Author Archives: admin

ISO 27001 Lead Auditor Training Class scheduled for online learning

Mastering the audit of an Information Security Management System (ISMS) based on ISO/IEC 27001

4 1/2 days from August 17th through August 20th, 2020

Summary | Go to Enrollment Form

This five-day intensive course enables participants to develop the necessary expertise to audit an Information Security Management System (ISMS) and to manage a team of auditors by applying widely recognized audit principles, procedures and techniques.

  • During this training, the participant will acquire the necessary knowledge and skills to proficiently plan and perform internal and external audits in compliance with ISO 19011 the certification process according to ISO 17011.
  • Based on practical exercises, the participant will develop the skills (mastering audit techniques) and competencies (managing audit teams and audit program, communicating with customers, conflict resolution, etc.) necessary to efficiently conduct an audit.

Certified Course

Who should attend?

  • Internal auditors
  • Auditors wanting to perform and lead Information Security Management System (ISMS) certification audits
  • Project managers or consultants wanting to master the Information Security Management System audit process
  • CxO and Senior Managers responsible for the IT governance of an enterprise and the management of its risks
  • Members of an information security team
  • Expert advisors in information technology
  • Technical experts wanting to prepare for an Information security audit function

Learning objectives

  • To acquire the expertise to perform an ISO/IEC 27001 internal audit following ISO 19011 guidelines
  • To acquire the expertise to perform an ISO/IEC 27001 certification audit following ISO 19011 guidelines and the specifications of ISO 17021 and ISO 27006
  • To acquire the necessary expertise  to manage an ISMS audit team
  • To understand the operation of an ISO/IEC 27001 conformant information security management system
  • To understand the relationship between an Information Security Management System, including risk management, controls and compliance with the requirements of different stakeholders of the organization
  • To improve the ability to analyze the internal and external environment of an organization, its risk assessment and audit decision-making

Course Agenda Go to Enrollment Form

Day 1: Introduction to Information Security Management System (ISMS) concepts as required by ISO/IEC 27001

  • Normative, regulatory and legal framework related to information security
  • Fundamental principles of information security
  • ISO/IEC 27001 certification process
  • Information Security Management System (ISMS)
  • Detailed presentation of the clauses 4 to 8 of ISO/IEC 27001

Day 2: Planning and Initiating an ISO/IEC 27001 audit

  • Fundamental audit concepts and principles
  • Audit approach based on evidence and on risk
  • Preparation of an ISO/IEC 27001 certification audit
  • ISMS documentation audit
  • Conducting an opening meeting

Day 3: Conducting an ISO/IEC 27001 audit

  • Communication during the audit
  • Audit procedures: observation, document review, interview, sampling techniques, technical verification, corroboration and evaluation
  • Audit test plans
  • Formulation of audit findings
  • Documenting nonconformities

Day 4: Concluding and ensuring the follow-up of an ISO/IEC 27001 audit

  • Audit documentation
  • Quality review
  • Conducting a closing meeting and conclusion of an ISO/IEC 27001 audit
  • Evaluation of corrective action plans
  • ISO/IEC 27001 Surveillance audit
  • Internal audit management program

Day 5: Certification Exam (Flexible schedule)

  • 8 am to 11:30 am (online)

Prerequisites

PECB Certified ISO/IEC 27001 Foundation Certification or basic knowledge of  ISO/IEC 27001 is recommended.

Educational approach

  • This training is based on both theory and practice:
    • Sessions of lectures illustrated with examples based on real cases
    • Practical exercises based on a full case study including role playings and oral presentations
    • Review exercises to assist the exam preparation
    • Practice test similar to the certification exam

Examination and Certification

  • The “PECB Certified ISO/IEC 27001 Lead Auditor” exam fully meets the requirements of the PECB Examination and Certification Programme (ECP). The exam covers the following competence domains:
    • Domain 1: Fundamental principles and concepts of information security
    • Domain 2: Information Security Management System (ISMS)
    • Domain 3: Fundamental audit concepts and principles
    • Domain 4: Preparation of an ISO/IEC 27001 audit
    • Domain 5: Conducting an 27001 audit
    • Domain 6: Closing an ISO/IEC 27001 audit
    • Domain 7: Managing an ISO/IEC 27001 audit program
  • The “PECB Certified ISO/IEC 27001 Lead Auditor” exam is available in different languages (the complete list of languages can be found in the examination application form)
  • Duration: 3 hours
  • For more information about the exam, refer to the section on PECB Certified ISO/IEC 27001 Lead Auditor Exam
  • After successfully completing the exam, participants can apply for the credentials of PECB Certified ISO/IEC 27001 Provisional Auditor, PECB Certified ISO/IEC 27001 Auditor or PECB Certified ISO/IEC 27001 Lead Auditor depending on their level of experience.  Those credentials are available for internal and external auditors
  • A certificate will be issued to participants who successfully pass the exam and comply with all the other requirements related to the selected credential
  • For more information about PECB Certified ISO/IEC 27001 certifications and the PECB certification process, refer to the section on ISO/IEC 27001 certifications

