
An introduction to the course with an overview of the structure and important aspects for a pleasant viewing experience
What represents an Information Security Management System (ISMS). Definition and details
About the standards in the ISO/IEC 27000 series. What they refer to and how they can be used by an organization implementing an ISMS
About the purpose, structure and history of ISO/IEC 27001, the reference standard for information security management
About the certification process to ISO/IEC 27001 for both organizations and individuals. A short description of the certification process
What is an audit? What are the audit objectives, scope and criteria? Internal vs external audits
About the seven principles of management system auditing according to ISO 19011
What represents an audit programme? What is the purpose and the content of the audit programme?
How to prepare for a management system audit? Why preparation is important and what it should include.
Details about the composition of an audit team. Who appoints the audit team and what important aspects should be considered in the appointment
What is the difference between a lead auditor and an auditor?
What is the purpose of an audit plan and what elements must be part of any audit plan
About the opening meeting for an audit. What is the process for the on-site audit and how auditors collect information. Guidelines for the closing meeting
How do auditors collect and record information? What is considered audit evidence?
Guidelines for remote audits. Benefits and downsides of conducting audits remotely
Definitions and considerations about audit findings and conclusions. What is the difference between nonconformities and opportunities for improvement
Generic information about the audit report. What it should include and who is responsible for its elaboration. About post-audit activities and how they can be conducted
The strategy proposed for auditing the information security management system. How the requirements in the standard will be audited
What represents documented information and why documented information is key for an auditor
Guidelines for auditing top management during an ISMS audit. Preparation and advice for interviewing top management
Guidelines for auditing context identification, including internal and external issues and stakeholders and their needs and expectations
Suggestions for auditing the scope of the ISMS. Which are the requirements for the scope and how the auditor can evaluate compliance
About auditing the requirements for leadership and commitment from ISO/IEC 27001. How the auditor can evaluate compliance with the requirements for leadership and commitment
Suggestions for how to audit the information security policy. What is the policy expected to include and how it should be implemented
About auditing the requirements of ISO/IEC 27001 for establishing and communicating roles, responsibilities and authorities relevant for information security
How to assess compliance with the requirements of ISO/IEC 27001 about risks and opportunities relevant for the ISMS
Suggestions for auditing the information security risk assessment. What the organization should implement and how to assess compliance
About auditing the information security risk treatment process of an organization. Which are the options available for treating a risk
About the Statement of Applicability (SoA). What it should include and how to audit compliance with the requirements of ISO/IEC 27001:2022 about the SoA
Suggestions for auditing compliance with the requirements of ISO/IEC 27001 on the information security objectives and the plans of the organization for their achievement
Auditing the change management process of the organization relevant for the ISMS
About auditing the requirements of ISO/IEC 27001 for the availability of resources relevant for the ISMS
Guidelines for auditing compliance with the requirements about competence and awareness
About the internal and external communication processes and auditing compliance with the requirements of ISO/IEC 27001 for communication
About the documented information of the ISMS, what it should include and how to assess the effectiveness of the controls implemented for documented information
Auditing the requirements of ISO/IEC 27001 for controlling the operational processes of the ISMS, including outsourced processes and both planned and unintended changes
About KPIs, monitoring and measuring information security performance and the effectiveness of the ISMS, and evaluating compliance with the requirements of the standard
What the auditor should look for when evaluating compliance with the requirements of ISO/IEC 27001 about the internal audit of the ISMS
The management review process and how to evaluate the process through which top management periodically reviews the ISMS for its continuing suitability, adequacy and effectiveness
About the continual improvement of the ISMS and how to audit compliance with the requirements of ISO/IEC 27001 for improvement
About the process for managing nonconformities and how to evaluate compliance with the requirements for identifying and addressing nonconformities and their root causes
A recapitulation of the management system requirements in ISO/IEC 27001 and the key points that auditors should look for during the ISMS audit
Generic aspects about the organizational controls - what they focus on and what could be the approach to their assessment during the ISMS audit
About topic-specific policies for information security, about procedures and what the auditor should look for when assessing these during the ISMS audit
Suggestions for assessing the allocation and communication of information security responsibilities
About the principle of segregation of duties and its implementation. How to assess the segregation of duties during an ISMS audit to ISO/IEC 27001
Assessing the controls that require maintaining contact with information security authorities and relevant interest groups (forums, associations, etc.).
