A tailored course, built for your situation
Deeper command of the ISO 27001 control mapping
A 199 tailored course for Chad Holmes building total fluency in ISO 27001 control implementation at the practitioner level
The situation this course is for
Even strong practitioners lose time when control logic isn't internalized. Teams default to templates without understanding the 'why' behind controls, leading to inconsistent mappings, audit rework, and delays in sign-off. The gap isn't knowledge, it's mastery of the framework at a granular level.
Who this is for
Mid-level compliance and risk practitioner at a consulting firm, contributing to ISO 27001 implementations and audit support across federal and commercial clients
Who this is not for
Executives looking for board-level summaries or vendors selling ISO 27001 tooling
What you walk away with
- Map ISO 27001 controls to technical and procedural controls with confidence
- Produce audit-ready statements of applicability without senior review
- Justify control exclusions with source-backed, defensible logic
- Reduce time spent reconciling control evidence by 50%
- Become the reference point for peers on nuanced control interpretation
The 12 modules (with all 144 chapters)
- Control purpose vs implementation
- Mapping scope to Annex A sections
- Understanding control hierarchies
- Common misinterpretations of control 5.1
- Control 5.2 documentation essentials
- Control 5.3 roles and responsibilities
- Control 5.4 alignment with business objectives
- Control 5.5 due diligence specifics
- Control 5.6 risk assessment criteria
- Control 5.7 risk treatment planning
- Control 5.8 statement of applicability
- Control 5.9 policy maintenance
- Control 6.1 access control policy
- User access provisioning workflows
- Privileged account controls
- Control 6.2 asset ownership rules
- Asset inventory completeness
- Asset classification tiers
- Control 6.3 media handling procedures
- Classification labels in practice
- Cross-domain data flows
- Handling off-site media
- Media disposal compliance
- User equipment policies
- Control 7.1 cryptographic usage policy
- Key management lifecycle
- Encrypted data in transit
- Encrypted data at rest
- Control 7.2 network controls
- Segmentation design
- Firewall rule documentation
- Remote access controls
- Secure configuration baselines
- Control 7.3 vulnerability management
- Patch management frequency
- Configuration drift tracking
- Control 8.1 event logging policy
- Log retention duration
- Log access controls
- Log review frequency
- Control 8.2 monitoring tools
- Incident detection thresholds
- Control 8.3 test procedures
- Penetration testing scope
- Vulnerability scanning cadence
- Audit trail completeness
- Log correlation examples
- Monitoring exception tracking
- Control 9.1 screening procedures
- Background checks scope
- Reference verification
- Control 9.2 confidentiality agreements
- NDAs and compliance
- Role-specific agreements
- Control 9.3 onboarding training
- Security awareness delivery
- Role-based training
- Control 9.4 offboarding steps
- Access revocation workflows
- Exit interview documentation
- Control 10.1 secure areas policy
- Access control to servers
- Visitor management
- Control 10.2 equipment protection
- Environmental controls
- UPS and power redundancy
- Fire suppression systems
- Control 10.3 maintenance procedures
- Equipment disposal
- Leased equipment handling
- Control 10.4 downgrading procedures
- Secure sanitization
- Control 11.1 change management
- Change approval workflows
- Rollback procedures
- Control 11.2 backup policies
- Backup frequency
- Test restoration
- Data retention alignment
- Control 11.3 event logs
- Log integrity checks
- Time synchronization
- Clock source accuracy
- Log correlation across systems
- Control 12.1 security requirements
- Procurement specifications
- Vendor questionnaires
- Control 12.2 development lifecycle
- Security by design
- Code review practices
- Control 12.3 test data protection
- Masking production data
- Test environment isolation
- Control 12.4 secure deployment
- Deployment window controls
- Post-deployment validation
- Control 13.1 supplier policies
- Third-party risk categories
- Due diligence depth
- Control 13.2 agreements with security
- SLA security clauses
- Audit rights inclusion
- Control 13.3 monitoring performance
- KPIs for security
- Supplier review meetings
- Incident reporting expectations
- Contract termination clauses
- Onsite audit rights
- Control 14.1 incident reporting
- Reporting channels
- Mandatory events
- Control 14.2 response procedures
- Incident triage
- Containment steps
- Eradication workflows
- Recovery validation
- Control 14.3 forensic readiness
- Evidence preservation
- Chain of custody
- Legal hold procedures
- Control 15.1 business continuity
- BCP integration
- Impact analysis
- Recovery time objectives
- Control 15.2 testing frequency
- DR test scheduling
- Tabletop exercise design
- Failover validation
- Recovery point objectives
- Test result documentation
- Improvement tracking
- Stakeholder communication
- Control 16.1 legal compliance
- Applicable regulations
- License tracking
- Control 16.2 intellectual property
- Software audits
- Compliance checks
- Control 16.3 personal data
- GDPR alignment
- PII handling
- Control 16.4 proof of compliance
- Audit evidence packaging
- Compliance dashboards
How this maps to your situation
- When onboarding to a new client engagement
- Before audit fieldwork begins
- During control gap assessment
- When building a new statement of applicability
Before vs. after
What's included with your purchase
- 12 modules with 12 chapters each (144 chapters)
- Downloadable templates and worked examples for every module
- Hand-built implementation playbook delivered alongside course access
- 30-day money-back guarantee
Delivery and format
- Course and learning environment access provisioned within 24 hours of purchase
- Hand-built implementation playbook delivered alongside course access
Format: Text-based modules and chapters in the Art of Service learning environment, plus downloadable templates and worked examples for every chapter, plus the hand-built implementation playbook delivered alongside course access.
Time investment: Approximately 3 hours per module, designed to fit around client work. Most complete the course in under 6 weeks.
How this compares to the alternatives
Generic ISO 27001 training covers broad policy. This course focuses on the 23% of controls that drive 80% of audit friction and gives you concrete, reusable implementation patterns.
Frequently asked
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.