COURSE FORMAT & DELIVERY DETAILS

Self-Paced, On-Demand Learning with Immediate Online Access
Enrol once, and gain structured, step-by-step access to a comprehensive curriculum designed specifically for enterprise security leaders who demand clarity, precision, and proven results. This course is fully self-paced, allowing you to progress at your own speed, on your schedule, without rigid deadlines or mandatory live sessions. Whether you have 30 minutes during lunch or a full evening to focus, the learning adapts to you - not the other way around.

Designed for Maximum Flexibility and Real-World Application
Most learners complete the course within 6 to 8 weeks by investing just 4 to 5 hours per week. More importantly, you can begin applying key implementation strategies immediately - many report significant clarity on their organisation’s ISMS roadmap within the first 72 hours of starting. This isn’t theoretical training. Every module is engineered to generate actionable insight from day one.

Lifetime Access with Continuous Future Updates
Your investment includes unrestricted lifetime access to the entire course content. As ISO/IEC 27001 evolves and new best practices emerge, you’ll receive all updates at no additional cost. This ensures your knowledge remains current, your certification preparation stays accurate, and your leadership edge is sustained over time.

24/7 Global Access, Fully Optimised for Mobile
Access your course materials anytime, from any device. Whether you’re reviewing controls on a tablet during a flight, reading through policy templates on your phone, or working through implementation checklists from your desktop, the experience is seamless and responsive. Mobile-friendly compatibility means your progress is never interrupted by location or device.

Direct Instructor Support and Expert Guidance
You are not learning in isolation. Throughout the course, you’ll have access to dedicated instructor support through structured guidance channels. Ask precise questions, receive expert feedback, and clarify complex compliance requirements with confidence. This is not automated chat or AI responses - it’s human-to-human support from professionals with deep ISO 27001 implementation experience across global enterprises.

Official Certificate of Completion from The Art of Service
Upon successfully finishing the course, you will receive a Certificate of Completion issued by The Art of Service. This credential is globally recognised by security, audit, and compliance teams across industries including finance, healthcare, government, and technology. It validates your mastery of ISO 27001 implementation fundamentals and demonstrates your leadership capability in building resilient security frameworks. Employers trust this certification because it reflects real competence, not just participation.

Transparent, One-Time Pricing - No Hidden Fees
The price you see is the price you pay. There are no recurring charges, upsells, or surprise costs. This is a straightforward, one-time investment in your professional capability. What you gain - lifetime access, expert support, a respected certificate, and practical implementation tools - is delivered in full, with nothing held back.

Secure Payment via Visa, Mastercard, and PayPal
We accept all major payment methods, including Visa, Mastercard, and PayPal. Transactions are processed through a fully encrypted, PCI-compliant system to ensure your financial information remains protected at all times.

100% Money-Back Guarantee - Satisfied or Refunded
We stand behind the value of this course with a complete satisfaction guarantee. If at any point within 30 days you find the content does not meet your expectations for depth, clarity, or professional relevance, simply request a refund. There are no questions, no hurdles, and no risk to your investment - just a simple promise to deliver exceptional value or return your money.

What to Expect After Enrolment
After registration, you will receive a confirmation email acknowledging your enrolment. A separate communication containing your secure access details will be delivered once your course materials are fully prepared. This ensures all content is accurately configured and ready for immediate use when you begin.

This Course Works - Even If You’ve Struggled Before
This course is specifically designed for professionals who have encountered confusion during past compliance initiatives or found existing standards documentation too abstract. It works even if you have limited prior ISMS experience, even if your organisation lacks formal policies, and even if your team resists change. The structured approach breaks down complexity into repeatable, manageable actions - so you can lead with clarity.

