Information Technology ISO27001 Auditor/Lead Auditor

Course details

This course is conducted via SGS Singapore. All instruction and examinations are in English.

ISO/IEC 27001 is an information security management system (ISMS) standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001– Information technology – Security techniques – Information security management systems – Requirements. ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard.

THE STANDARD CONTAINS 11 DOMAINS(APART FROM INTRODUCTORY SECTIONS)

• Security policy - management direction
• Organization of information security - governance of information security
• Asset management - inventory and classification of information assets
• Human resources security - security aspects for employees joining, moving and leaving an organization
• Physical and environmental security - protection of the computer facilities
• Communications and operations management - management of technical security controls in systems and networks
• Access control - restriction of access rights to networks, systems, applications, functions and data
• Information systems acquisition, development and maintenance - building security into applications
• Information security incident management - anticipating and responding appropriately to information security breaches
• Business continuity management - protecting, maintaining and recovering business-critical processes and systems
• Compliance - ensuring conformance with information security policies, standards, laws and regulations

ISO/IEC 27001 REQUIRES THAT MANAGEMENT:

• Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;
• Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
• Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.

THE KEY BENEFITS OF 27001 ARE:

• It can act as the extension of the current quality system to include security
• It provides an opportunity to identify and manage risks to key information and systems assets
• Provides confidence and assurance to trading partners and clients; acts as a marketing tool
• Allows an independent review and assurance to you on information security practices

A company may want to adopt ISO 27001 for the following reasons:

• It is suitable for protecting critical and sensitive information
• It provides a holistic, risk-based approach to secure information and compliance
• Demonstrates credibility, trust, satisfaction and confidence with stakeholders, partners, citizens and customers
• Demonstrates security status according to internationally accepted criteria
• Creates a market differentiation due to prestige, image and external goodwill
• If a company is certified once, it is accepted globally.

Updated on 17 September, 2018