Guidelines for assessing the mechanisms used by an organization to collect and analyze information about security threats
Assessing the integration of information security into project management, regardless of the types of projects
Guidelines for assessing compliance with the requirements of ISO/IEC 27001 for the inventory of information and assets
Suggestions for evaluating compliance with the controls that refer to the acceptable use and return of assets, during an ISMS audit to ISO/IEC 27001:2022
Guidelines for assessing compliance with the requirements on the classification and labelling of information
How auditors can evaluate the security of the processes for transferring information through electronic means, in physical form and verbally
Guidelines for assessing compliance with the requirements for access controls and the provisioning and management of access rights
About managing the full life cycle of identities and how auditors can evaluate compliance with the requirements of ISO/IEC 27001 for identity management
How to assess compliance with the requirements of ISO/IEC 27001 about the protection of authentication information and the password management system
Suggestions for assessing the controls that relate to information security in supplier relationships and contracts
Auditing the security measures relevant for the ICT supply chain
Guidelines for assessing compliance with the requirements for the security of cloud services including the acquisition, management or exit from cloud services
About the process for managing information security incidents and how to assess compliance with the requirements of ISO/IEC 27001 that refer to incidents
Suggestions for assessing the controls about business continuity and how information security is integrated into business continuity
About addressing the issue of legal and regulatory compliance during an ISMS audit to ISO/IEC 27001. Examples of regulatory issues that auditors should consider
Addressing the issue of compliance with privacy matters during an ISMS audit to ISO/IEC 27001
Guidelines for auditing the requirements of ISO/IEC 27001 that refer to the reviews of information security and compliance with policies and rules
A recapitulation of the organizational controls and the key aspects that auditors should follow when assessing this category of controls during the ISMS audit
Generic aspects about the people controls - what they refer to and what their assessment will be focused on
Guidelines for assessing compliance with the requirements of ISO/IEC 27001 for background checks on candidates to become employees
Suggestions on auditing the requirements about terms and conditions for employment, including confidentiality and non-disclosure requirements
About the requirements of ISO/IEC 27001 for training, education and awareness for information security and how compliance with these requirements can be assessed during an ISMS audit
Suggestions for auditing the disciplinary process applied in cases of violations of the information security policy
About the responsibilities that remain valid after an employment or contract is terminated or changed and how compliance with these requirements can be assessed during an ISMS audit
About the security measures implemented when employees work from locations outside the organization's control and how to assess the effectiveness of these measures during an ISMS audit
Guidelines for auditing the mechanisms of the organization for reporting information security events
Recapitulation of the people controls in ISO/IEC 27001:2022, including key aspects for auditors to focus on during the ISMS audit
Generic information about the physical controls in ISO/IEC 27001:2022, what they address and how auditors should approach their assessment
Guidelines for auditing the requirements for defining physical security perimeters, protecting entries and securing offices, rooms and facilities
Guidelines for assessing the solutions used to monitor physical security, prevent and detect unauthorized access
Suggestions on how auditors could approach the assessment of the control regarding natural disasters and man-made threats to infrastructure
About secure areas, what they represent, what controls should be applied in secure areas and how to assess compliance with the standard during an ISMS audit
About the clear screen and clear desk rules required by ISO/IEC 27001 and how auditors can assess compliance with requirements
Guidelines for assessing the protection measures for equipment, including its preventive and corrective maintenance.
How an organization can protect assets taken outside its premises and how to evaluate compliance with the standard's requirements. This control also addresses the security of equipment intended to operate off-premises
About storage media and the need to protect it throughout its entire life cycle. How to assess compliance with the requirements of ISO/IEC 27001 as part of the ISMS audit
About utilities and their critical importance for maintaining availability. How can auditors evaluate compliance with this control during an ISMS audit
Suggestions for auditing the security measures for telecommunications and power cables during an ISMS audit
Suggestions for assessing compliance with the control regarding the disposal and reuse of equipment and how the organization prevents sensitive information being leaked
A recapitulation of the third category of security controls in ISO/IEC 27001, the physical controls, with a focus on how to assess compliance during an ISMS audit
Generic considerations about the set of technological controls. What they address and how auditors can approach their assessment
About security requirements for end-point devices including BYOD (Bring Your Own Device). How auditors can assess compliance with this security control
About the allocation and management of privileged access rights. Assessing the measures implemented to prevent unauthorized access and misuse of privileges
Guidelines for assessing compliance with the controls in ISO/IEC 27001:2022 on the information access restrictions and preventing unauthorized access to source code
Suggestions for how to audit the security measures implemented by an organization for the secure authentication of users looking to access systems and applications
About monitoring the use of resources, including projections of future capacity requirements, and how auditors can assess compliance with the standard's requirements for capacity management
Guidelines for assessing the security measures implemented by an organization to protect against malware
How auditors can audit compliance with the control in ISO/IEC 27001 on the management of technical vulnerabilities
Guidelines on how the control for configuration management can be approached by auditors during an ISMS audit to ISO/IEC 27001:2022
How information can be securely deleted from systems and applications and how auditors can evaluate compliance with the control on information deletion during an audit
About data masking as solution to protect sensitive data and how auditors can evaluate the effectiveness of the data masking techniques employed by the organization
About the control on data leakage prevention and how to audit compliance with the provisions of this security control during the ISMS audit
Guidelines for auditing the requirements of ISO/IEC 27001 on information backup and how to assess compliance with this control during an audit
About redundancy and how to ensure availability in the event of a failure of systems or components. Auditing the security measures for redundancy
Suggestions for assessing compliance with the controls on logging, monitoring and clock synchronization. How to assess the measures to produce and protect logs and monitor systems to identify anomalous behavior
Suggestions for assessing the control on the use of privileged utility programs during an ISMS audit
About the installation of software on operational systems and how auditors can assess compliance with this technological control during an ISMS audit
Guidelines on what auditors can look for when assessing the controls in ISO/IEC 27001 that refer to networks, network services, including network segregation
About web filtering, what it should address and how auditors can assess compliance with this control during an ISMS audit to ISO/IEC 27001
About the use of cryptography (including cryptographic key management) to protect information and how auditors can assess compliance with the standard's requirements during an ISMS audit
An overarching control focused on the development life cycle. What auditors should be focused on when assessing this security control in the standard
About the security measures implemented when an organization develops or purchases applications. How to assess compliance with the requirements for application security during an ISMS audit
About the application of principles for engineering secure systems and how auditors can approach this security control during an ISMS audit
Guidelines for auditing secure coding aspects during an ISMS audit
Suggestions for assessing compliance with the security controls that refer to security testing, including the protection of test information during an ISMS audit
Guidelines for assessing compliance with the control that requires development, test and production environments to be separated.