Role-specific examples include:
- For CISOs: How to align ISO 27001 with board-level risk reporting and strategic security roadmaps
- For Compliance Managers: Step-by-step techniques to close audit gaps and prepare for certification assessments
- For IT Directors: Integrating security controls into change management and incident response workflows
- For Security Consultants: Frameworks to guide clients through cost-effective, audit-ready implementations

What Learners Are Saying
"I’ve read the standard twice and still didn’t know where to start. This course gave me the structure, templates, and confidence to lead our company’s certification project. We passed our Stage 1 audit in 10 weeks." - Mark T., Head of Information Security, UK

"The clause-by-clause breakdown transformed my understanding. I went from feeling overwhelmed to leading workshops with my legal and operations teams. The certificate has already been recognised in my promotion packet." - Sonia R., Risk Analyst, Singapore

"The support team answered my detailed question about Annex A controls within 24 hours. That level of attention made all the difference in applying the content correctly." - Daniel K., Security Consultant, Canada

Your Risk Is Completely Reversed
There is no downside to starting. You have lifetime access, full updates, a globally recognised certificate, expert support, and a complete money-back guarantee. You only stand to gain - deeper expertise, stronger leadership credibility, faster implementation outcomes, and measurable ROI in your role. The only cost of inaction is continued uncertainty, delayed certification, and missed career opportunities.

EXTENSIVE & DETAILED COURSE CURRICULUM

Module 1: Foundations of Information Security and ISO 27001
- Core principles of information security: confidentiality, integrity, availability
- Understanding the evolution of ISO/IEC 27001 and its global relevance
- Key differences between ISO/IEC 27001 and related standards (e.g. NIST, GDPR, COBIT)
- Defining information assets and data classification levels
- Identifying stakeholders in an ISMS: board, legal, IT, HR, third parties
- The role of risk in enterprise security decision-making
- High-level overview of the Plan-Do-Check-Act (PDCA) model
- Understanding the business case for ISO 27001 adoption
- Baseline security practices for small, mid-sized, and enterprise organisations
- Common myths and misconceptions about ISO 27001 compliance

Module 2: Governance and Leadership Accountability
- Establishing executive ownership and top management responsibility
- Drafting formal information security policies approved by leadership
- Creating a culture of security awareness and organisational accountability
- Setting measurable security objectives aligned with business goals
- Linking ISMS performance to board-level risk reporting frameworks
- Integrating security leadership into strategic planning cycles
- Assigning roles and responsibilities for ISMS implementation
- Documenting management review processes for ISMS effectiveness
- Using ISO 27001 to strengthen corporate governance and regulatory compliance
- Developing a leadership communication plan for security initiatives

Module 3: Context of the Organisation and Scope Definition
- Analysing internal and external issues affecting information security
- Identifying interested parties and their security expectations
- Conducting organisational context assessments using SWOT and PESTLE
- Defining the scope of the ISMS with precision and clarity
- Mapping geographies, departments, systems, and assets in scope
- Exclusion justification for Annex A controls
- Documenting scope criteria to satisfy auditor requirements
- Avoiding common scoping pitfalls that delay certification
- Aligning scope with business operations and digital transformation goals
- Presenting scope documentation to leadership and auditors

Module 4: Risk Assessment and Treatment Methodology
- Selecting a risk assessment approach: qualitative, quantitative, hybrid
- Building a custom risk matrix with likelihood and impact scales
- Identifying information security risks across people, processes, technology
- Classifying risk sources: internal failures, external threats, human error
- Documenting risk scenarios with real-world examples
- Assigning risk owners and accountability for each identified risk
- Establishing risk appetite and tolerance levels
- Evaluating risk treatment options: avoid, transfer, mitigate, accept
- Creating a risk treatment plan with timelines and responsibilities
- Integrating risk treatment into project management workflows

Module 5: Statement of Applicability (SoA) Development
- Understanding the purpose and structure of the Statement of Applicability
- Selecting relevant Annex A controls based on risk assessment
- Documenting justification for inclusion and exclusion of controls
- Linking each control to specific risks and treatment decisions
- Using SoA as a living document throughout the ISMS lifecycle
- Audit readiness checklist for SoA verification
- Best practices for formatting, versioning, and maintaining the SoA
- Common auditor feedback on SoA deficiencies
- Aligning SoA with legal, regulatory, and contractual obligations
- Automating SoA updates through templates and tracking systems