General Information

  • Certification fees are included in the exam price
  • A student manual containing over 450 pages of information and practical examples will be distributed to participants
  • A participation certificate of 31 CPD (Continuing Professional Development) credits will be issued to participants
  • In case of failure of the exam, participants are allowed to retake the exam for free under certain conditions

Location:

Online via Join.me

Fee: $1,750.00

Go to Enrollment Form

QMSCAPA Update to v2.6.12

Important enhancements were made in a new release of QMSCAPA™ (version 2.6.12) and is available for download from ABCI-Software.​​​​​​​

  • Added a new Nonconformance Report template to report NCRs by “Type” and date range.
  • Enhanced the Monitoring and Measuring Device module.
  • Enhanced the module for evaluating and surveying customer satisfaction.
  • Fixed a problem with correctly storing the User Defined Menu options in the QMSCAPA.INI file.
  • Updated the Document Control Index Viewer [DCIViewer.exe]
  • Updated the File and Table Manager.
  • Updated all Report Templates to include the template file name in the Report footer.
  • Updated the Supplier/Vendor Survey Questionnaire sets. (See options to access example data files and tables.)

Download the QMSCAPA ‘Update‘ and the free Viewer for Documented Information

QMSCAPA Viewer for Documented Informationhttp://qmscapa.abci-software.com/index.html?download_demo__upgrade.htm
  • 1) Document Icon – The Document Control Index (DCI) browse table hyperlinks to the file path of the stored document or image. The native file viewer opens the linked document.
  • 2) Person/Clipboard Icon – The Records Control Index (RCI) browse table hyperlinks to the file path of records and record approvals.
  • 3) information Icon – The Referenced Document table may be used to link to electronic documents for important equipment/instrument user guides, referenced standards, guidance document and other forms of Organization Knowledge.

Additional information about this release has been posted to What’s New in QMSCAPA.

NIST Releases Two Cybersecurity Guidance Publications

The National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE) released two draft practice guides today:

  1. Special Publication (SP) 1800-25: Identifying and Protecting Assets Against Ransomware and Other Destructive Events
  2. Special Publication (SP) 1800-26: Detecting and Responding to Ransomware and Other Destructive Events

Ransomware, malware, insider threats, and even honest user mistakes present ongoing threats to organizations. All types of data, such as database records, system files, configurations, user files, applications, and customer data, are potential targets of data corruption, modification, and destruction.

Formulating a defense against these threats requires thorough knowledge of the assets within the enterprise and protection of these assets against data corruption and destruction.

Furthermore, quick, accurate, and thorough detection and response to a loss of data integrity can save an organization time, money, and headaches. While human knowledge and expertise are essential components of a defense, the right tools and preparation are essential to minimizing downtime and losses due to data integrity events.

As detailed in these two practice guides, the NCCoE, in collaboration with members of the business community and vendors of cybersecurity solutions, has built example solutions to address these data integrity challenges.

CMMC FAQ’s

Background

The Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC), version 0.7 in December 2019 to support the public’s continued review of the draft model in preparation for the release of the CMMC Version 1.0 at the end of January 2020. The sharing of Federal Contract Information (FCI) and CUI with Defense Industrial Base (DIB) sector contractors expands the Department’s attack surface because sensitive data is distributed beyond the DoD’s information security boundary. Cybersecurity must become a foundation of DoD acquisition.

Towards that end, Office of the Under Secretary of Defense for Acquisition and Sustainment [OUSD(A&S)] is working with DoD stakeholders, University-Affiliated Research Centers, Federally Funded Research and Development Centers, and industry to develop the Cybersecurity Maturity Model Certification (CMMC).

CMMC is a DoD certification process that measures a DIB sector company’s ability to protect FCI and CUI. CMMC combines various cybersecurity standards and maps these best practices and processes to maturity levels, ranging from basic cyber hygiene to highly advanced practices. CMMC also adds a certification element to verify implementation of cybersecurity requirements.

