Introduction 

The successful completion of this course is pre-requisite and essential to becoming an ISMS (ISO/IEC 27001, Information Security Management Systems) Internal Auditor.  

To participate in this training course, the following prior knowledge was expected: 

1. Knowledge of Management System Compliance (ISO 19600)
   • Process approach (Plan-Do-Check-Act)
   • Business overall compliance risk management (ISO 31000), includes legal, legislation, contractual obligations, standards, policies, and procedures.
   • Top management leadership, other roles and responsibilities to support management system
   • Consideration of planning a management system - identify the organizational and technical measures to manage the identified risk
   • Supporting required by the management system 
   • Management system operation consideration - monitoring, reporting and communicating 
   • Performance evaluation of a management - objectives evaluation, Internal Audits, and Management Review 
   • Continually improve the effectiveness of a management system
2. Knowledge of Information security management principles and concepts includes but not limited to:
   • awareness of the need for information security;
   • the assignment of responsibility for information security;
   • incorporating management commitment and the interests of stakeholders;
   • enhancing societal values;
   • using the results of risk assessments to determine appropriate controls to reach acceptable levels of risk;
   • incorporating security as an essential element of information networks and systems;
   • the active prevention and detection of information security incidents;
   • ensuring a comprehensive approach to information security management;
   • continual reassessment of information security and make of modifications as appropriate.
3. Management system audit (ISO 19011)
   • Audit programme management 
   • Initial the audit
   • Document review
   • Preparing for the on-site audit
   • Audit skills
   • Conducting on-site audit 
   • Preparation of Audit evidence and findings
   • Audit report
   • Audit follow-up 
4. ISO/IEC 27001: Knowledge of the requirements of ISO/IEC 27001 (with ISO/IEC 27002) and the commonly used information security management terms and definitions, as given in ISO/IEC 27000.

Note. You are advised that course examination questions can relate to any requirement of ISO/IEC 27001 and the expected prior knowledge. For delegates who do not have these, we recommend attending our foundation training course. 

Who should attend?

This is intended for those who will be involved in leading audits of an ISMS that conforms to ISO/IEC 27001:2013 in any organization. Suggested job functions and their teams include:

• Information security managers
• IT and corporate security managers
• Corporate governance managers
• Risk and compliance managers
• Information security consultants

Learning objectives

• Learn Plan-Do-Check-Act (PDCA) cycle model in ISMS, the role of internal auditor in the maintenance and improvement of ISMS. 
• Learn how to explain the role of an auditor to plan, conduct, report, and follow-up an internal ISMS audit in accordance with ISO 19011 where appropriate
• Learn how to plan, conduct, report and follow-up an internal audit of part of an ISMS based on ISO 27001, or acceptable equivalent, and in accordance with ISO 19011 

Course benefits

• Your organization will have an internal resource and process to be able to conduct its own audit of its ISMS to assess and improve conformance with ISO/IEC 27001:2013
• You will gain a professional qualification that certifies that you have the knowledge and skills to conduct an internal audit of an ISMS in any organization
• Successful auditing will improve the protection of an organization’s data (i.e. business confidential information, the privacy of personal data) to meet market assurance and corporate governance needs
• Understand how to identify gaps in an ISMS system
• Accurately audit will be able to provide continuous improvement to a management system 

Course outline

Day 1, management systems knowledge (ISO 27001)

• Overview to management system structure (MSS) and process approach (PDCA) - ISO 27001
• Understand the organization's compliance risk
• Management systems and PDCA
• Management system internal audit requirements and process
• Auditor responsibilities
• Planning the audit (i.e. audit plan, checklist, and notes)

Day 2, Guidelines for auditing management systems (ISO 19011)

• Conducting the audit (includes opening meeting, audit skills, collect audit evidence, and audit findings)
• Report and close the audit (includes audit conclusion, audit report and closing meeting)
• Follow up the audit
• Course summary / Q&A / Course examination 

What's included?

• Course material
• Course examination 
• Course certificate

Organizational information

• Delegates should note that there are evening works during the course
• The minimal numbers of delegates for this course are 4 and the maximum is 20. If the students are less than 4, the course will be postponed.
• This course is facilitated by www.TKSG.Global online learning management system (LMS). The participants should have the capability to use their own PC, laptop notebook or suitable mobile devices to access the LMS.
• This course is run in collaboration with CQI/IRCA Approved Training Partner - Hermes infotech Inc.