
Information Security Management Qualification using ISO/IEC 27001
Foundation & Practitioner Syllabus
10 April 2014

Version 2.0 (Status: Live) Page 1 of 23 Owner: Chief Examiner ©The APM Group Limited 2014

This document is not to be reproduced or re-sold without the express permission from The APM Group Ltd. The APMG-International ISO/IEC 27001 and Swirl Device logo is a Trade Mark of The APM Group Limited.

Document history

Version | Date | Updates made | Issued by
1.0 | 28 Nov 2012 | 1st issue | Andrew Marlow
2.0 | 10 April 2014 | 1. Updated for the 2013 edition of ISO/IEC 27001, 27002 and the 2014 edition of ISO/IEC 27000. 2. Updated to fit with the newly launched ISO/IEC 27001 Practitioner qualification. | Andrew Marlow


Introduction

Note: in the following text, ‘ISMS’ is used to refer to an Information Security Management System meeting the requirements of ISO/IEC 27001. ‘IS’ is used to refer to Information Security as, for example, in IS processes.

This syllabus describes the APMG ISO/IEC 27001 Foundation and Practitioner certificate qualifications.

The primary purpose of the syllabus is to provide a basis for accreditation of people involved with ISO/IEC 27001 and information security management at Foundation and Practitioner levels. It documents the learning outcomes related to the use of ISO/IEC 27001 at these levels and describes the requirements a candidate is expected to meet to demonstrate that these learning outcomes have been achieved at each qualification level.

The target audience for this document is:

Exam Board

Exam Panel

APMG Assessment Team

Accredited Training Organizations.

This syllabus informs the design of the exams and provides accredited training organizations with a more detailed breakdown of what the exams will assess. Details on the exam structure and content are documented in the ISO/IEC 27001 Foundation and Practitioner Designs.

1 Foundation Qualification

1.1 Purpose of the Foundation Qualification

The purpose of the Foundation qualification is to confirm that a candidate has sufficient knowledge of the contents and high level requirements of the ISO/IEC 27001 standard, and understands at a foundation level how the standard operates in a typical organization.

The Foundation qualification is designed to provide the basic knowledge of ISO/IEC 27001 required as a pre-requisite for the Practitioner qualification.

1.2 Target Audience

This qualification is aimed at those who are:

Supporting the implementation, operation or maintenance of an ISMS within an organization

Required to audit an ISMS and to have a basic understanding of the standard

Working within an organization with an ISMS, whether the organization is already certified or is considering certification to ISO/IEC 27001

Preparing for the ISO/IEC 27001 Practitioner qualification.

There is no pre-requisite for the Foundation qualification but an interest and/or background in information security or service management would be an advantage.

1.3 High Level Performance Definition of a Successful Information Security Management Foundation Candidate

The candidate should understand the scope, objectives, key terminology and high level requirements of the ISO/IEC 27001 standard, how it is used in an organization for information security, together with the main elements of the certification process.

Specifically, the candidate should understand:

The scope and purpose of ISO/IEC 27001 and how it can be used

The key terms and definitions used in the ISO/IEC 27000 series


The fundamental requirements for an ISMS in ISO/IEC 27001 and the need for continual improvement

The processes, their objectives and high level requirements

Applicability and scope definition requirements

Use of controls to mitigate IS risks

The purpose of internal audits and external certification audits, their operation and the associated terminology

The relationship with best practices and with other related International Standards: ISO 9001 and ISO/IEC 20000.

2 Practitioner Qualification

2.1 Purpose of the Practitioner Qualification

The purpose of the Practitioner qualification is to confirm whether the candidate has achieved sufficient understanding of ISO/IEC 27001 and its application in a given situation. A successful Practitioner candidate should, with suitable direction, be able to start applying the International Standard to enable the management of information security, but may not be sufficiently skilled to do this appropriately for all situations. Their individual information security expertise, the complexity of the information security management system and the support given for the use of ISO/IEC 27001 in their work environment will all be factors that impact what the Practitioner can achieve.

2.2 Target Audience

This qualification is aimed at those who are:

Internal managers and personnel working to implement, maintain and operate an ISMS within an organization

External consultants supporting an organization’s implementation, maintenance and operation of an ISMS.

Internal auditors who are required to have an applied knowledge of the standard.

The pre-requisite for this qualification is the APMG ISO/IEC 27001 Foundation qualification.

2.3 High Level Performance Definition of a Successful Practitioner Candidate

Candidates must exhibit the competences required for the foundation qualification and show that they can apply ISMS concepts to achieve the objectives and requirements of ISO/IEC 27001 and supporting standards within an organizational context.

Specifically, successful candidates should be able to:

Apply the principles of ISMS policy and its information security scope, objectives, and processes within an organizational context.

Apply the principles of risk management including risk identification, analysis and evaluation and propose appropriate treatments and controls to reduce information security risk, support business objectives and improve information security.

Analyze and evaluate deployed risk treatments and controls to assess their effectiveness and opportunities for continual improvement.

Analyze and evaluate the effectiveness of the ISMS through the use of internal audit and management review to continually improve the suitability, adequacy and effectiveness of the ISMS.