CMMC is designed to provide the DoD assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for information flow down to subcontractors in a multi-tier supply chain. With respect to implementation, a DIB contractor may meet a specific CMMC level for its entire enterprise network or particular segment(s) or enclave(s).

1 – What is CUI?

CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at: https://www.archives.gov/cui and includes the following organizational index groupings:

  • Critical Infrastructure
  • Defense
  • Export Control
  • Financial
  • Immigration
  • Intelligence
  • International Agreements
  • Law Enforcement
  • Legal
  • Natural and Cultural Resources
  • NATO
  • Nuclear
  • Privacy
  • Procurement and Acquisition
  • Proprietary Business Information
  • Provisional
  • Statistical
  • Tax

2 – CUI versus FOUO?

CUI, established by Executive Order 13556, is an umbrella term for all unclassified information that requires safeguarding. FOUO, which stands for ‘For Official Use Only’, is a document designation used by the DoD.

3 – What are the concerns regarding cybersecurity in the Defense Industrial Base (DIB)?

The aggregate loss of controlled unclassified information (CUI) from the DIB sector increases risk to national economic security and in turn, national security. In order to reduce this risk, the DIB sector must enhance its protection of CUI in its networks.

The Council of Economic Advisers, an agency within the Executive Office of the President, estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 Billion in 2016 [Ref: “The Cost of Malicious Cyber Activity to the U.S. Economy, CEA” in February 2018].

The Center for Strategic and International Studies (CSIS), in partnership with McAfee, reports that as much as $600 Billion, nearly 1% of global GDP, may be lost to cybercrime each year. The estimate is up from a 2014 study that put global losses at about $445 Billion. [Ref: “Economic Impact of Cybercrime – No Slowing Down” in February 2018].

4 – What is CMMC?

CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that ranges from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use as a “go / no go decision.”

5 – Why is the CMMC being created?

DOD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.

6 – When will the final CMMC framework be released to the public?

Version 1.0 of the CMMC framework will be available in January 2020 to support training requirements. In June 2020, industry should begin to see the CMMC requirements as part of Requests for Information.

7 – Will other Federal (non DoD) contracts use CMMC?

The initial implementation of the CMMC will only be within the DoD.

8 – What is the relationship between NIST SP 800-171 rev.1 and CMMC?

The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.

9 – How will CMMC be different from NIST SP 800-171?

Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity. In addition to assessing the maturity of a company’s implementation of cybersecurity controls, the CMMC will also assess the company’s maturity/institutionalization of cybersecurity practices and processes.

10 – How will my organization become certified?

Your organization will coordinate directly with an accredited and independent third party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.

11 – How much will CMMC certification cost?

Will the cost be based on the level we requested or the size of the organization?

The certification cost has not yet been determined. The cost, and associated assessment, will likely scale with the level requested.

12 – Will there be a self-certification?

Self-certification shall not be recognized by the DoD.

13 – How do I request a certification assessment?

We expect that there will be a number of companies providing 3rd party CMMC assessment and certification.

14 – Who will perform the assessments?

An independent 3rd party assessment organization will normally perform the assessment. Some of the higher level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).

15 – Are the results of my assessment public?

Does the DoD see my results?

Your certification level will be made public, however details regarding specific findings will not be publicly accessible. The DoD will see your certification level.

16 – How often does my organization need to be reassessed?

The duration of a certification is still under consideration.

17 – If my organization is certified CMMC and I am compromised, do I lose my certification?

You will not lose your certification. However, depending on the circumstances of the compromise and the direction of the government program manager, you may be required to be recertified.

18 – If my organization is certified CMMC and I am compromised will my organization require re-certification?

A compromise will not automatically require a re-certification. However, depending on the circumstances of the compromise and the direction of your government program manager, you may be required to be re-certified.

19 – What if my organization cannot afford to be certified?

Does that mean my organization can no longer work on DOD contracts?

The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.

20 – My organization does not handle Controlled Unclassified Information (CUI). Do I have to be certified anyway?

Yes. All companies conducting business with the DoD must be certified. The level of certification required will depend upon the amount of CUI a company handles or processes.

21 – I am a subcontractor on a DoD contract. Does my organization need to be certified?

Yes, all companies doing business with the Department of Defense will need to obtain CMMC.

22 – How will I know what CMMC level is required for a contract?