Suggestions for how auditors can assess the controls implemented by an organization when outsourcing development
Guidelines for assessing change management for information systems and information processing facilities as part of the ISMS audit to ISO/IEC 27001:2022
What measures should be implemented to protect information and systems whenever audits and other assurance activities are conducted, and how auditors can assess compliance with the requirements of ISO/IEC 27001 during the ISMS audit
A recapitulation of the 4th theme of information security controls in ISO/IEC 27001:2022 with a focus on assessing them as part of the ISMS audit
Guidelines for formulating the findings and conclusions of an audit, conducting the closing meeting and elaborating the audit report
Some aspects for ISMS auditors to consider for an effective and value-adding audit experience
Thank you for participating in this online course and much success in your auditing career!
This course will help you master Information Security Management System (ISMS) auditing and the requirements of ISO/IEC 27001:2022, equipping you with essential skills to advance your career in the rapidly growing field of information security.
Compliance with international standards, such as ISO/IEC 27001, is now a critical requirement for organizations across industries, including finance, engineering, IT, transportation, professional services and manufacturing. Professionals skilled in assessing compliance and in guiding organizations to strengthen their information security are in high demand.
By enrolling in this online course, you will gain a solid understanding of auditing fundamentals, the specific requirements of ISO/IEC 27001, the standard's proposed security controls, and how to evaluate compliance during an ISMS audit.
The first part of the course introduces the foundational concepts of information security management systems. You will explore what an ISMS is, the standards within the ISO/IEC 27000 series, and the purpose and structure of ISO/IEC 27001:2022.
Next, the course provides a comprehensive overview of management system auditing basics. You will learn about the core principles auditors must adhere to, effective methods for collecting audit evidence, and critical documents such as the audit programme, audit plan, and audit report. This section also delves into remote auditing, how to analyze audit findings and conclusions, and the differences between lead auditors and auditors, as well as internal and external audits.
The subsequent section focuses on auditing the management system requirements of ISO/IEC 27001. Key topics include auditing the information security risk assessment, assessing the scope of the ISMS, reviewing the information security policy and objectives, evaluating the management reviews and the internal audits of the ISMS, auditing the statement of applicability and the risk treatment plan, and reviewing how the organization manages nonconformities. Each topic is analyzed from an auditor's perspective, emphasizing the critical areas to evaluate during compliance assessments.
The following four sections of the course address the main themes of information security controls as outlined in ISO/IEC 27001:2022:
Organizational Controls, such as policies, supplier relationships, incident management, privacy and protection of personally identifiable information, access control, threat intelligence, information classification and labelling, and the inventory of information and other associated assets.
People Controls, including screening, disciplinary process, information security education and training, confidentiality and non-disclosure agreements.
Physical Controls, focusing on securing the infrastructure, protecting against natural and environmental threats, cabling security, protecting assets off-premises and managing storage media throughout its life cycle.
Technological Controls, covering topics like cryptography, malware protection, network security, secure development, capacity management, backups, information deletion, data masking, vulnerability management and system redundancy.
This course also provides suggestions for assessing, during the ISMS audit, challenges such as those posed by remote working or the use of personal devices for work purposes (BYOD). You will gain actionable insights into how auditors can evaluate compliance with these controls effectively.
The final section of the course focuses on closing the ISMS audit, covering how to formulate the audit's findings and conclusions, how to conduct the closing meeting and plan the necessary post-audit activities.
This course provides a complete and detailed exploration of ISO/IEC 27001 requirements, with inputs from related standards such as ISO/IEC 27002, ISO/IEC 27005, and ISO/IEC 27035. It combines theoretical knowledge with practical examples, offering auditors valuable guidance on where to focus to gather meaningful evidence.
Whether you are a professional aiming to advance your career as an ISMS auditor or preparing for an upcoming audit, this course offers a structured and comprehensive approach to mastering ISO/IEC 27001:2022 ISMS auditing.