Understand, create, apply and evaluate the suitability, adequacy and effectiveness of documented information and records required by ISO/IEC 27001.

Identify and apply appropriate corrective actions to maintain ISMS conformity with ISO/IEC 27001.


3 Learning Outcomes Assessment Model

A classification widely used when designing assessments for certification and education is the Bloom’s Taxonomy of Educational Objectives. This classifies learning objectives into six ascending learning levels, each defining a higher degree of competencies and skills. (Bloom et al, 1956, Taxonomy of Educational Objectives). APMG have incorporated this into a Learning Outcomes Assessment Model which is used to provide a simple and systematic means for assessing and classifying the learning outcomes for APMG qualifications. This structured approach helps to ensure:

A clear delineation in learning level content between different qualification levels

Learning outcomes are documented consistently across different areas of the guidance

Exam questions and papers are consistent and are created to a similar level of difficulty.

The Foundation qualification examines learning outcomes at levels 1 (knowledge) and 2 (comprehension). The Practitioner qualification tests learning outcomes at levels 2 (comprehension), 3 (application) and 4 (analysis).

ISO/IEC 27001 Learning Outcomes Assessment Model

Level | Generic Definition from APMG Learning Outcomes Assessment Model | Information Security Management Foundation Qualification Learning Outcome Assessment Model
1. Knowledge | Know key facts, terms and concepts from the standard | Know facts, including terms and definitions, concepts, principles, controls, roles and responsibilities from the standard.
2. Comprehension | Understand key concepts from the standard | Understand the concepts, responsibilities, controls and the requirements, processes and documents needed to conform to the standard.
3. Application | Be able to apply key concepts relating to the syllabus area for a given scenario | Be able to apply key ISMS concepts relating to achievement of the requirements of ISO/IEC 27001 for a given scenario.
4. Analysis | Be able to analyse and distinguish between appropriate and inappropriate use of the standard for a given scenario situation | Be able to identify, analyze and distinguish between appropriate and inappropriate use of ISMS methods and controls for achieving the requirements of ISO/IEC 27001 through assessment of situations outlined in typical scenarios.


4 Syllabus Areas

The syllabus is presented by syllabus areas. This is the unit of learning which may relate to a chapter from the standard or several concepts commonly grouped together in a training course module. The following syllabus areas are identified.

Syllabus Area Code | Syllabus Area Title
OV | Overview of ISO/IEC 27001 and related best practices, standards and schemes
LE | Leadership and support of the ISMS
PL | Planning and operation of the ISMS
CO | Information security control objectives and controls
AC | Achieving ISO/IEC 27001 certification

5 Syllabus Presentation

For each syllabus area learning outcomes for each learning level are identified. Each learning outcome is then supported by a description of the requirements that a candidate is expected to meet to demonstrate that the learning outcome has been achieved at the qualification level indicated. These are shown as syllabus topics. Each of the syllabus areas is presented in a similar format as follows:

Syllabus Area Code: OV [2]
Syllabus Area: The ISO/IEC 27001 foundation qualification syllabus Area (XX) Theme [1]

Level | Topic | Foundation / Practitioner | Primary References
Know fact, terms and concepts relating to the syllabus area. [3]
Specifically to recall:
01 [4] | 01 [5] [6] | [7] | [8]
01 | 02 | |


Key to the Syllabus Area table

1 Syllabus Area Unit of learning, e.g. chapter of the reference guide or course module.

2 Syllabus Area Code A unique 2 character code identifying the syllabus area.

3 Learning Outcome

(topic header shown in bold)

A statement of what a candidate will be expected to know, understand or do.

4 Level Classification of the learning outcome against the APMG OTE Learning Outcomes Assessment Model.

5 Topic Reference Number of the topic within the learning level.

6 Topic Description Description of what is required of the candidate to demonstrate that a learning outcome has been achieved at the qualification level indicated

7 Foundation/Practitioner Shows at which qualification level the topic is assessed. N.B. A topic is only assessed at one qualification level.

8 Primary Reference The main reference supporting the topic.

6 Important Points

The following points about the use of the syllabus should be noted. It is important to note the correct editions of the reference material.

6.1 ISO/IEC 27001 Foundation Guide References

The primary references for the Foundation qualification are the International Standards:

ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems – Requirements

ISO/IEC 27000:2014 Information technology -- Security techniques -- Information security management systems - Overview and vocabulary.

Other references are made to:

Supplementary reference paper for ISO/IEC 27001 Qualification.

The Foundation level requires knowledge of the requirements in ISO/IEC 27001:2013 and the terms, definitions and concepts in ISO/IEC 27000:2014, as well as the information in the supplementary reference paper as stated in the syllabus topic. It is essential that all delegates have access to a personal copy of ISO/IEC 27001:2013 and the Supplementary Reference Paper during any training course. Delegates should have access to a personal copy of ISO/IEC 27000:2014 or to the information referenced from it in this syllabus. Please note that the examination is closed book. The references provided should be considered to be indicative rather than comprehensive, i.e. there may be other valid references within the guidance.