The government will determine the appropriate tier (i.e. not everything requires the highest level) for the contracts they administer. The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an “allowable cost” in DoD contracts.

23 – Will CMMC certifications and the associated third party assessments apply to a classified systems and / or classified environments within the Defense Industrial Base?

The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ unclassified networks.

CMMC audits by third party assessment organizations will not be applied to classified systems or environments. The Defense Counterintelligence and Security Agency (DCSA) will include CMMC assessments as part of their holistic security rating score.

Download Sample File
Download CMMC v0.7 PDF

ABCI Consultants provide cyber security guidance, implementation and personnel training services, which focus on Information Security Management Systems (ISO 27001) and regulatory compliance (NIST 800-171).

DFARs 252.204-7012 & NIST 800-171 Foundations Course

This image has an empty alt attribute; its file name is nist-800-171-capitol-building-600x248.png This ABCI online self-study foundations course for NIST Special Publication 800-171 and the Defense Federal Acquisition Regulation supplement (DFARs) Clause 252.204-7012 for safeguarding and reporting Covered Defense Information (CDI). Controlled Unclassified Information (CUI) is any information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls.
  • CUI supports federal missions and business functions that affect the economic and national security interests of the United States.
Non-federal organizations:
  • colleges, universities,
  • state, local and tribal governments,
  • federal contractors and subcontractors often process, store, or transmit CUI.
NIST Special Publication 800-171 defines the security requirements for protecting CUI in non-federal information systems and organizations.
  • Requirements are organized into fourteen families.
  • Each family contains the requirements related to the general security topic of the family.
Defense Federal Acquisition Regulation supplement (DFARs) Clause 252.204-7012 is required in all contracts except for contracts solely for the acquisition of COTS items.
  • In addition the Contractor shall include the clause in subcontracts for which performance will involve Covered Defense Information (CDI) or Operationally Critical Support (OCS).
  • CDI is used to describe information that requires protection under DFARs Clause 252.204-7012.
  • It is defined as unclassified Controlled Technical Information (CTI) or other information as described in the CUI Registry.

(http://www.archives.gov/cui/registry/category-list.html)

  • CTI & CUI requires safeguarding/dissemination controls AND IS EITHER marked or otherwise identified in the contract and provided to the contractor by DoD in support of performance of the contract;
  • OR the CDI is collected, developed, received, transmitted, used or stored by the contractor in performance of contract.

Order Online Through PayPal’s Secure Card Services

1st Student Full Name & Email
2nd Student Full Name & Email

ABCI Expands Supply Chain Quality Management Services

Third-party Auditing Services for GMP in Manufacturing Cosmetics, FDA OTD and Plastic Food Packaging

ABCI Consultants offers a comprehensive range of capabilities to assist an organization with assessing, managing, and improving it suppliers, including contract manufacturers.

ABCI can assist with the improvement of your suppliers through a variety of assessment programs that include onsite auditing and evaluation of a supplier’s management systems.  We specialize in Good Manufacturing Practices (cGMP) and Quality Management Systems in manufacturing Cosmetics, FDA OTD and Plastic Food Packaging compared to international standards, which may include:

  • ISO 9001:2015 Standard for Quality Management Systems
  • ISO 22000 Standard for Food Safety & Quality Management Systems
    • FSSC – GMP for Food Safety Systems Certification for Food Packaging (Plastics)
  • ISO 22716 Cosmetics Good Manufacturing Practices (GMP)

One of the primary objectives of an onsite third-party audit is to verify that your contract manufacturer or supplier organization is conforming to the applicable standard, its own document methods/processes, and that their systems are ultimately effective to meet their customer’s requirements.

ABCI compliance audit, internal audit and other third-party auditing services include the following international standards:

Aerospace Quality Management Systems – AS9100

Automotive Quality Management Systems – IATF 16949

Environmental Management – ISO 14001

Laboratory Quality Management Systems – ISO 17025

Medical Device Quality Management Systems – ISO 13485

Quote and Contract Review Requirements in ISO Based Quality Management System

In ISO 9001:2015 there are specific requirements for Operational Planning and Control of processes. These control processes must be implemented with methods that can effectively meet the requirements for the provision of products and services, and to implement the actions that can mitigate risk and improve opportunities.

Effective with QMSCAPA software v1.51.3, a journal was added for recording the review process for verifying customer requirements for products and services.