Module 6: Annex A Control Implementation - Access Control
- User registration and de-registration processes
- Role-based access control (RBAC) design and implementation
- Privileged access management for administrators and third parties
- Password policies and multi-factor authentication requirements
- Access review and recertification procedures
- Secure logon procedures and session timeouts
- Control of access to source code and development environments
- Remote access security policies and monitoring
- Segregation of duties and conflict of interest prevention
- Audit logging and monitoring of access events

Module 7: Annex A Control Implementation - Cryptography
- Classifying data requiring encryption at rest and in transit
- Selecting approved cryptographic algorithms and key lengths
- Key management lifecycle: generation, storage, rotation, destruction
- Implementing TLS protocols for web and API security
- Email encryption using S/MIME or PGP standards
- Full disk encryption for mobile devices and laptops
- Secure containerisation for encrypted file sharing
- Managing cryptographic exceptions and legacy system risks
- Documenting cryptographic usage policies
- Preparing cryptographic controls for audit verification

Module 8: Annex A Control Implementation - Physical and Environmental Security
- Securing data centres and server rooms with access controls
- Environmental controls: fire suppression, temperature, humidity
- Monitoring physical security with CCTV and access logs
- Protecting against electromagnetic interference and eavesdropping
- Secure disposal of hardware and storage media
- Visitor management and escort procedures
- Locking mechanisms for offices and IT cabinets
- Protection against natural disasters and utility failures
- Mobile device security policies for remote workers
- Security considerations for co-location and cloud provider facilities

Module 9: Annex A Control Implementation - Operations Security
- Documented operating procedures for IT systems
- Change management processes with risk assessment integration
- Capacity planning and performance monitoring
- Back-up strategies: frequency, testing, offsite storage
- Malware protection policies and endpoint detection tools
- Logging and monitoring: retention periods, analysis, alerts
- Privileged operation management and segregation
- Secure system development and testing environments
- Network configuration and firewall rule management
- Monitoring third-party cloud service operations

Module 10: Annex A Control Implementation - Human Resource Security
- Pre-employment screening and background checks
- Drafting employment contracts with security clauses
- Onboarding security training and policy acknowledgment
- Confidentiality agreements and NDAs
- Handling security violations during employment
- Exit procedures: access revocation, asset return
- Post-employment obligations and monitoring
- Security awareness training frequency and content
- Phishing simulation and behaviour tracking
- Reporting security incidents: internal hotlines and channels

Module 11: Annex A Control Implementation - Communications and Operations
- Electronic messaging security policies (email, chat, collaboration tools)
- Protection against business email compromise (BEC)
- Secure software installation and patch management
- Monitoring network traffic and anomaly detection
- Use of cryptography in public networks
- Segregation of networks by function and sensitivity
- Secure provisioning of wireless networks
- Web filtering and content inspection
- Cloud communication security: SaaS application controls
- Monitoring third-party access to internal systems

Module 12: Annex A Control Implementation - System Acquisition and Development
- Security requirements in software procurement and vendor selection
- Secure development lifecycle (SDLC) integration
- Threat modelling and security architecture reviews
- Secure coding guidelines and peer review processes
- Web application security: OWASP Top 10 alignment
- Secure API design and authentication mechanisms
- Penetration testing and vulnerability assessment protocols
- Third-party code review and open source licence compliance
- Data privacy by design and data minimisation principles
- DevSecOps integration into CI/CD pipelines