For the primary reference, the relevant part of the standard is used as the major part of the reference and this is followed by the section number used e.g. ISO/IEC 27001, 4.2 relates to ISO/IEC 27001:2013 Clause 4.2. The syllabus requires awareness of but does not require a detailed knowledge of other referenced standards:

ISO 9001:2008, Quality management systems — Requirements

ISO/IEC 20000-1:2011, Information technology – Service management - Service management system requirements

ISO/IEC 27002:2013, Information technology -- Security techniques -- Code of practice for information security management

ISO/IEC 27003:2010, Information technology -- Security techniques -- Information security management system implementation guidance

ISO/IEC 27004:2009, Information technology -- Security techniques -- Information security management – Measurement

ISO/IEC 27005:2011, Information technology -- Security techniques -- Information security risk management

ISO/IEC 27006:2011, Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems

ISO/IEC 27013:2012, Information technology -- Security techniques – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1.

6.2 ISO/IEC 27001 Practitioner Guide References

All Foundation level requirements are assumed to have been met for Practitioner level and are not directly assessed again, although Foundation level knowledge and understanding will be used when demonstrating Practitioner application and analysis learning outcomes. The primary references for the Practitioner course are the International Standards:

ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems – Requirements

ISO/IEC 27000:2014 Information technology -- Security techniques -- Information security management systems - Overview and vocabulary

ISO/IEC 27002:2013, Information technology -- Security techniques -- Code of practice for information security management

ISO/IEC 27005:2011, Information technology -- Security techniques -- Information security risk management

Reference is made to ISO/IEC 27003:2010, Information technology -- Security techniques -- Information security management system implementation guidance, Clause 5.3.2 and Table B.1 only. However, candidates do not need their own copy of this standard as the relevant clause and table are available in the Supplementary reference paper for ISO/IEC 27001 Qualification, Sections 5 and 6. Syllabus topics at levels 3 and 4 provide the primary references but may also include any other topic from the syllabus area. It is essential that all delegates have access to a personal copy of ISO/IEC 27001:2013 and the Supplementary Reference Paper during any training course. Delegates should have access to a personal copy of ISO/IEC 27002:2013 and ISO/IEC 27005:2011. Please note that the examination is open book.

7 Syllabus Exclusions

The syllabus does not require specific knowledge of ISMS implementation and best management practice guidelines.


Syllabus Area Code: OV
Syllabus Area: Overview of ISO/IEC 27001 and Related Best Practices, Standards and Schemes

Level | Topic | Foundation | Primary References

Know facts, terms and concepts at overview level about ISO/IEC 27001 and related best practices, standards and schemes

Specifically to recall:

01 01 The key standards with their purpose that comprise the ISO/IEC 27000 series:
1. ISO/IEC 27000
2. ISO/IEC 27001
3. ISO/IEC 27002
4. ISO/IEC 27003
5. ISO/IEC 27004
6. ISO/IEC 27005
Primary reference: ISO/IEC 27000, 4.2, 4.3, 4.4 title and purpose sections only

01 02 Compatibility of ISMS with other management system standards, specifically ISO 9001 for quality management
Primary reference: Supplementary paper, 2.1

01 03 1. Compatibility of ISMS with other management system standards, specifically ISO/IEC 20000-1 for service management.
2. The use of ISO/IEC 27013 for guidance on integrated implementation.
Primary reference: Supplementary paper, 2.2

01 04 Definitions of the following terms:
1. Asset
2. Availability
3. Confidentiality
4. Integrity
5. Information security
6. Information security event
7. Information security incident
8. Information security management system
Primary references: Supplementary paper, 2.3; ISO/IEC 27000, 2

01 05 Definitions of the following terms:
1. Residual risk
2. Risk acceptance
3. Risk analysis
4. Risk assessment
5. Risk criteria
6. Risk evaluation
7. Risk identification
8. Risk management
9. Risk owner
10. Risk treatment
Primary reference: ISO/IEC 27000, 2



01 06 Definitions of the following terms:
1. Consequence
2. Risk
3. Threat
4. Vulnerability
Primary reference: ISO/IEC 27000, 2

01 07 The names of the clauses and sub-clauses covered within requirements of ISO/IEC 27001:

4 Context of the organization

4.1 Understanding the organization and its context

4.2 Understanding the needs and expectations of interested parties

4.3 Determining the scope of the information security management system

4.4 Information security management system

5 Leadership

5.1 Leadership and commitment

5.2 Policy

5.3 Organizational roles, responsibilities and authorities

6 Planning

6.1 Actions to address risks and opportunities

6.2 Information security objectives and planning to achieve them

7 Support

7.1 Resources

7.2 Competence

7.3 Awareness

7.4 Communication

7.5 Documented information

8 Operation

8.1 Operational planning and control

8.2 Information security risk assessment

8.3 Information security risk treatment

9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

9.2 Internal audit

9.3 Management review

10 Improvement

10.1 Nonconformity and corrective action

10.2 Continual improvement

Annex A (normative) Reference control objectives and controls

Primary reference: ISO/IEC 27001, Contents

01 08 Information about ISO/IEC 27001 qualification and certification:
1. The APMG qualification scheme
2. The principles of ISO/IEC 27001 certification offered by certification bodies
Primary reference: Supplementary paper, 2.4



