Jul 10 2022

How to choose the most appropriate training

Category: CISODISC @ 12:20 pm
How to select the most appropriate ISO training

How to choose the most appropriate training

When implementing and maintaining a management system, it becomes vitally important to ensure that you have acquired adequate knowledge of the standard to ensure success. It does not matter if you are considering ISO 27001:2013 for information security, ISO 9001:2015 for quality management, or ISO 14001:2015 for environmental management, gaining the necessary knowledge about the standard requirements is an important first step to implementing. However, it can be difficult to pick the right course.

Below is a table explaining the different training courses available, including duration and suggested participants:

How to select the most appropriate ISO training

Which course should you choose?

So, with all of the training course options available, how do you pick the right course? This is very much dependent on which role you will play in the implementation and maintenance of the management system.

Here is a bit about the different types of courses to help you decide:

  • Foundations course – Do you just need to understand the basics of the ISO standard? Then the foundations course might be what you want. This course becomes invaluable if you will have expert assistance for your implementation, but need to have a good overall understanding of the requirements. For instance, if you will have a consultant, but want to know what to do when they are done, then an overall understanding of the ISO standard could be enough knowledge.
  • Data protection officer course – With the EU General Data Protection Regulation (GDPR) governing how personal information needs to be protected, you will want to have a main person in charge of meeting this regulation: the data protection officer. If this will be you, then the EU GDPR data protection officer course is what you need to understand the ins and outs of this regulation and what it means for your business.
  • Internal auditor course – All management systems include a process for your organization to perform an audit of your processes internally to your organization to confirm for yourself that your processes are happening as you planned them to. If you will be one of the internal auditors who will perform these process audits, then this course will help you to understand not only the requirements of the standard, but also the requirements of how to perform a process audit to confirm conformity and find opportunities for improvement in your organization.
  • Lead implementer course – The main person in charge of implementing the management system needs more than just a passing understanding of the standard requirements. If this will be you, then the lead implementer course will give you a more in-depth knowledge of what the standard requires, as well as knowledge of how to implement the requirements at your organization with practical tools to help. If you are going to be a consultant for others, this course is also an invaluable tool, with certification an option to demonstrate your competence.
  • Lead auditor course – With the ISO management system standard, many companies will choose to apply for certification as an independent method to demonstrate their compliance with the standard. This process is done by auditors from a third-party, independent certification body who will confirm that the processes you have implemented meet the requirements of the ISO standard. The auditors who will perform these audits need to pass the examination for lead auditor certification. If you are performing internal audits for a company, this training can also be beneficial, as it allows you to understand the training taken by the certification auditors.

Find the training that is right for you

Remember, when picking the training, you should first think about how you will apply the knowledge to ensure you choose the most suitable training for your current or future role. You don’t want to finish training only to find that how you are intended to apply your newfound skills is incompatible with the knowledge gained, as you may then need to re-take additional training for the new role. Choose the right training from the start, and you can be better assured that your utilization of the knowledge will be better applied, and your management system implementation will be easier.

Tags: ISO 27001 Auditing, ISO27001 training, ISO27k courses, ISO27k training

Aug 03 2021

ISO 27001 vs. ISO 27002: What’s the difference?

Category: Information Security,ISO 27kDISC @ 11:09 am

Anyone with an interest in information security will have encountered ISO 27001, the international standard that describes best practice for an ISMS (information security management system).

However, you might not be as familiar with ISO 27002. It’s a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001.

Although ISO 27001 is the more well-known standard – and the one that organisations certify to – neither can be considered in isolation. This blog explains why that’s the case, helping you understand how each standard works and the differences between them.

What is ISO 27001?

ISO 27001 is the central framework of the ISO 27000 series, which is a series of documents relating to various parts of information security management.

The Standard contains the implementation requirements for an ISMS. These are essentially an overview of everything you must do achieve compliance.

This is particularly useful at the start of your project, or if you’re looking for general advice but can’t commit to a full-scale implementation project.

To meet these requirements, organisations must:

What is ISO 27002?

ISO 27002 is a supplementary standard that focuses on the information security controls that organisations might choose to implement.

These controls are listed in Annex A of ISO 27001, which is what you’ll often see information security experts refer to when discussing information security controls. However, whereas Annex A simply outlines each control in one or two sentences, ISO 27002 dedicates an average of one page per control.

This is because the Standard explains how each control works, what its objective is, and how you can implement it.

The differences between ISO 27001 and ISO 27002

There are three main differences between ISO 27001 and ISO 27001:

  • Detail

If ISO 27001 went into as much detail as ISO 27002, it would be unnecessarily long and complicated.

Instead, it provides an outline of each aspect of an ISMS, with specific advice being found in additional standards. ISO 27002 is only one of these. For example, ISO 27003 covers ISMS implementation guidance and ISO 27004 covers the monitoring, measurement, analysis and evaluation of the ISMS.

  • Certification

You can certify to ISO 27001 but not to ISO 27002. That’s because ISO 27001 is a management standard that provides a full list of compliance requirements, whereas supplementary standards such as ISO 27002 address one specific aspect of an ISMS.

  • Applicability

A key thing to consider when implementing an ISMS is that not all information security controls will apply to your organisation.

ISO 27001 makes that clear, specifying that organisations conduct a risk assessment to identify and prioritise information security threats. ISO 27002 doesn’t mention this, so if you were to pick up the Standard by itself, it would be practically impossible to figure out which controls you should adopt.

When you should use each standard

ISO 27001 and ISO 27002 have different objectives and will be helpful in different circumstances.

If you’re starting out with the Standard or are planning your ISMS implementation framework, then ISO 27001 is ideal. You should refer to ISO 27002 once you’ve identified the controls that you’ll be implementing to learn more about how each one works.

Learn the basics of information security

You can find out more about how to implement a best-practice ISMS by enrolling on our ISO27001 Certified ISMS Foundation Training Course.

This one-day course provides a comprehensive introduction to the key elements required to comply with ISO 27001. You’ll learn from expert information security consultants and have the chance to review case studies and participate in group discussions and practical exercises.

Developed by the team that led the world’s first successful ISO 27001 implementation project, this one-day course provides a comprehensive introduction to Standard.

You’ll learn from expert information security consultants, as they explain:

  • ISO 27001 management system documentation;.
  • How to plan, scope and communicate throughout your ISO 27001 project; and
  • The key steps involved in an ISO 27001 risk assessment.

Source: ISO 27001 vs. ISO 27002

Previous blog posts on ISO27k

Pentests are required for ISO 27001 or SOC2 audits

ISO 27002 major revision

With ISO27001 how you should choose the controls needed to manage the risks

The importance of the Statement of Applicability in ISO 27001 – with template

Steps to implement ISMS (ISO 27001)

How FAIR & ISO 27001 Work Together

ISO 27001 Handbook: Implementing and auditing an Information Security Management System in small and medium-sized businesses

Tags: ISO 27001 2013, ISO 27001 2013 Gap Assessment, ISO 27001 2013 Toolkit, ISO 27001 Auditing, iso 27001 certification, ISO 27001 Handbook, ISO 27001 implementation, ISO 27001 Lead Implementer, iso 27002, Statement of Applicability in ISO 27001