and trains them on how to conduct audits for certification bodies. It also empowers them to give practical help and information to those who are working towards compliance and certification.
Who should attend?
* Those wishing to implement a formal Information Security Management System (ISMS) in accordance with ISO 27001:2005.
* Existing security auditors who wish to expand their auditing skills
* Consultants who wish to provide advice on ISO 27001:2005 systems certification
* IT and Quality Professionals.
Benefits to Your Business
Effective auditing is the primary means of verifying that the measures you put in place to protect your organization and your customers are properly managed and achieve the desired result.
Course Structure
A combination of tutorials, syndicate exercises and role-play, including the following topics:
* Information security
* The importance of information security
* ISO 27001:2005
* Reviewing security threats and vulnerabilities
* Management of security risks
* Selecting security controls
* How to build an Information Security Management System (ISMS)
* ISO 27001:2005 auditing techniques
* Managing and leading an ISO 27001:2005 audit team
* Interview techniques
* Audit reporting
* Examination to prove competency
Internal training (in-house training) & an effective solution to the individual needs of your company
The most effective way to gain a qualification is training directly within your company, among your colleagues and superiors, based on examples from your own work area. For this reason we also offer the IS Manager and Internal IS Auditor courses as an in-house variant, where you can order the whole course or separate modules.
Besides its standard offer, CIS provides training based on individual agreement, focusing on special topics related to information security.
Internal training is cost-effective and efficient, mainly for larger organizations. It is also guaranteed that the company’s know-how does not leave the company.
One of the main benefits of internal training is its customization: the content is configured to meet individual requirements, and during the training it is possible to focus on specific issues within the company.
Our lecturers work in the field of information security and thus combine expert theoretical knowledge with skills continually developed from experience. This way they can provide valuable guidance not only for specific situations, but also for the information security management system as a whole.
Our goal is to pass on to you new and required knowledge that can be applied directly in your work!