Module 13: Incident Management and Business Continuity
- Developing a formal incident response policy
- Establishing an incident response team with clear roles
- Incident classification and escalation procedures
- Preserving digital evidence and chain of custody
- Notifying regulators, customers, and stakeholders after breaches
- Post-incident reviews and lessons learned documentation
- Linking incident data to risk assessment updates
- Business impact analysis (BIA) for critical functions
- Recovery time objectives (RTO) and recovery point objectives (RPO)
- Testing business continuity and disaster recovery plans

Module 14: Supplier Relationships and Third-Party Risk
- Evaluating security capabilities during vendor selection
- Contractual security requirements and SLAs
- Onboarding security assessments for new suppliers
- Ongoing monitoring of third-party compliance
- Handling data protection in outsourcing arrangements
- Cloud provider security responsibilities (shared responsibility model)
- Conducting supplier audits and questionnaires
- Incident reporting expectations from vendors
- Exit strategies and data retrieval from terminated suppliers
- Maintaining a centralised supplier risk register

Module 15: Performance Evaluation and Internal Audit
- Defining key performance indicators (KPIs) for ISMS effectiveness
- Conducting internal audits using ISO 19011 principles
- Selecting and training internal auditors
- Developing audit checklists based on ISO 27001 clauses
- Planning audit schedules and coverage cycles
- Reporting audit findings and tracking corrective actions
- Using audit results to inform management reviews
- Preparing for certification audits through mock assessments
- Gap analysis between current state and ISO 27001 compliance
- Linking audit outcomes to continuous improvement goals

Module 16: Management Review and Continuous Improvement
- Conducting formal management review meetings
- Presenting ISMS performance, audit results, and risk status
- Documenting decisions and action items from reviews
- Updating objectives, scope, and policies based on findings
- Ensuring alignment with evolving business strategy
- Integrating feedback from staff, auditors, customers
- Driving continual improvement through PDCA cycles
- Resource planning for sustainment and scalability
- Tracking the cost-benefit of security investments
- Creating a culture of iterative refinement in security practices

Module 17: Documentation and Record Keeping
- Identifying required ISO 27001 documents and records
- Drafting the Information Security Policy document
- Creating versions, owners, and approval trails for documentation
- Secure storage and access controls for sensitive records
- Retention periods aligned with legal and regulatory needs
- Electronic document management system (EDMS) best practices
- Templates for risk assessment reports, SoA, audit plans
- Ensuring documentation is accessible for audits
- Updating documents after changes in scope or controls
- Automating document lifecycle management processes

Module 18: Preparing for Certification and External Audit
- Choosing an accredited certification body
- Understanding the two-stage certification process
- Submitting preliminary documentation for Stage 1
- Conducting a pre-certification readiness assessment
- Preparing staff for auditor interviews
- Responding to non-conformities and corrective actions
- Hosting the Stage 2 audit with confidence
- Obtaining and maintaining certification
- Preparing for annual surveillance audits
- Re-certification cycles and scope changes

Module 19: Integration with Other Management Systems
- Aligning ISO 27001 with ISO 9001 (QMS) requirements
- Integrating with ISO 14001 (Environmental Management)
- Harmonising with ISO 22301 (Business Continuity)
- Using common documentation structures across standards
- Cross-functional audit planning and scheduling
- Unified risk register for multiple compliance frameworks
- Efficient management review for integrated systems
- Shared training programs and awareness initiatives
- Consolidated KPIs and performance reporting
- Resource optimisation in compliance staffing and tools

