  • How mature and well-developed are your organization's systems for governing enterprise risk management, information security management, and business continuity management? How are your internal audits ensuring your organization is meeting stakeholder expectations to best practices as specified in ISO 27001 and BS 25999?
    Certification

    A certification scheme for this course is currently in development.

    Continuing Professional Education (CPE) Credit

    Upon course completion, we will provide you with an achievement certificate for 8 continuing professional education (CPE) credits that can be used to fulfill requirements for maintaining a variety of professional credentials for fraud examination, accounting, auditing, and information security.

    Formats

    Organizations are striving to use risk assessments to ensure that risks to critical operations and assets are managed appropriately. Controls used to mitigate the risk of related information security concerns or other business disruptions should be selected, deployed, and managed as a result of risk assessment. Unfortunately, many organizations perform these risk assessments without first auditing the organization's own approach, competence, and methodology for managing risk to begin with. After all, how can an organization rely upon the results of a risk assessment if the enterprise risk management system driving the risk assessment is poorly defined, loosely managed, and inherently flawed? You need to improve your organization's ability to perform risk assessment before you can use risk assessment results to improve operations and information security. Only after validating the organization's risk management system can the auditor attempt to measure the maturity and effectiveness of the business system used to govern related information security controls and management.

    How we can help.

    Certified Information Security has the knowledge, experience, and alliances to train your people. Allen Keele, the firm's founder, is certified as an ISO 27005 Certified Internal Controls Risk Analyst, a Certified Information Systems Security Professional, Certified Information Systems Auditor, Certified Information Security Manager, and Certified Fraud Examiner. He has delivered custom-developed information security training sessions to organizations throughout the world, including the United States, Caribbean, Africa, Europe, and Asia for over 12 years.

    Based upon the newly released ISO 27007:2011 and 19011:2011 Standards, this one-day course will provide an intensive overview of how to manage an internal audit of an organization's risk management program along with its corresponding information security management system. This course will also provide valuable guidance on conducting the internal audits, and on establishing and validating the competence of ISMS auditors.

    This course is applicable to those needing to understand or conduct internal or external audits of a risk management system supporting an ISMS, or how to manage an ISMS audit program.

  • Based upon the newly released ISO 27007:2011 and 19011:2011 Standards, this one-day course will provide an intensive overview of how to manage an audit of an organization's risk management program along with its corresponding information security management system. This course will also provide valuable guidance on conducting the audits, and on establishing and validating the competence of ISMS auditors.

    Covered topics include:

    • Managing a Risk Management System (RMS) and Information Security Management System (ISMS) audit program
      • Establishing the audit program objectives
        • Role and responsibilities of the person managing the audit program
        • Competence of the person managing the audit program
        • Determining the extent of the audit program
        • Identifying and evaluating audit program risks
        • Establishing procedures for the audit program
        • Identifying audit program resources
      • Implementing the audit program
        • Defining the objectives, scope and criteria for an individual audit
        • Selecting the audit methods
        • Selecting the audit team members
        • Assigning responsibility for an individual audit to the audit team leader
        • Managing the audit program outcome
        • Managing and maintaining audit program records
      • Monitoring the audit program
      • Reviewing and improving the audit program
    • Performing an Internal audit
      • Initiating the audit
        • Establishing initial contact with the auditee
        • Determining the feasibility of the audit
      • Preparing audit activities
        • Performing document review in preparation for the audit
        • Preparing the audit plan
          • Auditing the RMS scope and corresponding ISMS scope, policy and risk assessment approach
          • Auditing risk identification, analysis and evaluation, and risk treatment option identification and evaluation
          • Auditing the selection of control objectives and controls, approval of the proposed residual risks, management authorization, and Statement of Applicability
          • Auditing the implementation and operation of the ISMS
          • Auditing ISMS monitoring and review processes
          • Auditing ISMS maintenance and improvement
          • Auditing ISMS documentation
          • Auditing RMS and ISMS management responsibility
          • Auditing internal RMS/ISMS audits and RMS/ISMS management review (this topic provides guidance for external auditing, and self-check or peer-assessment guidance for internal auditing)
        • Assigning work to the audit team
        • Preparing work documents
      • Conducting the audit activities
        • Conducting the opening meeting
        • Performing document review while conducting the audit
        • Communicating during the audit
        • Assigning roles and responsibilities of guides and observers
        • Collecting and verifying information
        • Generating audit findings
        • Preparing audit conclusions
        • Conducting the closing meeting
      • Preparing and distributing the audit report
      • Completing the audit
      • Conducting audit follow-up
    • Competence and evaluation of auditors
      • Determining auditor competence to fulfil the needs of the audit program
        • Knowledge and skills
        • Generic knowledge and skills of management system auditors
        • Discipline and sector specific knowledge and skills of management system auditors
        • Generic knowledge and skills of an audit team leader
        • Knowledge and skills for auditing management systems addressing multiple disciplines
        • Achieving auditor competence
        • Audit team leader
      • Establishing the auditor evaluation criteria
      • Conducting auditor evaluation
      • Maintaining and improving auditor competence
  • This course is applicable to auditors, risk managers, and information security managers needing to understand or conduct internal or external audits of a risk management system supporting an ISMS, or how to manage an ISMS audit program.