Understand how ISO/IEC 27001 and associated best practices, standards and schemes can be used to achieve conformity to ISO/IEC 27001

Specifically to identify:

02 01 The relationships and differences between ISO/IEC 27001 and the following standards within the ISO/IEC 27000 series:
1. ISO/IEC 27000
2. ISO/IEC 27002
3. ISO/IEC 27003
4. ISO/IEC 27004
5. ISO/IEC 27005
Primary reference: ISO/IEC 27000, 4.2, 4.3, 4.4 title and purpose sections only

02 02 The roles of the organizations and entities involved in ISO/IEC 27001 Qualification and Certification Schemes:
1. APMG-International
2. Certification Bodies (CBs)
3. National Accreditation Bodies (NABs)
4. Accredited Training Organizations (ATOs)
5. Practitioners
6. Consultants
7. Internal Auditors
8. External Auditors
Primary reference: Supplementary paper, 2.5

02 03 The benefits of implementing an ISMS
Primary reference: ISO/IEC 27000, 3.7

There are no syllabus items at level 3 for this area

There are no syllabus items at level 4 for this area


Syllabus Area Code: LE
Syllabus Area: Leadership and support of the ISMS

Level | Topic | Foundation | Practitioner | Primary References

Know facts and concepts relating to leadership and support of the Information Security Management System within Clauses 4, 5 and 7 of ISO/IEC 27001

Specifically to recall:

01 01 The general requirements to manage an ISMS
Primary reference: ISO/IEC 27001, 4.4

01 02 The integration of the ISMS with the organization’s processes and management structure
Primary reference: ISO/IEC 27001, 0.1 para 3, 5.1 b)

01 03 The decisions and influencing factors for the adoption and implementation of an ISMS
Primary reference: ISO/IEC 27001, 0.1, para 1

01 04 The requirement to understand the organization and its context
Primary reference: ISO/IEC 27001, 4.1

01 05 The requirement to understand the needs and expectations of interested parties
Primary reference: ISO/IEC 27001, 4.2

01 06 The characteristics used to define the scope and boundaries of the ISMS
Primary reference: ISO/IEC 27001, 1, 4.3

01 07 The contents of the ISMS policy
Primary reference: ISO/IEC 27001, 5.2 b) c) d)

Understand the concepts, responsibilities, requirements and processes about the context, leadership and support for an ISMS according to Clauses 4, 5 and 7 of ISO/IEC 27001 and ISO/IEC 27003

Specifically to identify:

02 01 The basic principles of top management demonstrating leadership and commitment for the ISMS by:
1. establishing an information security policy and objectives
2. communicating the importance of effective information security management and of conforming to the ISMS requirements
3. ensuring the ISMS achieves its intended outcomes
Primary reference: ISO/IEC 27001, 5.1 a) d) e)

02 02 Further principles of top management demonstrating leadership and commitment to ISMS processes, specifically:
1. Ensuring integration of ISMS requirements with the organization’s processes (5.1 b)
2. Promoting continual improvement (5.1 g)
3. Supporting other management roles to demonstrate leadership (5.1 h)
Primary reference: ISO/IEC 27001, 5.1 b) g) h)

02 03 The requirements of top management for organizational roles, responsibilities and authorities
Primary reference: ISO/IEC 27001, 5.3, 5.1 f)

02 04 The activities and considerations to be made when defining roles and responsibilities
Primary reference: ISO/IEC 27003 5.3.2 / (Supplementary paper, 6)



02 05 The roles and their specific requirements and responsibilities required for information security management and operation, along with their interaction within the organization
Primary reference: ISO/IEC 27003 Table B.1 / (Supplementary paper, 5)

02 06 The basic principles of the requirements related to documented information within an ISMS:
1. The documents required within an ISMS.
2. The control of documented information to ensure availability, suitability and protection
Primary reference: ISO/IEC 27001, 7.5.1 a) b), 7.5.3 a) b)

02 07 The requirements for the processes and content for the appropriate management of documents for the operation of an ISMS, specifically:
1. The creation and updating of documents (7.5.1 NOTE / 7.5.2)
2. The control of documented information (7.5.3 c-f, end para & NOTE)
Primary reference: ISO/IEC 27001, 7.5.1 NOTE a-c), 7.5.2, 7.5.3 c-f) end para & NOTE

02 08 The basic principles of the provision of resources and competence within an ISMS:
1. Determining and providing resources needed for the operation of the ISMS
2. Determining and ensuring competence based on education, training or experience
3. Taking necessary actions and retaining documentation as evidence of competence
Primary reference: ISO/IEC 27001, 7.1, 7.2, 5.1 c)

02 09 The basic principles for awareness and communication for personnel working within an ISMS:
1. Awareness of the information security policy, contribution to the effectiveness of the ISMS, benefits of the ISMS and implications of not complying to the ISMS
2. Determining the need for internal and external communication about the ISMS
Primary reference: ISO/IEC 27001, 7.3, 7.4 1st line of para 1 excluding a) – e)