Module 20: Strategic Leadership and Career Advancement
- Positioning yourself as a security leader within your organisation
- Translating technical compliance into business value
- Negotiating budget and resources using ISO 27001 frameworks
- Using certification as a competitive differentiator in client contracts
- Benchmarking your ISMS against industry peers
- Communicating progress to non-technical executives
- Building a personal portfolio of implementation work
- Leveraging the Certificate of Completion in job applications
- Networking with the global community of certified professionals
- Planning your next certification: ISO 27005, 27701, or 27017
Module 1: Foundations of Information Security and ISO 27001 - Core principles of information security: confidentiality, integrity, availability
- Understanding the evolution of ISO/IEC 27001 and its global relevance
- Key differences between ISO/IEC 27001 and related standards (e.g. NIST, GDPR, COBIT)
- Defining information assets and data classification levels
- Identifying stakeholders in an ISMS: board, legal, IT, HR, third parties
- The role of risk in enterprise security decision-making
- High-level overview of the Plan-Do-Check-Act (PDCA) model
- Understanding the business case for ISO 27001 adoption
- Baseline security practices for small, mid-sized, and enterprise organisations
- Common myths and misconceptions about ISO 27001 compliance
Module 2: Governance and Leadership Accountability - Establishing executive ownership and top management responsibility
- Drafting formal information security policies approved by leadership
- Creating a culture of security awareness and organisational accountability
- Setting measurable security objectives aligned with business goals
- Linking ISMS performance to board-level risk reporting frameworks
- Integrating security leadership into strategic planning cycles
- Assigning roles and responsibilities for ISMS implementation
- Documenting management review processes for ISMS effectiveness
- Using ISO 27001 to strengthen corporate governance and regulatory compliance
- Developing a leadership communication plan for security initiatives
Module 3: Context of the Organisation and Scope Definition - Analysing internal and external issues affecting information security
- Identifying interested parties and their security expectations
- Conducting organisational context assessments using SWOT and PESTLE
- Defining the scope of the ISMS with precision and clarity
- Mapping geographies, departments, systems, and assets in scope
- Exclusion justification for Annex A controls
- Documenting scope criteria to satisfy auditor requirements
- Avoiding common scoping pitfalls that delay certification
- Aligning scope with business operations and digital transformation goals
- Presenting scope documentation to leadership and auditors
Module 4: Risk Assessment and Treatment Methodology - Selecting a risk assessment approach: qualitative, quantitative, hybrid
- Building a custom risk matrix with likelihood and impact scales
- Identifying information security risks across people, processes, technology
- Classifying risk sources: internal failures, external threats, human error
- Documenting risk scenarios with real-world examples
- Assigning risk owners and accountability for each identified risk
- Establishing risk appetite and tolerance levels
- Evaluating risk treatment options: avoid, transfer, mitigate, accept
- Creating a risk treatment plan with timelines and responsibilities
- Integrating risk treatment into project management workflows
Module 5: Statement of Applicability (SoA) Development - Understanding the purpose and structure of the Statement of Applicability
- Selecting relevant Annex A controls based on risk assessment
- Documenting justification for inclusion and exclusion of controls
- Linking each control to specific risks and treatment decisions
- Using SoA as a living document throughout the ISMS lifecycle
- Audit readiness checklist for SoA verification
- Best practices for formatting, versioning, and maintaining the SoA
- Common auditor feedback on SoA deficiencies
- Aligning SoA with legal, regulatory, and contractual obligations
- Automating SoA updates through templates and tracking systems
Module 6: Annex A Control Implementation - Access Control - User registration and de-registration processes
- Role-based access control (RBAC) design and implementation
- Privileged access management for administrators and third parties
- Password policies and multi-factor authentication requirements
- Access review and recertification procedures
- Secure logon procedures and session timeouts
- Control of access to source code and development environments
- Remote access security policies and monitoring
- Segregation of duties and conflict of interest prevention
- Audit logging and monitoring of access events
Module 7: Annex A Control Implementation - Cryptography - Classifying data requiring encryption at rest and in transit
