ISO/IEC 27001

ISO/IEC 27001 (ISO 27001) is an international standard for Information Security management. It provides a model to establish, implement, maintain and continually improve a risk-managed Information Security Management System (ISMS).

The standard forms the basis for effective management of sensitive, confidential information and for the application of information security controls.

An organization that conforms to the ISO/IEC 27001 standard possesses clear, objective proof of its commitment to continued improvement of control over its sensitive and confidential information.

ISO/IEC 27001 therefore provides reassurance to sponsors, shareholders and customers that the organization has expert control over its risk management and data security.

Due to the diversity of different organizations’ information assets – the ISO/IEC 27001 standard is adaptable according to an organization’s requirements.

The design and implementation of the ISMS is tailored to the organization’s objectives, information assets, operational processes, governing legal requirements and regulatory security requirements.

ISO/IEC 27001 Foundation

Gain foundation level knowledge of how the standard operates in a typical organization.

This certification is aimed at those who are:

Supporting the implementation, operation or maintenance of an ISMS within an organization.
Required to audit an ISMS and to have a basic understanding of the standard.
Working within an organization with an ISMS, whether the organization is already certified or is considering certification to ISO/IEC 27001.
Preparing for the ISO/IEC 27001 Practitioner – Information Security Officer qualification.

The scope and purpose of ISO/IEC 27001 and how it can be used.
The key terms and definitions used in the ISO/IEC 27000 series.
The fundamental requirements for an ISMS in ISO/IEC 27001 and the need for continual improvement.
The processes, their objectives and high level requirements.
Applicability and scope definition requirements.
Use of controls to mitigate IS risks.
The purpose of internal audits and external certification audits, their operation and the associated terminology.
The relationship with best practices and with other related International Standards: ISO 9001 and ISO/IEC 20000.

Multiple choice format
50 questions per paper
25 marks or more required to pass (out of 50 available) – 50%
40 minute duration
Closed book

ISO/IEC 27001 Practitioner – Information Security Officer

Learn to apply the standard to enable the management of information security.

APMG ISO/IEC 27001 Foundation certificate.
TÜV SÜD ISO27001 Foundation certificate.
ICO-CERT ISMS 27001 Foundation certificate.

This qualification is aimed at those who are:

Internal managers and personnel working to implement, maintain and operate an ISMS within an organization.
External consultants supporting an organization’s implementation, maintenance and operation of an ISMS.
Internal auditors who are required to have an applied knowledge of the standard.

Applying the principles of ISMS policy and its information security scope, objectives, and processes within an organizational context.
Applying the principles of risk management including risk identification, analysis and evaluation and propose appropriate treatments and controls to reduce information security risk, support business objectives and improve information security.
How to analyze and evaluate deployed risk treatments and controls to assess their effectiveness and opportunities for continual improvement.
How to analyze and evaluate the effectiveness of the ISMS through the use of internal audit and management review to continually improve the suitability, adequacy and effectiveness of the ISMS.
How to create, apply and evaluate the suitability, adequacy and effectiveness of documented information and records required by ISO/IEC 27001.
How to identify and apply appropriate corrective actions to maintain ISMS conformity with ISO/IEC 27001.

Objective Testing
4 questions per paper with 20 marks available per question
40 marks or more required to pass (out of 80 available) – 50%
2 ½ hour duration
Open book

ISO/IEC 27001 Auditor

Certify your expertise in performing audits against the ISO 27001 standard.

Third-party auditors working for Certification Bodies, responsible for conducting audits which certify organizations against ISO 27001 and ISO 19011.
Internal auditors seeking to understand the specific requirements of auditing Information Security Management Systems needed to confirm that an organization conforms to the ISO 27001 or ISO 19011 standard.

How to audit organizations to identify conformity with ISO 27001.
How to evaluate the principles of risk management – including risk identification, analysis and evaluation.
How to propose appropriate treatments and controls to reduce information security risk, support business objectives and improve information security.
Leading organizations through an audit program.
Directing audit teams.
Evaluating the effectiveness of applied corrective actions to maintain ISMS conformity with ISO 27001.