02 10 The appropriate internal and external communications requirements including:
1. The subject for communication (7.4 a)
2. The timing of the communication (7.4 b)
3. The audience (7.4 c)
4. The communicator (7.4 d)
5. The communication process (7.4 e)
Primary reference: ISO/IEC 27001, 7.4 a) - e)

02 11 The requirements for appropriate boundaries and scope for an ISMS with consideration of:
1. External and internal issues
2. The requirements of interested parties
3. The interfaces and dependencies of activities
Primary reference: ISO/IEC 27001, 4.3



02 12 Appropriate information requirements for inclusion in an ISMS policy including:
1. The purpose of the organization (5.2 a)
2. Information security objectives or a framework for setting objectives (5.2 b)
3. A commitment to satisfy applicable requirements (5.2 c)
4. A commitment to continual improvement (5.2 d)
5. Communication and availability requirements (5.2 e-g)
Primary reference: ISO/IEC 27001, 5.2 a) - g)

Apply the ISMS Leadership and Support management systems requirements from ISO/IEC 27003, to enable the achievement of conformity to ISO/IEC 27001 for a given scenario

Specifically to apply:

03 01 The activities and considerations to be made when defining roles and responsibilities
Primary reference: ISO/IEC 27003 5.3.2 / (Supplementary paper, 6)

03 02 The roles and their specific requirements and responsibilities required for information security management and operation, for a given scenario
Primary reference: ISO/IEC 27003 Table B.1 / (Supplementary paper, 5)

03 03 The concepts, responsibilities and requirements about the context, leadership and support for an ISMS according to Clauses 4, 5 and 7 of ISO/IEC 27001
Primary reference: ISO/IEC 27001, 4, 5 & 7

Analyze and distinguish between appropriate and inappropriate use of ISMS Leadership and Support management systems’ requirements, as given in ISO/IEC 27003, to maintain conformity to ISO/IEC 27001 for a given scenario

Specifically to analyze:

04 01 The activities and considerations to be made when defining roles and responsibilities
Primary reference: ISO/IEC 27003 5.3.2 / (Supplementary paper, 6)

04 02 The roles and their specific requirements and responsibilities required for information security management and operation, for a given scenario
Primary reference: ISO/IEC 27003 Table B.1 / (Supplementary paper, 5)

04 03 The concepts, responsibilities and requirements about the context, leadership and support for an ISMS according to Clauses 4, 5 and 7 of ISO/IEC 27001
Primary reference: ISO/IEC 27001, 4, 5 & 7

Syllabus Area Code: PL

Syllabus Area: Planning and operation of the ISMS

Level | Topic | Foundation | Practitioner | Primary References

Know facts, terms and concepts relating to the planning and operation of an ISMS within clauses 6, 8, 9 and 10 of ISO/IEC 27001

Specifically to recall:

01 01 Contents of the Statement of Applicability

ISO/IEC 27001, 6.1.3 d)

01 02 Monitoring, measurement, analysis and evaluation:

1. evaluating performance and the effectiveness of the ISMS

2. selecting methods to produce comparable and reproducible results

3. documenting the results

ISO/IEC 27001, 9.1 para 1, last para and NOTE

01 03 The requirements for continual improvement of the ISMS

ISO/IEC 27001, 10.2, 5.1g

Understand the concepts, responsibilities, requirements and processes relating to the planning and operation of an ISMS within clauses 6, 8, 9 and 10 of ISO/IEC 27001

Specifically to identify:

02 01 Actions to address risks and opportunities:

1. Determine the risks and opportunities that need to be addressed

2. Plan actions to address these risks and opportunities

3. Plan how to fit the actions into the ISMS and evaluate their effectiveness

ISO/IEC 27001 6.1.1

02 02 Defining and applying the risk assessment process:

1. information security risk criteria

2. consistent, comparable and valid results for repeated assessments

3. performing assessments at planned intervals

4. retain documented information for the process and the results of assessments

ISO/IEC 27001, 6.1.2 a), b), last para and 8.2

02 03 The general considerations, basic criteria, scope and boundaries and organization for establishing the context of the risk management process, specifically the:

1. Risk evaluation criteria

2. Impact criteria

3. Risk acceptance criteria

ISO/IEC 27005, 7

02 04 Identifying the information security risks

ISO/IEC 27001, 6.1.2 c)

02 05 The steps in risk identification, specifically:

1. Assets

2. Threats

3. Existing controls

4. Vulnerabilities

5. Consequences

ISO/IEC 27005, 8.2 and Annex B1 1st para.