- Selecting approved cryptographic algorithms and key lengths
- Key management lifecycle: generation, storage, rotation, destruction
- Implementing TLS protocols for web and API security
- Email encryption using S/MIME or PGP standards
- Full disk encryption for mobile devices and laptops
- Secure containerisation for encrypted file sharing
- Managing cryptographic exceptions and legacy system risks
- Documenting cryptographic usage policies
- Preparing cryptographic controls for audit verification
Module 8: Annex A Control Implementation - Physical and Environmental Security - Securing data centres and server rooms with access controls
- Environmental controls: fire suppression, temperature, humidity
- Monitoring physical security with CCTV and access logs
- Protecting against electromagnetic interference and eavesdropping
- Secure disposal of hardware and storage media
- Visitor management and escort procedures
- Locking mechanisms for offices and IT cabinets
- Protection against natural disasters and utility failures
- Mobile device security policies for remote workers
- Security considerations for co-location and cloud provider facilities
Module 9: Annex A Control Implementation - Operations Security - Documented operating procedures for IT systems
- Change management processes with risk assessment integration
- Capacity planning and performance monitoring
- Back-up strategies: frequency, testing, offsite storage
- Malware protection policies and endpoint detection tools
- Logging and monitoring: retention periods, analysis, alerts
- Privileged operation management and segregation
- Secure system development and testing environments
- Network configuration and firewall rule management
- Monitoring third-party cloud service operations
Module 10: Annex A Control Implementation - Human Resource Security - Pre-employment screening and background checks
- Drafting employment contracts with security clauses
- Onboarding security training and policy acknowledgment
- Confidentiality agreements and NDAs
- Handling security violations during employment
- Exit procedures: access revocation, asset return
- Post-employment obligations and monitoring
- Security awareness training frequency and content
- Phishing simulation and behaviour tracking
- Reporting security incidents: internal hotlines and channels
Module 11: Annex A Control Implementation - Communications and Operations - Electronic messaging security policies (email, chat, collaboration tools)
- Protection against business email compromise (BEC)
- Secure software installation and patch management
- Monitoring network traffic and anomaly detection
- Use of cryptography in public networks
- Segregation of networks by function and sensitivity
- Secure provisioning of wireless networks
- Web filtering and content inspection
- Cloud communication security: SaaS application controls
- Monitoring third-party access to internal systems
Module 12: Annex A Control Implementation - System Acquisition and Development - Security requirements in software procurement and vendor selection
- Secure development lifecycle (SDLC) integration
- Threat modelling and security architecture reviews
- Secure coding guidelines and peer review processes
- Web application security: OWASP Top 10 alignment
- Secure API design and authentication mechanisms
- Penetration testing and vulnerability assessment protocols
- Third-party code review and open source licence compliance
- Data privacy by design and data minimisation principles
- DevSecOps integration into CI/CD pipelines
Module 13: Incident Management and Business Continuity - Developing a formal incident response policy
- Establishing an incident response team with clear roles
- Incident classification and escalation procedures
- Preserving digital evidence and chain of custody
- Notifying regulators, customers, and stakeholders after breaches
- Post-incident reviews and lessons learned documentation
- Linking incident data to risk assessment updates
- Business impact analysis (BIA) for critical functions
- Recovery time objectives (RTO) and recovery point objectives (RPO)
- Testing business continuity and disaster recovery plans
Module 14: Supplier Relationships and Third-Party Risk - Evaluating security capabilities during vendor selection
- Contractual security requirements and SLAs
- Onboarding security assessments for new suppliers
- Ongoing monitoring of third-party compliance
- Handling data protection in outsourcing arrangements
- Cloud provider security responsibilities (shared responsibility model)
- Conducting supplier audits and questionnaires
- Incident reporting expectations from vendors
- Exit strategies and data retrieval from terminated suppliers
- Maintaining a centralised supplier risk register
Module 15: Performance Evaluation and Internal Audit - Defining key performance indicators (KPIs) for ISMS effectiveness
- Conducting internal audits using ISO 19011 principles
- Selecting and training internal auditors