The diagram below shows the data relationships with

Customer ⇓

⇑ ⇒ Opportunities (quotes, contracts, purchase orders) 

⇑ ⇒ Items (labor, material, outsources services, requirements)

Clause 8.1 state, “the planning should include methods for

  • determining the customer requirements for the products and services;
  • establishing criteria for the the processes and the acceptance of products and services;
  • determining the resources needed to achieve conformity to the product and service requirements;
  • implementing control of the processes in accordance with the criteria;
  • determining, maintaining and retaining documented information to the extent necessary to have confidence that the processes have been carried out as planned;
  • to demonstrate the conformity of products and services to their requirements.”

The requirements stated in Clause 8.2.2 is titled, “Determining the requirements for products and services”

Also, “when determining the requirements for the products and services to be offered to customers, the organization SHALL ensure that:

a) the requirements for the products and services are defined, including:

  1. any applicable statutory and regulatory requirements;
  2. those considered necessary by the organization;

b) the organization can meet the claims for the products and services it offers.”

Clause 8.2.3 describes the review of the requirements for products and services,

“8.2.3.1 The organization SHALL ensure that it has the ability to meet the requirements for products and services to be offered to customers. The organization SHALL conduct a review before committing to supply products and services to a customer, to include:

a) requirements specified by the customer, including the requirements for delivery and post-delivery activities;

b) requirements not stated by the customer, but necessary for the specified or intended use, when known;

c) requirements specified by the organization;

d) statutory and regulatory requirements applicable to the products and services;

e) contract or order requirements differing from those previously expressed.”

QMSCAPA includes data fields for recording

a. Quote date

b. Quote review date

c. Purchase Order date

d. PO verification date

e. Customer due date

f. Scheduled date

g. Completion date

h. Shipping date

QMSCAPA fulfills the requirements noted in Clause 8.2.3.2,  “the organization SHALL retain documented information, as applicable:

a) on the results of the review;

b) on any new requirements for the products and services.”

Report on Lightweight Cryptography

NIST recently announced the release of NISTIR 8114, Report on Lightweight Cryptography.

Link to the NISTIR 8114 document (PDF format) from the NIST Library website:
http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8114.pdf

Link to NISTIR 8114 located on the CSRC NISTIR page:
<http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-8114>

This report provides an overview of lightweight cryptography, summarizes the findings of NIST’s lightweight cryptography project, and outlines NIST’s plans for the standardization of lightweight algorithms.

Announcement by:

NIST Computer Security Division (Attn: Pat O’Reilly)

Awesome AS9100, AS9120 & ISO 9001 Time-saver Implementation Kits

ISO 9001 & AS9100 Time-saver implementation kits

AS9100 Implementation Kit (Support Option)

AS9120 Implementation Kit (Select Support Option)

ISO 9001:2015 Implementation Kit (Select Support Option)

ISO 27001 Lead Implementer Training Seminar scheduled for the Los Angeles area

Training Seminar to learn ‘how to guidance’ for the implementation and management of an Information Security Management System (ISMS) based on ISO/IEC 27001

4 1/2 days from May 29th through June 2nd

NIST 800-171 Foundation Training offered on June 2nd from 1 pm to 4 pm

Summary Go to Enrollment Form

This five-day intensive course enables participants to develop the necessary expertise to support an organization in implementing and managing an Information Security Management System (ISMS) based on ISO/IEC 27001:2013. Participants will also gain a thorough understanding of best practices used to implement information security controls from all areas of ISO/IEC 27002. This training is consistent with the project management practices established in ISO 10006 (Quality Management Systems – Guidelines for Quality Management in Projects). This training is also fully compatible with ISO/IEC 27003 (Guidelines for the Implementation of ISMS), ISO/IEC 27004 (Measurement of Information Security) and ISO/IEC 27005 (Risk Management in Information Security).

Who should attend?

  • Project managers or consultants wanting to prepare and to support an organization in the implementation of an Information Security Management System (ISMS)
  • ISO/IEC 27001 auditors who wish to fully understand the Information Security Management System implementation process
  • CxO and Senior Managers responsible for the IT governance of an enterprise and the management of its risks
  • Members of an information security team
  • Expert advisors in information technology
  • Technical experts wanting to prepare for an information security function or for an ISMS project management function