02 06 Analyzing and evaluating the risks

ISO/IEC 27001, 6.1.2 d) e)

02 07 The methodologies for risk analysis and the approach to risk evaluation, specifically the assessment of:

1. Consequences

2. Incident likelihood

3. Risk determination

ISO/IEC 27005, 8.3 and 8.4

02 08 Selection of the risk treatment options taking account of the risk assessment results

ISO/IEC 27001, 6.1.3 a), ISO/IEC 27000, 2.79

02 09 The approaches to risk treatment, specifically:

1. Modification

2. Retention

3. Avoidance

4. Sharing

ISO/IEC 27005, 9

02 10 Selection of controls for the treatment of risks:

1. determine necessary controls

2. compare controls with Annex A and justify any exclusions

ISO/IEC 27001, 6.1.3 b) c) d)

02 11 Formulating a risk treatment plan:

1. formulate an information security risk treatment plan

2. obtain approval from risk owner for the plan and residual risks

3. implement the risk treatment plan

4. retain documented information for the process and results of the risk treatment

ISO/IEC 27001, 6.1.3 e) f), last para and 8.3

02 12 The approach to risk acceptance, communication and consultation

ISO/IEC 27005, 10 and 11

02 13 The approach to risk monitoring and review, specifically:

1. Risk factors

2. Risk management monitoring, review and improvement

ISO/IEC 27005, 12.1 and 12.3

02 14 Information security objectives:

1. establishing and documenting the objectives

2. the need for the objectives to be consistent with the policy and measurable

3. the need to plan to achieve the objectives and implement the plan

ISO/IEC 27001, 6.2 para 1, a), b), para 3, 1st line of para 4 excluding f - j and 8.1 para 1 2nd sentence

02 15 The requirements, planning and deployment of information security objectives, specifically including:

1. The applicable information security requirements & the results of the risk assessment and risk treatment (6.2 c)

2. Communication and updating (6.2 d-e)

3. Planning covering the subject, the resources, responsibilities, completion timing and the evaluation method for the results (6.2 f-j)

ISO/IEC 27001, 6.2 c) - j)


02 16 Operational planning and control:

1. planning, implementing and controlling the processes to meet information security requirements

2. implementing the actions to address risks and opportunities

3. determining and controlling outsourced processes

4. control of planned changes

5. keeping documented information as evidence

ISO/IEC 27001, 8.1

02 17 Appropriate development steps for performance evaluation including:

1. What needs to be monitored and measured (9.1 a)

2. When and who will monitor and measure (9.1 c-d)

3. The appropriate methodologies for monitoring, measurement, analysis and evaluation (9.1 b)

4. When and who will analyze and evaluate the results (9.1 e-f)

ISO/IEC 27001, 9.1 Para 2, a) - f), excluding NOTE and last para

02 18 Internal audit of an ISMS:

1. the need to conduct internal audits at planned intervals

2. using internal audits to check conformance to the ISMS and the standard, and effectiveness of the ISMS

3. the selection of auditors to ensure objectivity

4. planning the audit programme

ISO/IEC 27001, 9.2 para 1, a) b) c) e)

02 19 The organization’s requirements for the conduct of an audit (9.2 d, f, g)

ISO/IEC 27001, 9.2 d) f) g)

02 20 Management review of the ISMS:

1. the need for top management to review the ISMS at planned intervals for suitability, adequacy and effectiveness

2. consideration of feedback on performance

3. the outputs from the review

ISO/IEC 27001, 9.3 para 1, c) 1-4, para 3

02 21 The applicable principles for the review and outputs for a management review including:

1. The status of actions (9.3 a)

2. Changes in external and internal issues (9.3 b)

3. Feedback from interested parties (9.3 d)

4. The results of risk assessment (9.3 e)

5. The status of the risk assessment and risk treatment plan (9.3 e)

6. Opportunities for improvement (9.3 f)

ISO/IEC 27001, 9.3 para a), b), d) – f), last para

02 22 Nonconformity and corrective actions:

1. The actions to be taken when a non-conformity occurs

2. The need for corrective actions to be appropriate to the effects of the nonconformities

3. Documented information about nonconformities and corrective actions

ISO/IEC 27001, 10.1


Apply the risk management requirements to enable the achievement of conformity to ISO/IEC 27001

Specifically to use:

03 01 The risk evaluation, impact and risk acceptance criteria for establishing the context of the risk management process

ISO/IEC 27005, 7

03 02 The steps in risk identification, as defined in 0205

ISO/IEC 27005, 8.2 and Annex B1 1st para.

03 03 The approaches to risk analysis and risk evaluation, as defined in 0207

ISO/IEC 27005, 8.3 and 8.4

03 04 The approaches to risk treatment, as defined in 0209

ISO/IEC 27005, 9

03 05 The approach to risk acceptance, communication and consultation

ISO/IEC 27005, 10 and 11

03 06 The approach to risk monitoring and review, as defined in 0213

ISO/IEC 27005, 12.1 and 12.3

03 07 The concepts, responsibilities, requirements and processes relating to the planning and operation of an ISMS within clauses 6, 8, 9 and 10 of ISO/IEC 27001

ISO/IEC 27001, 6, 8, 9 & 10

Analyze and distinguish between appropriate and inappropriate use of ISMS risk management requirements throughout the lifecycle of the ISMS to maintain conformity to ISO/IEC 27001 for a given scenario

Specifically to analyze:

04 01 The risk evaluation, impact and risk acceptance criteria for establishing the context of the risk management process

ISO/IEC 27005, 7

04 02 The steps in risk identification, as defined in 0205

ISO/IEC 27005, 8.2 and Annex B1 1st para.