- Developing audit checklists based on ISO 27001 clauses
- Planning audit schedules and coverage cycles
- Reporting audit findings and tracking corrective actions
- Using audit results to inform management reviews
- Preparing for certification audits through mock assessments
- Gap analysis between current state and ISO 27001 compliance
- Linking audit outcomes to continuous improvement goals
Module 16: Management Review and Continuous Improvement - Conducting formal management review meetings
- Presenting ISMS performance, audit results, and risk status
- Documenting decisions and action items from reviews
- Updating objectives, scope, and policies based on findings
- Ensuring alignment with evolving business strategy
- Integrating feedback from staff, auditors, customers
- Driving continual improvement through PDCA cycles
- Resource planning for sustainment and scalability
- Tracking the cost-benefit of security investments
- Creating a culture of iterative refinement in security practices
Module 17: Documentation and Record Keeping - Identifying required ISO 27001 documents and records
- Drafting the Information Security Policy document
- Creating versions, owners, and approval trails for documentation
- Secure storage and access controls for sensitive records
- Retention periods aligned with legal and regulatory needs
- Electronic document management system (EDMS) best practices
- Templates for risk assessment reports, SoA, audit plans
- Ensuring documentation is accessible for audits
- Updating documents after changes in scope or controls
- Automating document lifecycle management processes
Module 18: Preparing for Certification and External Audit - Choosing an accredited certification body
- Understanding the two-stage certification process
- Submitting preliminary documentation for Stage 1
- Conducting a pre-certification readiness assessment
- Preparing staff for auditor interviews
- Responding to non-conformities and corrective actions
- Hosting the Stage 2 audit with confidence
- Obtaining and maintaining certification
- Preparing for annual surveillance audits
- Re-certification cycles and scope changes
Module 19: Integration with Other Management Systems - Aligning ISO 27001 with ISO 9001 (QMS) requirements
- Integrating with ISO 14001 (Environmental Management)
- Harmonising with ISO 22301 (Business Continuity)
- Using common documentation structures across standards
- Cross-functional audit planning and scheduling
- Unified risk register for multiple compliance frameworks
- Efficient management review for integrated systems
- Shared training programs and awareness initiatives
- Consolidated KPIs and performance reporting
- Resource optimisation in compliance staffing and tools
Module 20: Strategic Leadership and Career Advancement - Positioning yourself as a security leader within your organisation
- Translating technical compliance into business value
- Negotiating budget and resources using ISO 27001 frameworks
- Using certification as a competitive differentiator in client contracts
- Benchmarking your ISMS against industry peers
- Communicating progress to non-technical executives
- Building a personal portfolio of implementation work
- Leveraging the Certificate of Completion in job applications
- Networking with the global community of certified professionals
- Planning your next certification: ISO 27005, 27701, or 27017
- Securing data centres and server rooms with access controls
- Environmental controls: fire suppression, temperature, humidity
- Monitoring physical security with CCTV and access logs
- Protecting against electromagnetic interference and eavesdropping
- Secure disposal of hardware and storage media
- Visitor management and escort procedures
- Locking mechanisms for offices and IT cabinets
- Protection against natural disasters and utility failures
- Mobile device security policies for remote workers
- Security considerations for co-location and cloud provider facilities
Module 9: Annex A Control Implementation - Operations Security - Documented operating procedures for IT systems
- Change management processes with risk assessment integration
- Capacity planning and performance monitoring
- Back-up strategies: frequency, testing, offsite storage
- Malware protection policies and endpoint detection tools
- Logging and monitoring: retention periods, analysis, alerts
- Privileged operation management and segregation
- Secure system development and testing environments
- Network configuration and firewall rule management
- Monitoring third-party cloud service operations
Module 10: Annex A Control Implementation - Human Resource Security
- Pre-employment screening and background checks
- Drafting employment contracts with security clauses
- Onboarding security training and policy acknowledgment
- Confidentiality agreements and NDAs
- Handling security violations during employment
- Exit procedures: access revocation, asset return