Learning objectives

  • To understand the implementation of an Information Security Management System in accordance with ISO/IEC 27001
  • To gain a comprehensive understanding of the concepts, approaches, standards, methods and techniques required for the effective management of an Information Security Management System
  • To understand the relationship between the components of an Information Security Management System, including risk management, controls and compliance with the requirements of different stakeholders of the organization
  • To acquire the necessary expertise to support an organization in implementing, managing and maintaining an ISMS as specified in ISO/IEC 27001
  • To acquire the necessary expertise to manage a team implementing ISO/IEC 27001
  • To develop the knowledge and skills required to advise organizations on best practices in the management of information security
  • To improve the capacity for analysis and decision making in the context of information security management

Course Agenda / Go to Enrollment Form

Day 1: Introduction to Information Security Management System (ISMS) concepts as required by ISO/IEC 27001; Initiating an ISMS

  • Introduction to management systems and the process approach
  • Presentation of the standards ISO/IEC 27001, ISO 27002 and ISO 27003 and regulatory framework
  • Fundamental principles of Information Security
  • Preliminary analysis and establishment of the level of the maturity level of an existing information security management system based on ISO 21827
  • Writing a business case and a project plan for the implementation of an ISMS

Day 2: Planning the implementation of ISMS based on ISO/IEC 27001

  • Defining the scope of an ISMS
  • Development of an ISMS and information security policies
  • Selection of the approach and methodology for risk assessment
  • Risk management: identification, analysis and treatment of risk (drawing on guidance from ISO/IEC 27005
  • Drafting the Statement of Applicability

Day 3: Implementing ISMS based on ISO/IEC 27001

  • Implementation of a document management framework
  • Design of controls and writing procedures
  • Implementation of controls
  • Development of a training & awareness program and communicating about the information security
  • Incident management (based on guidance from ISO 27035)
  • Operations management of an ISMS

Day 4: Controlling, monitoring, measuring and improving an ISMS; certification audit of the ISMS

  • Controlling and Monitoring the ISMS
  • Development of metrics, performance indicators and  dashboards in accordance with ISO 27004
  • ISO/IEC 27001 internal Audit
  • Management review of an ISMS
  • Implementation of a continual improvement program
  • Preparing for an ISO/IEC 27001 certification audit

Day 5: Certification Exam

Prerequisites

ISO/IEC 27001 Foundation Certification or a basic knowledge of ISO/IEC 27001 is recommended.

Educational approach Go to Enrollment Form

  • This training is based on both theory and practice:
    • Sessions of lectures illustrated with examples based on real cases
    • Practical exercises based on a full case study including role playings and oral presentations
    • Review exercises to assist the exam preparation
    • Practice test similar to the certification exam

Examination and Certification

  • The “PECB Certified ISO/IEC 27001 Lead Implementer” exam fully meets the requirements of the PECB Examination and Certification Programme (ECP). The exam covers the following competence domains:• Domain 1: Fundamental principles and concepts of information security
    • Domain 2: Information security control best practice based on ISO 27002
    • Domain 3: Planning an ISMS based on ISO/IEC 27001
    • Domain 4: Implementing an ISMS based on ISO/IEC 27001
    • Domain 5: Performance evaluation, monitoring and measurement of an ISMS based on ISO/IEC 27001
    • Domain 6: Continual improvement of an ISMS based on ISO/IEC 27001
    • Domain 7: Preparing for an ISMS certification audit
  • The “PECB Certified ISO/IEC 27001 Lead Implementer” exam is available in different languages (the complete list of languages can be found in the examination application form)
  • Duration: 3 hours
  • For more information, refer to the section on ISO/IEC 27001 Lead Implementer Exam
  • After successfully completing the exam, participants can apply for the credentials of PECB Certified ISO/IEC 27001 Provisional Implementer, PECB Certified ISO/IEC 27001 Implementer or PECB Certified ISO/IEC 27001 Lead Implementer, depending on their level of experience
  • A certificate will be issued to participants who successfully pass the exam and comply with all the other requirements related to the selected credential
  • For more information about PECB Certified ISO/IEC 27001 certifications and the PECB certification process, refer to the section on ISO/IEC 27001 Lead Implementer

General Information

  • Certification fees are included in the exam price
  • A student manual containing over 450 pages of information and practical examples will be distributed to participants
  • A participation certificate of 31 CPD (Continuing Professional Development) credits will be issued to participants
  • In case of failure of the exam, participants are allowed to retake the exam for free under certain conditions

Location:

Holiday Inn Express
14299 Firestone Blvd
La Mirada, CA 90638

Fee: $2,750.00

Note: 50% is due with your enrollment invoice and 50% is due on or before May 26, 2017.

Go to Enrollment Form