40 questions
Multiple choice format
120 minute duration
20 marks or more required to pass (out of 40 available) – 50%
Open book: ISO/IEC 27001:2013, ISO/IEC 27002:2013, ISO 19011:2018, APMG ISO/IEC 27001 Suppmenentary Paper

FIND A TRAINING PROVIDER

SFIA Framework

SFIA is a globally recognised framework that “identifies skills needed for the Information age”. This APMG certification has been mapped against the SFIA Framework to help you see which certifications are most relevant to your professional development.

Generic attribute Knowledge up to level 3, Audit level 3, Information Security level 3, Threat Intelligence level 2

Generic attribute Knowledge up to level 4, Generic attribute Business Skills up to level 4, Audit up to level 4, Information Security up to level 4

Generic attribute Knowledge up to level 4, Generic attribute Business Skills up to level 4, Audit up to level 5

NIST Specialisms

Adapting a principled approach to enterprise risk management framework to better support cybersecurity decisions.

Cloud Computing

Smooth ascension into the cloud

CIISEC – Information and Cyber Security Foundation (ICSF)

A brand new, entry level exam for Cyber Security from the Chartered Institute of Information Security (CIISec)

EXPAND YOUR KNOWLEDGE

The NCSC’s Certified Cyber Professional (CCP) Security Architecture specialism launches today

Your competence in Security Architecture can now be recognised by the National Cyber Security Centre

The Cyber-Resilience DVMS-CPD Overlay Model

Live Stream to YouTube and LinkedIn

Leveraging the NIST Cybersecurity Framework – a Q & A with the DVMS Institute

Rick Lemieux, co-founder of the DVMS Institute, explains how the DVMS Institute helps businesses use the NIST Cybersecurity Framework.

CONTACT US

What is ISO/IEC 27001?

ISO/IEC 27001 is an international standard for Information Security management. It provides a model to establish, implement, maintain and continually improve a risk-managed Information Security Management System (ISMS). It forms the basis for effective management of sensitive, confidential information and for the application of information security controls.

Do I have to receive training to sit the exam?

No, however this is recommended. In addition to receiving accredited training, individuals also have the option of self-study to prepare for the examinations. APMG-International administer public exam sessions around the world to accommodate those who self-study.

How can I train for the ISO/IEC 27001 examinations?

Training for ISO/IEC 27001 is available from the network of Accredited Training Organizations (ATOs) who are assessed and certified by APMG-International. The full list of ISO/IEC 27001 ATOs can be found at https://www.apmg-international.com . Only these organizations and registered partners/affiliates are authorized to deliver ISO/IEC 27001 training.

How do I sit the exam(s)?

Accredited Training Organizations (ATOs) usually include the examination as part of their training course – please check with your ATO before booking.

For those who self-study, the exam can be taken anywhere in the world, from the comfort of your home or workplace, with online proctoring. A proctor will access your exam as you take it to monitor the exam environment through your computer’s desktop, webcam and microphone.

Once you have booked an exam, you will be given a registration email to schedule an appointment with your live proctor via our Candidate Portal. Our online proctoring system allows you to take your exam anytime as sessions are available 24 hours a day, 7 days a week. For more information, please click here: https://apmg-international.com/exams

APMG also administers a limited number of public exam sessions at some of our regional offices. Click here for further information and to book an exam: https://publicexambookings.apmg-international.com/

How much does it cost to sit the ISO/IEC 27001 examination?

If you are sitting the examination through an accredited training organization, the cost of the exam is generally included in the course fee but please check with your training provider at the time of booking.

APMG-International use a global pricing structure, so if you are studying at home, the cost is dependent on where the country in which the exam is being sat. To find out the cost in your region, please

Are there any pre-requisites for the ISO/IEC 27001 examinations?

Foundation: there are no pre-requisites for this level
Practitioner Information Security Officer: The Foundation qualification is a pre-requisite for this level. APMG will also accept TÜV SÜD ISO/IEC 27000 Foundation or ICO-CERT ISMS 27001 Foundation.
Auditor: It is recommended (not mandated) that candidates hold the APMG ISO/IEC 27001 Foundation level (or equivalent qualification) before attending this course. The Auditor level assumes candidates have knowledge of the ISO/IEC 27001 and ISO 19011 standards, and their application in a given situation.