04 03 The approaches to risk analysis and risk evaluation, as defined in 0207

ISO/IEC 27005, 8.3 and 8.4

04 04 The approaches to risk treatment, as defined in 0209

ISO/IEC 27005, 9

04 05 The approach to risk acceptance, communication and consultation

ISO/IEC 27005, 10 and 11

04 06 The approach to risk monitoring and review, as defined in 0213

ISO/IEC 27005, 12.1 and 12.3

04 07 The concepts, responsibilities, requirements and processes relating to the planning and operation of an ISMS within clauses 6, 8, 9 and 10 of ISO/IEC 27001

ISO/IEC 27001, 6, 8, 9 & 10

Syllabus Area Code: CO

Syllabus Area: Information security control objectives and controls

Level | Topic | Foundation | Practitioner | Primary References

Know the topic areas for information security controls within ISO/IEC 27001

Specifically to recall:

01 01 1. The structure and contents of the controls and control objectives listed in Annex A of ISO/IEC 27001

2. The definition of:

a. Control

b. Control objective

Supplementary paper, 3.1

ISO/IEC 27000, 2.16, 2.17

01 02 The names of the security control clauses for information security controls (numbers refer to references in Annex A of ISO/IEC 27001):

5. Information security policies

6. Organization of information security

7. Human resource security

8. Asset management

9. Access control

10. Cryptography

11. Physical and environmental security

ISO/IEC 27001, Annex A

01 03 The names of the security control clauses for information security controls (numbers refer to references in Annex A of ISO/IEC 27001):

12. Operations security

13. Communications security

14. System acquisition, development and maintenance

15. Supplier relationships

16. Information security incident management

17. Information security aspects of business continuity management

18. Compliance

ISO/IEC 27001, Annex A

01 04 The name of the security category and the control objective for the security control clause ‘information security policies’

ISO/IEC 27001, Annex A, 5.1 category and objective only

Understand the subjects covered for specific information security control clauses within ISO/IEC 27001, with implementation parameters defined by ISO/IEC 27002

Specifically to identify:

02 01-04 Not used. (See 19 onwards for Foundation 02 topics)

02 05 Information security policies; scope and implementation parameters

ISO/IEC 27001, Annex A, A.5, ISO/IEC 27002, 5

02 06 Organization of information security; scope and implementation parameters

ISO/IEC 27001, Annex A, A.6, ISO/IEC 27002, 6

02 07 Human resources security; scope and implementation parameters

ISO/IEC 27001, Annex A, A.7, ISO/IEC 27002, 7


02 08 Asset management; scope and implementation parameters

ISO/IEC 27001, Annex A, A.8, ISO/IEC 27002, 8

02 09 Access control; scope and implementation parameters

ISO/IEC 27001, Annex A, A.9, ISO/IEC 27002, 9

02 10 Cryptography; scope and implementation parameters

ISO/IEC 27001, Annex A, A.10, ISO/IEC 27002, 10

02 11 Physical and environmental security; scope and implementation parameters

ISO/IEC 27001, Annex A, A.11, ISO/IEC 27002, 11

02 12 Operations security; scope and implementation parameters

ISO/IEC 27001, Annex A, A.12, ISO/IEC 27002, 12

02 13 Communications security; scope and implementation parameters

ISO/IEC 27001, Annex A, A.13, ISO/IEC 27002, 13

02 14 System acquisition, development and maintenance; scope and implementation parameters

ISO/IEC 27001, Annex A, A.14, ISO/IEC 27002, 14

02 15 Supplier relationships; scope and implementation parameters

ISO/IEC 27001, Annex A, A.15, ISO/IEC 27002, 15

02 16 Information security incident management; scope and implementation parameters

ISO/IEC 27001, Annex A, A.16, ISO/IEC 27002, 16

02 17 Information security aspects of business continuity management; scope and implementation parameters

ISO/IEC 27001, Annex A, A.17, ISO/IEC 27002, 17

02 18 Compliance; scope and implementation parameters

ISO/IEC 27001, Annex A, A.18, ISO/IEC 27002, 18

02 19 The control description for the control ‘policies for information security’

ISO/IEC 27001, Annex A, A.5.1.1

02 20 The control description for the control ‘review of the policies for information security’

ISO/IEC 27001, Annex A, A.5.1.2

02 21 The control objective for the security category ‘during employment’

ISO/IEC 27001, Annex A, A.7.2, category and objective only

02 22 The control objectives for the security categories in asset management covering:

1. Responsibility for assets

2. Information classification

3. Media handling

ISO/IEC 27001, Annex A, A.8.1, A.8.2 and A.8.3, categories and objectives only


02 23 The control objectives for the security categories in access control covering:

1. Business requirements of access control

2. User access management

ISO/IEC 27001, Annex A, A.9.1 and A.9.2, categories and objectives only

02 24 The control objective for the security category ‘management of information security incidents and improvements’

ISO/IEC 27001, Annex A, A.16.1, category and objective only

02 25 The control objective for the security category ‘compliance with legal and contractual requirements’

ISO/IEC 27001, Annex A, A.18.1, category and objective only

Be able to identify, apply and tailor the appropriate aspects of ISO/IEC 27001 Annex A controls to a scenario, as defined in ISO/IEC 27002