- Post-employment obligations and monitoring
- Security awareness training frequency and content
- Phishing simulation and behaviour tracking
- Reporting security incidents: internal hotlines and channels
Module 11: Annex A Control Implementation - Communications and Operations
- Electronic messaging security policies (email, chat, collaboration tools)
- Protection against business email compromise (BEC)
- Secure software installation and patch management
- Monitoring network traffic and anomaly detection
- Use of cryptography in public networks
- Segregation of networks by function and sensitivity
- Secure provisioning of wireless networks
- Web filtering and content inspection
- Cloud communication security: SaaS application controls
- Monitoring third-party access to internal systems
Module 12: Annex A Control Implementation - System Acquisition and Development
- Security requirements in software procurement and vendor selection
- Secure development lifecycle (SDLC) integration
- Threat modelling and security architecture reviews
- Secure coding guidelines and peer review processes
- Web application security: OWASP Top 10 alignment
- Secure API design and authentication mechanisms
- Penetration testing and vulnerability assessment protocols
- Third-party code review and open source licence compliance
- Data privacy by design and data minimisation principles
- DevSecOps integration into CI/CD pipelines
Module 13: Incident Management and Business Continuity
- Developing a formal incident response policy
- Establishing an incident response team with clear roles
- Incident classification and escalation procedures
- Preserving digital evidence and chain of custody
- Notifying regulators, customers, and stakeholders after breaches
- Post-incident reviews and lessons learned documentation
- Linking incident data to risk assessment updates
- Business impact analysis (BIA) for critical functions
- Recovery time objectives (RTO) and recovery point objectives (RPO)
- Testing business continuity and disaster recovery plans
Module 14: Supplier Relationships and Third-Party Risk
- Evaluating security capabilities during vendor selection
- Contractual security requirements and SLAs
- Onboarding security assessments for new suppliers
- Ongoing monitoring of third-party compliance
- Handling data protection in outsourcing arrangements
- Cloud provider security responsibilities (shared responsibility model)
- Conducting supplier audits and questionnaires
- Incident reporting expectations from vendors
- Exit strategies and data retrieval from terminated suppliers
- Maintaining a centralised supplier risk register
Module 15: Performance Evaluation and Internal Audit
- Defining key performance indicators (KPIs) for ISMS effectiveness
- Conducting internal audits using ISO 19011 principles
- Selecting and training internal auditors
- Developing audit checklists based on ISO 27001 clauses
- Planning audit schedules and coverage cycles
- Reporting audit findings and tracking corrective actions
- Using audit results to inform management reviews
- Preparing for certification audits through mock assessments
- Gap analysis between current state and ISO 27001 compliance
- Linking audit outcomes to continuous improvement goals
Module 16: Management Review and Continuous Improvement
- Conducting formal management review meetings
- Presenting ISMS performance, audit results, and risk status
- Documenting decisions and action items from reviews
- Updating objectives, scope, and policies based on findings
- Ensuring alignment with evolving business strategy
- Integrating feedback from staff, auditors, customers
- Driving continual improvement through PDCA cycles
- Resource planning for sustainment and scalability
- Tracking the cost-benefit of security investments
- Creating a culture of iterative refinement in security practices
Module 17: Documentation and Record Keeping
- Identifying required ISO 27001 documents and records
- Drafting the Information Security Policy document
- Creating versions, owners, and approval trails for documentation
- Secure storage and access controls for sensitive records
- Retention periods aligned with legal and regulatory needs
- Electronic document management system (EDMS) best practices
- Templates for risk assessment reports, SoA, audit plans
- Ensuring documentation is accessible for audits
- Updating documents after changes in scope or controls
- Automating document lifecycle management processes
Module 18: Preparing for Certification and External Audit
- Choosing an accredited certification body
- Understanding the two-stage certification process
- Submitting preliminary documentation for Stage 1
- Conducting a pre-certification readiness assessment
- Preparing staff for auditor interviews
- Responding to non-conformities and corrective actions
- Hosting the Stage 2 audit with confidence
- Obtaining and maintaining certification
- Preparing for annual surveillance audits
- Re-certification cycles and scope changes