Koyer Training Services
Phone: (+44) 113 216 3188
Email: info@koyertraining.com

ISO 27001 Information Security Management Systems Lead Auditor

Category: Operational Auditing and Quality Assurance
Date: October 25, 2025

Introduction

This rigorous Lead Auditor course is designed to train professionals to audit an Information Security Management System (ISMS) based on ISO/IEC 27001:2022. It provides a comprehensive understanding of the standard's requirements, focusing on the context of the organization, risk treatment, and the application of the security controls in Annex A. Participants will learn how to plan, execute, and report on ISMS audits that verify whether the ISMS actually preserves the confidentiality, integrity, and availability (CIA) of information, rather than merely documenting an intent to do so. The training equips attendees with the skills to lead audit teams, manage the audit program, and assess an organization's maturity in handling contemporary information security threats.

Objectives

Upon completion of this course, participants will be able to:

  • Explain the purpose of an ISMS and the principles of ISO 27001:2022.
  • Interpret the specific requirements of the standard, including the Statement of Applicability (SoA).
  • Apply the principles and techniques of auditing as defined by ISO 19011.
  • Plan, lead, and manage an ISMS audit team and program.
  • Conduct effective audits of the information security risk assessment and treatment process.
  • Assess the implementation and effectiveness of controls from Annex A of ISO 27001.
  • Prepare comprehensive and factual audit reports that identify security nonconformities.
  • Evaluate the effectiveness of the ISMS monitoring, review, and incident management processes.

Target Audience

  • Information Security Managers and Directors.
  • IT and Data Protection Officers.
  • Internal Auditors seeking to specialize in ISO 27001.
  • Risk, Compliance, and Governance Professionals.
  • Consultants involved in ISO 27001 implementation.
  • Personnel responsible for third-party supplier security assurance.

Methodology

  • Case Studies focused on security breaches and incident response failures.
  • Practical Exercises in Auditing a Statement of Applicability (SoA).
  • Group Simulation: Assessing a set of Annex A controls for effectiveness.
  • Role-Playing: Interviewing the CISO or IT Manager on security risk.
  • Discussions on the impact of regulatory compliance (e.g., GDPR) on the ISMS audit.

Personal Impact

  • Achieve the highly valued professional qualification of ISO 27001 Lead Auditor.
  • Develop deep expertise in auditing information security risks and controls.
  • Enhance your ability to assess and protect the organization's critical information assets.
  • Gain high-demand skills in managing a comprehensive security audit program.
  • Improve career prospects in information security and cyber-resilience roles.
  • Gain confidence in verifying compliance with legal, statutory, and contractual security obligations.

Organizational Impact

  • Enhanced protection of critical information assets (confidentiality, integrity, availability).
  • Significant reduction in the likelihood and impact of information security incidents.
  • Improved compliance with data protection laws and contractual security obligations.
  • More efficient allocation of resources to high-risk security areas.
  • Increased stakeholder and customer confidence in data handling practices.
  • A clear, independently verified assessment of ISMS maturity and effectiveness.

Course Outline

Unit 1: Fundamentals of Information Security and ISO 27001

Section 1.1: ISMS Context and Requirements
  • The importance of information security and the CIA triad (Confidentiality, Integrity, Availability).
  • Overview of ISO 27001:2022 and its high-level structure.
  • Auditing the Context of the Organization and stakeholder information security needs.
  • Auditing the Information Security Policy and objectives.
Section 1.2: Risk and Controls
  • In-depth auditing of the Information Security Risk Assessment and Treatment process.
  • Understanding and auditing the Statement of Applicability (SoA).
  • Introduction to the structure and selection of security controls (Annex A).
  • Auditing the competence, awareness, and documentation requirements of the ISMS.

Unit 2: Audit Principles and Program Leadership (ISO 19011)

Section 2.1: Audit Management
  • Review of the principles of auditing and their specific application to information security.
  • Defining the roles, responsibilities, and necessary competence of an ISMS Lead Auditor.
  • Establishing a risk-based audit program focused on high-risk security domains.
  • Techniques for leading and managing a specialist audit team.

Unit 3: Planning the ISMS Audit and Control Assessment

Section 3.1: Preparation and Planning
  • Defining the scope, objectives, and criteria for the ISMS audit.
  • Risk-based audit planning focusing on critical information assets and threats.
  • Conducting a thorough documentation review, including the SoA and risk treatment plan.
  • Developing process-based audit checklists for technical and procedural controls.

Unit 4: Conducting the ISMS Audit and Annex A Controls

Section 4.1: Execution and Evidence Gathering
  • Effective interviewing techniques for IT, C-level, and operational staff.
  • Auditing the implementation and effectiveness of key Annex A controls (e.g., Access Control, Cryptography).
  • Auditing operational processes: Backup, logging, monitoring, and change management.
  • Verifying the Information Security Incident Management process.
Section 4.2: Findings and Classification
  • Determining conformity, nonconformity, and opportunities for improvement.
  • Writing clear, specific, and evidence-supported nonconformity statements related to security gaps.
  • Managing the closing meeting and communication of sensitive security findings.

Unit 5: Reporting, Closure, and Continuous Improvement

Section 5.1: Reporting and Closure
  • Structuring and compiling the final ISO 27001 audit report.
  • Auditing the Corrective Action process for information security incidents and nonconformities.
  • Evaluating the effectiveness of corrective actions and residual risk.
Section 5.2: Management Review
  • Integrating audit results, threat intelligence, and performance data into the management review.
  • Maintaining Lead Auditor competence in a rapidly evolving threat landscape.
  • Formal audit closure and documentation.

Upcoming Sessions

  • Istanbul: February 02, 2026 - February 06, 2026
  • Kuala Lumpur: February 23, 2026 - February 25, 2026
  • Lisbon: March 16, 2026 - March 20, 2026
© 2025 Koyer Training Services