Specifically to identify how and when each of the controls should be implemented including:

03 01-04 Not used

03 05 Information security policies

ISO/IEC 27001, Annex A, A.5, ISO/IEC 27002 5

03 06 Organization of information security

ISO/IEC 27001, Annex A, A.6, ISO/IEC 27002 6

03 07 Human resources security

ISO/IEC 27001, Annex A, A.7, ISO/IEC 27002 7

03 08 Asset management

ISO/IEC 27001, Annex A, A.8, ISO/IEC 27002 8

03 09 Access control

ISO/IEC 27001, Annex A, A.9, ISO/IEC 27002 9

03 10 Cryptography

ISO/IEC 27001, Annex A, A.10, ISO/IEC 27002 10

03 11 Physical and environmental security

ISO/IEC 27001, Annex A, A.11, ISO/IEC 27002 11

03 12 Operations security

ISO/IEC 27001, Annex A, A.12, ISO/IEC 27002 12

03 13 Communications security

ISO/IEC 27001, Annex A, A.13, ISO/IEC 27002 13


03 14 System acquisition, development and maintenance

ISO/IEC 27001, Annex A, A.14, ISO/IEC 27002 14

03 15 Supplier relationships

ISO/IEC 27001, Annex A, A.15, ISO/IEC 27002 15

03 16 Information security incident management

ISO/IEC 27001, Annex A, A.16, ISO/IEC 27002 16

03 17 Information security aspects of business continuity management

ISO/IEC 27001, Annex A, A.17, ISO/IEC 27002 17

03 18 Compliance

ISO/IEC 27001, Annex A, A.18, ISO/IEC 27002 18

Be able to identify, analyze and distinguish between the appropriate and inappropriate ISO/IEC 27001 Annex A controls throughout the life-cycle of a given scenario, as defined in ISO/IEC 27002

Specifically to analyze with reasons whether the implementation of the ISO/IEC 27001 Annex A controls is appropriate for achieving the requirements of ISO/IEC 27001 including:

04 01-04 Not used

04 05 Information security policies

ISO/IEC 27001, Annex A, A.5, ISO/IEC 27002 5

04 06 Organization of information security

ISO/IEC 27001, Annex A, A.6, ISO/IEC 27002 6

04 07 Human resources security

ISO/IEC 27001, Annex A, A.7, ISO/IEC 27002 7

04 08 Asset management

ISO/IEC 27001, Annex A, A.8, ISO/IEC 27002 8

04 09 Access control

ISO/IEC 27001, Annex A, A.9, ISO/IEC 27002 9

04 10 Cryptography

ISO/IEC 27001, Annex A, A.10, ISO/IEC 27002 10

04 11 Physical and environmental security

ISO/IEC 27001, Annex A, A.11, ISO/IEC 27002 11

04 12 Operations security

ISO/IEC 27001, Annex A, A.12, ISO/IEC 27002 12


04 13 Communications security

ISO/IEC 27001, Annex A, A.13, ISO/IEC 27002 13

04 14 System acquisition, development and maintenance

ISO/IEC 27001, Annex A, A.14, ISO/IEC 27002 14

04 15 Supplier relationships

ISO/IEC 27001, Annex A, A.15, ISO/IEC 27002 15

04 16 Information security incident management

ISO/IEC 27001, Annex A, A.16, ISO/IEC 27002 16

04 17 Information security aspects of business continuity management

ISO/IEC 27001, Annex A, A.17, ISO/IEC 27002 17

04 18 Compliance

ISO/IEC 27001, Annex A, A.18, ISO/IEC 27002 18

Syllabus Area Code: AC

Syllabus Area: Achieving ISO/IEC 27001 Certification

Level | Topic | Foundation | Primary References

Know facts, terms and concepts about auditing an ISMS for ISO/IEC 27001 certification

Specifically to recall:

01 01 The types of audits – initial, re-certification, surveillance, internal, 1st/2nd/3rd party

Supplementary paper, 4.1

01 02 The outcomes of an audit:

1. Conformity

2. Major nonconformity

3. Minor nonconformity

4. Observation (opportunity for improvement)

5. Outside of the audit scope

Supplementary paper, 4.2

Understand the concepts, responsibilities and requirements for auditing and preparing to achieve certification for ISO/IEC 27001

Specifically to identify:

02 01 The requirements for the conduct of audits

1. Certification audits (initial and re-certification)

2. Surveillance audits

Supplementary paper, 4.1

02 02 Key differences between internal, initial, re-certification and surveillance audits

Supplementary paper, 4.1

02 03 1. The evidence used to demonstrate conformity to ISO/IEC 27001

2. The need to provide evidence for the requirements of ISO/IEC 27001 and the certification bodies' use of ISO/IEC 27006

Supplementary paper, 4.3

02 04 The organization’s preparation for and participation in a certification audit

Supplementary paper, 4.4

02 05 The process used by a certification body to conduct certification audits for an ISMS

Supplementary paper, 4.5

There are no syllabus items at level 3 for this area

There are no syllabus items at level 4 for this area