ISO/IEC 27001 (ISO 27001) is an international standard for Information Security management. It provides a model to establish, implement, maintain and continually improve a risk-managed Information Security Management System (ISMS).
The standard forms the basis for effective management of sensitive, confidential information and for the application of information security controls. An organization that conforms to the ISO 27001 standard possesses clear, objective proof of its commitment to continued improvement of control over its sensitive and confidential information.
ISO 27001 therefore provides reassurance to sponsors, shareholders and customers that the organization has expert control over its risk management and data security. Due to the diversity of different organizations’ information assets – the ISO 27001 standard is adaptable according to an organization’s requirements. The design and implementation of the ISMS is tailored to the organization’s objectives, information assets, operational processes, governing legal requirements and regulatory security requirements.
The purpose of the ISO 27001 Auditor qualification is to confirm whether the candidate has achieved sufficient understanding of ISO 27001 and its application in a given situation. A successful Auditor candidate should be able to perform audits against ISO 27001, lead organizations through an audit program and direct audit teams. Their individual information security expertise, complexity of the information security management system and the support given for the use of ISO 27001 in their work environment will all be factors that impact what the ISO27001 Auditor can achieve.
Candidates must exhibit the competences required for the Information Security qualification and show that they can apply ISMS concepts to achieve the objectives and requirements of ISO 27001 and supporting standards within an organizational context. Further, the candidate should understand the main elements of the certification process and the principles of auditing.
The ISO 27001 Auditor training course will help candidates to:
- The purpose of internal and external audits, their operation and the associated terminology;
- Analyze and evaluate issues regarding scope definition, applicability and its objectives and processes within an organizational context;
- Evaluate how the principles of risk management including risk identification, analysis and evaluation and propose appropriate treatments and controls to reduce information security risk, support business objectives and improve information security have been applied;
- Analyze and evaluate deployed risk treatments and controls to assess their effectiveness and opportunities for continual improvement;
- Analyze and evaluate the effectiveness of the ISMS through the use of internal and external audit and management review to continually improve the suitability, adequacy and effectiveness of the ISMS;
- Audit organizations to identify conformity and improvements against ISO 27001;
- Understand, create, apply and evaluate the suitability, adequacy and effectiveness of documented information and records required by ISO 27001;
- Evaluate how appropriate corrective actions to maintain ISMS conformity with ISO 27001 have been identified and applied;
- Understand the requirements for and responsibilities of bodies providing audits and how they impact the activities of the auditor.
An ISO 27001 Practitioner – Information Security Officer certificate (or equivalent if accepted by APMG) is a pre-requisite for the Auditor qualification.