What are the main publications for ISO/IEC 27001 and where can I purchase them?

Foundation

The primary references for the Foundation qualification are the International Standards:

ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems – Requirements
ISO/IEC 27000:2018 Information technology — Security techniques — Information security management systems – Overview and vocabulary.

Other references are made to:

Supplementary reference paper for ISO/IEC 27001 Qualification.

The Foundation level requires knowledge of the requirements in ISO/IEC 27001:2013 and the terms, definition and concepts in ISO/IEC 27000:2018 as well as information in the supplementary reference paper as stated in the syllabus topic. It is essential that all delegates have access to a personal copy of ISO/IEC 27001:2013 and the Supplementary Reference Paper during any training course. Delegates should have access to a personal copy of ISO/IEC 27000:2018 or to the information referenced from it in this syllabus. Please note that the examination is closed book. The references provided should be considered to be indicative rather than comprehensive, i.e. there may be other valid references within the guidance.

For the primary reference, the relevant part of the standard is used as the major part of the reference and this is followed by the section number used e.g. ISO/IEC 27001, 4.2 relates to ISO/IEC 27001:2013 Clause 4.2.

The syllabus requires awareness of but does not require a detailed knowledge of other referenced standards:

ISO 9001:2015, Quality management systems — Requirements
ISO/IEC 20000-1:2018, Information technology – Service management – Part 1: Service management system requirements
ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security management
ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems guidance
ISO/IEC 27004:2016 Information technology — Security techniques — Information security management – Monitoring, Measurement, Analysis and Evaluation
ISO/IEC 27005:2018, Information technology — Security techniques — Information security risk management
ISO/IEC 27006:2015, Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27013:2015, Information technology — Security techniques – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1.

Practitioner Information Security Officer

The primary references for the Practitioner – Information Security Officer course are the International Standards:

ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems – Requirements
ISO/IEC 27000:2018 Information technology — Security techniques — Information security management systems – Overview and vocabulary
ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls
ISO/IEC 27005:2018, Information technology — Security techniques — Information security risk management

Reference is made to ISO/IEC 27003:2017, Information technology — Security techniques Information security management system implementation guidance. Candidates do not need their own copy of this standard as the relevant information is available in the Supplementary reference paper for ISO/IEC 27001 Qualification, Sections 5 and 6.

Syllabus topics at levels 3 and 4 provide the primary references but may also include any other topic from the syllabus area. It is essential that all delegates have access to a personal copy of ISO/IEC 27001:2013 and the Supplementary Reference Paper during any training course. Delegates should have access to a personal copy of ISO/IEC 27002:2013 and ISO/IEC 27005:2018. Please note that the examination is open book.

Auditor

The primary references for the ISO/IEC 27001 Auditor course are the International Standards:

ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems – Requirements
ISO/IEC 27000:2018 Information technology — Security techniques — Information security management systems – Overview and vocabulary
ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security management
ISO 19011:2018 Guidelines for auditing management systems
APMG ISO/IEC 27001 Supplementary Paper

Other references are made to the Supplementary reference paper for ISO/IEC 27001 Qualification.

It is mandatory that all delegates have access to a personal copy of these documents during their training and at the Examination.

Please note that Auditor examinations are open book. No content related individual notes in the used standards are permitted.

Syllabus topics at levels 3 and 4 provide the primary references but may also include any other topic from the syllabus area.

The references provided should be considered to be indicative rather than comprehensive, i.e. there may be other valid references within the guidance.

How long will it take to learn the ISO/IEC 27001 material?

For individuals self-studying it is almost impossible to say. As all candidates have different experience and amount of time available for study, it varies from person to person. We suggest you buy the manual and have a look through for yourself before deciding how long you need to spend learning.

For those studying with an accredited training organization, Foundation courses are generally delivered over 3 days, while combined Foundation and Practitioner courses are generally delivered over 5 days. It is well worth investigating with individual providers, as some will offer tailored, online or blended learning solutions.

What is the structure of the ISO/IEC 27001 examinations?

Summaries of the structure of the ISO/IEC 27001 Foundation, Practitioner Information Security Officer and Auditor examinations are below: