Version 2.0 (Status: Live) Page 1 of 23 Owner: Chief Examiner ©The APM Group Limited 2014
This document is not to be reproduced or re-sold without the express permission from The APM Group Ltd The APMG-International ISO/IEC 27001 and Swirl Device logo is a Trade Mark of The APM Group Limited
Information Security Management
Qualification using
ISO/IEC 27001
Foundation & Practitioner Syllabus
10 April 2014
Document history
Version 1.0, 28 Nov 2012: 1st issue. Issued by Andrew Marlow.
Version 2.0, 10 April 2014: (1) Updated for the 2013 edition of ISO/IEC 27001, 27002 and the 2014 edition of ISO/IEC 27000; (2) Updated to fit with the newly launched ISO/IEC 27001 Practitioner qualification. Issued by Andrew Marlow.
Introduction
Note: in the following text, ‘ISMS’ is used to refer to an Information Security Management System meeting the requirements of ISO/IEC 27001. ‘IS’ is used to refer to Information Security as, for example, in IS processes.
This syllabus describes the APMG ISO/IEC 27001 Foundation and Practitioner certificate qualifications.
The primary purpose of the syllabus is to provide a basis for accreditation of people involved with ISO/IEC 27001 and information security management at Foundation and Practitioner levels. It documents the learning outcomes related to the use of ISO/IEC 27001 at these levels and describes the requirements a candidate is expected to meet to demonstrate that these learning outcomes have been achieved at each qualification level.
The target audience for this document is:
Exam Board
Exam Panel
APMG Assessment Team
Accredited Training Organizations.
This syllabus informs the design of the exams and provides accredited training organizations with a more detailed breakdown of what the exams will assess. Details on the exam structure and content are documented in the ISO/IEC 27001 Foundation and Practitioner Designs.
1 Foundation Qualification
1.1 Purpose of the Foundation Qualification
The purpose of the Foundation qualification is to confirm that a candidate has sufficient knowledge of the contents and high level requirements of the ISO/IEC 27001 standard, and understands at a foundation level how the standard operates in a typical organization.
The Foundation qualification is designed to provide the basic knowledge of ISO/IEC 27001 required as a pre-requisite for the Practitioner qualification.
1.2 Target Audience
This qualification is aimed at those who are:
Supporting the implementation, operation or maintenance of an ISMS within an organization
Required to audit an ISMS and to have a basic understanding of the standard
Working within an organization with an ISMS, whether the organization is already certified or is considering certification to ISO/IEC 27001
Preparing for the ISO/IEC 27001 Practitioner qualification.
There is no pre-requisite for the Foundation qualification but an interest and/or background in information security or service management would be an advantage.
1.3 High Level Performance Definition of a Successful Information Security Management Foundation Candidate
The candidate should understand the scope, objectives, key terminology and high level requirements of the ISO/IEC 27001 standard, how it is used in an organization for information security, together with the main elements of the certification process.
Specifically, the candidate should understand:
The scope and purpose of ISO/IEC 27001 and how it can be used
The key terms and definitions used in the ISO/IEC 27000 series
The fundamental requirements for an ISMS in ISO/IEC 27001 and the need for continual improvement
The processes, their objectives and high level requirements
Applicability and scope definition requirements
Use of controls to mitigate IS risks
The purpose of internal audits and external certification audits, their operation and the associated terminology
The relationship with best practices and with other related International Standards: ISO 9001 and ISO/IEC 20000.
2 Practitioner Qualification
2.1 Purpose of the Practitioner Qualification
The purpose of the Practitioner qualification is to confirm whether the candidate has achieved sufficient understanding of ISO/IEC 27001 and its application in a given situation. A successful Practitioner candidate should, with suitable direction, be able to start applying the International Standard to enable the management of information security, but may not be sufficiently skilled to do this appropriately for all situations. Their individual information security expertise, the complexity of the information security management system and the support given for the use of ISO/IEC 27001 in their work environment will all be factors that affect what the Practitioner can achieve.
2.2 Target Audience
This qualification is aimed at those who are:
Internal managers and personnel working to implement, maintain and operate an ISMS within an organization
External consultants supporting an organization’s implementation, maintenance and operation of an ISMS.
Internal auditors who are required to have an applied knowledge of the standard.
The pre-requisite for this qualification is the APMG ISO/IEC 27001 Foundation qualification.
2.3 High Level Performance Definition of a Successful Practitioner Candidate
Candidates must exhibit the competences required for the foundation qualification and show that they can apply ISMS concepts to achieve the objectives and requirements of ISO/IEC 27001 and supporting standards within an organizational context.
Specifically, successful candidates should be able to:
Apply the principles of ISMS policy and its information security scope, objectives, and processes within an organizational context.
Apply the principles of risk management including risk identification, analysis and evaluation and propose appropriate treatments and controls to reduce information security risk, support business objectives and improve information security.
Analyze and evaluate deployed risk treatments and controls to assess their effectiveness and opportunities for continual improvement.
Analyze and evaluate the effectiveness of the ISMS through the use of internal audit and management review to continually improve the suitability, adequacy and effectiveness of the ISMS.
Understand, create, apply and evaluate the suitability, adequacy and effectiveness of documented information and records required by ISO/IEC 27001.
Identify and apply appropriate corrective actions to maintain ISMS conformity with ISO/IEC 27001.
3 Learning Outcomes Assessment Model
A classification widely used when designing assessments for certification and education is the Bloom’s Taxonomy of Educational Objectives. This classifies learning objectives into six ascending learning levels, each defining a higher degree of competencies and skills. (Bloom et al, 1956, Taxonomy of Educational Objectives). APMG have incorporated this into a Learning Outcomes Assessment Model which is used to provide a simple and systematic means for assessing and classifying the learning outcomes for APMG qualifications. This structured approach helps to ensure:
A clear delineation in learning level content between different qualification levels
Learning outcomes are documented consistently across different areas of the guidance
Exam questions and papers are consistent and are created to a similar level of difficulty.
The Foundation qualification examines learning outcomes at levels 1 (knowledge) and 2 (comprehension). The Practitioner qualification tests learning outcomes at levels 2 (comprehension), 3 (application) and 4 (analysis).
ISO/IEC 27001 Learning Outcomes Assessment Model
For each level, the first definition is the generic definition from the APMG Learning Outcomes Assessment Model; the second is the Information Security Management Foundation Qualification Learning Outcome Assessment Model definition.

1. Knowledge
Generic: Know key facts, terms and concepts from the standard.
ISM qualification: Know facts, including terms and definitions, concepts, principles, controls, roles and responsibilities from the standard.

2. Comprehension
Generic: Understand key concepts from the standard.
ISM qualification: Understand the concepts, responsibilities, controls and the requirements, processes and documents needed to conform to the standard.

3. Application
Generic: Be able to apply key concepts relating to the syllabus area for a given scenario.
ISM qualification: Be able to apply key ISMS concepts relating to achievement of the requirements of ISO/IEC 27001 for a given scenario.

4. Analysis
Generic: Be able to analyse and distinguish between appropriate and inappropriate use of the standard for a given scenario situation.
ISM qualification: Be able to identify, analyze and distinguish between appropriate and inappropriate use of ISMS methods and controls for achieving the requirements of ISO/IEC 27001 through assessment of situations outlined in typical scenarios.
4 Syllabus Areas
The syllabus is presented by syllabus areas. This is the unit of learning which may relate to a chapter from the standard or several concepts commonly grouped together in a training course module. The following syllabus areas are identified.
Syllabus Area Code
Syllabus Area Title
OV Overview of ISO/IEC 27001 and related best practices, standards and schemes
LE Leadership and support of the ISMS
PL Planning and operation of the ISMS
CO Information security control objectives and controls
AC Achieving ISO/IEC 27001 certification
5 Syllabus Presentation
For each syllabus area learning outcomes for each learning level are identified. Each learning outcome is then supported by a description of the requirements that a candidate is expected to meet to demonstrate that the learning outcome has been achieved at the qualification level indicated. These are shown as syllabus topics. Each of the syllabus areas is presented in a similar format as follows:
Syllabus Area Code: OV [2]
Syllabus Area: The ISO/IEC 27001 foundation qualification syllabus Area (XX) Theme [1]
Columns: Level | Topic | Topic description | Foundation | Practitioner | Primary References
Know facts, terms and concepts relating to the syllabus area. [3]
Specifically to recall:
01 [4] | 01 [5] | [6] | [7] | [8]
01 | 02 | | | |
Key to the Syllabus Area table
1 Syllabus Area Unit of learning, e.g. chapter of the reference guide or course module.
2 Syllabus Area Code A unique 2 character code identifying the syllabus area.
3 Learning Outcome (topic header shown in bold) A statement of what a candidate will be expected to know, understand or do.
4 Level Classification of the learning outcome against the APMG OTE Learning Outcomes Assessment Model.
5 Topic Reference Number of the topic within the learning level.
6 Topic Description Description of what is required of the candidate to demonstrate that a learning outcome has been achieved at the qualification level indicated
7 Foundation/Practitioner Shows at which qualification level the topic is assessed. N.B. A topic is only assessed at one qualification level.
8 Primary Reference The main reference supporting the topic.
6 Important Points
The following points about the use of the syllabus should be noted. It is important to note the correct editions of the reference material.
6.1 ISO/IEC 27001 Foundation Guide References
The primary references for the Foundation qualification are the International Standards:
ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems – Requirements
ISO/IEC 27000:2014 Information technology -- Security techniques -- Information security management systems - Overview and vocabulary.
Other references are made to:
Supplementary reference paper for ISO/IEC 27001 Qualification.
The Foundation level requires knowledge of the requirements in ISO/IEC 27001:2013 and the terms, definition and concepts in ISO/IEC 27000:2014 as well as information in the supplementary reference paper as stated in the syllabus topic. It is essential that all delegates have access to a personal copy of ISO/IEC 27001:2013 and the Supplementary Reference Paper during any training course. Delegates should have access to a personal copy of ISO/IEC 27000:2014 or to the information referenced from it in this syllabus. Please note that the examination is closed book. The references provided should be considered to be indicative rather than comprehensive, i.e. there may be other valid references within the guidance.
For the primary reference, the standard is given first, followed by the clause number, e.g. ISO/IEC 27001, 4.2 refers to ISO/IEC 27001:2013 Clause 4.2. The syllabus requires awareness of, but not detailed knowledge of, the other referenced standards:
ISO 9001:2008, Quality management systems — Requirements
ISO/IEC 20000-1:2011, Information technology – Service management - Service management system requirements
ISO/IEC 27002:2013, Information technology -- Security techniques -- Code of practice for information security controls
ISO/IEC 27003:2010, Information technology -- Security techniques -- Information security management system implementation guidance
ISO/IEC 27004:2009, Information technology -- Security techniques -- Information security management – Measurement
ISO/IEC 27005:2011, Information technology -- Security techniques -- Information security risk management
ISO/IEC 27006:2011, Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27013:2012, Information technology -- Security techniques – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1.
6.2 ISO/IEC 27001 Practitioner Guide References
All Foundation level requirements are assumed to have been met for Practitioner level and are not directly assessed again, although Foundation level knowledge and understanding will be used when demonstrating Practitioner application and analysis learning outcomes. The primary references for the Practitioner course are the International Standards:
ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems – Requirements
ISO/IEC 27000:2014 Information technology -- Security techniques -- Information security management systems - Overview and vocabulary
ISO/IEC 27002:2013, Information technology -- Security techniques -- Code of practice for information security controls
ISO/IEC 27005:2011, Information technology -- Security techniques -- Information security risk management
Reference is made to ISO/IEC 27003:2010, Information technology -- Security techniques -- Information security management system implementation guidance, Clause 5.3.2 and Table B.1 only. However, candidates do not need their own copy of this standard as the relevant clause and table are available in the Supplementary reference paper for ISO/IEC 27001 Qualification, Sections 5 and 6. Syllabus topics at levels 3 and 4 provide the primary references but may also include any other topic from the syllabus area. It is essential that all delegates have access to a personal copy of ISO/IEC 27001:2013 and the Supplementary Reference Paper during any training course. Delegates should have access to a personal copy of ISO/IEC 27002:2013 and ISO/IEC 27005:2011. Please note that the examination is open book.
7 Syllabus Exclusions
The syllabus does not require specific knowledge of ISMS implementation and best management practice guidelines.
Syllabus Area Code: OV
Syllabus Area: Overview of ISO/IEC 27001 and Related Best Practices, Standards and Schemes
Columns: Level | Topic | Foundation | Primary References
Know facts, terms and concepts at overview level about ISO/IEC 27001 and related best practices, standards and schemes
Specifically to recall:
01 01 The key standards with their purpose that comprise the ISO/IEC 27000 series:
1. ISO/IEC 27000
2. ISO/IEC 27001
3. ISO/IEC 27002
4. ISO/IEC 27003
5. ISO/IEC 27004
6. ISO/IEC 27005
ISO/IEC 27000, 4.2, 4.3, 4.4 title and purpose sections only
01 02 Compatibility of ISMS with other management system standards, specifically ISO 9001 for quality management
Supplementary paper, 2.1
01 03 1. Compatibility of ISMS with other management system standards, specifically ISO/IEC 20000-1 for service management.
2. The use of ISO/IEC 27013 for guidance on integrated implementation.
Supplementary paper, 2.2
01 04 Definitions of the following terms:
1. Asset
2. Availability
3. Confidentiality
4. Integrity
5. Information security
6. Information security event
7. Information security incident
8. Information security management system
Supplementary paper, 2.3
ISO/IEC 27000, 2
01 05 Definitions of the following terms:
1. Residual risk
2. Risk acceptance
3. Risk analysis
4. Risk assessment
5. Risk criteria
6. Risk evaluation
7. Risk identification
8. Risk management
9. Risk owner
10. Risk treatment
ISO/IEC 27000, 2
01 06 Definitions of the following terms:
1. Consequence
2. Risk
3. Threat
4. Vulnerability
ISO/IEC 27000, 2
01 07 The names of the clauses and sub-clauses covered within requirements of ISO/IEC 27001:
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the information security management system
4.4 Information security management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Information security objectives and planning to achieve them
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8 Operation
8.1 Operational planning and control
8.2 Information security risk assessment
8.3 Information security risk treatment
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
Annex A (normative) Reference control objectives and controls
ISO/IEC 27001,
Contents
01 08 Information about ISO/IEC 27001 qualification and certification:
1. The APMG qualification scheme
2. The principles of ISO/IEC 27001 certification offered by certification bodies
Supplementary paper, 2.4
Understand how ISO/IEC 27001 and associated best practices, standards and schemes can be used to achieve conformity to ISO/IEC 27001
Specifically to identify:
02 01 The relationships and differences between ISO/IEC 27001 and the following standards within the ISO/IEC 27000 series:
1. ISO/IEC 27000
2. ISO/IEC 27002
3. ISO/IEC 27003
4. ISO/IEC 27004
5. ISO/IEC 27005
ISO/IEC 27000, 4.2, 4.3, 4.4 title and purpose sections only
02 02 The roles of the organizations and entities involved in ISO/IEC 27001 Qualification and Certification Schemes
1. APMG-International
2. Certification Bodies (CBs)
3. National Accreditation Bodies (NABs)
4. Accredited Training Organizations (ATOs)
5. Practitioners
6. Consultants
7. Internal Auditors
8. External Auditors
Supplementary paper, 2.5
02 03 The benefits of implementing an ISMS
ISO/IEC 27000, 3.7
There are no syllabus items at level 3 for this area
There are no syllabus items at level 4 for this area
Syllabus Area Code: LE
Syllabus Area: Leadership and support of the ISMS
Columns: Level | Topic | Foundation | Practitioner | Primary References
Know facts and concepts relating to leadership and support of the Information Security Management System within Clauses 4, 5 and 7 of ISO/IEC 27001
Specifically to recall:
01 01 The general requirements to manage an ISMS
ISO/IEC 27001, 4.4
01 02 The integration of the ISMS with the organization’s processes and management structure
ISO/IEC 27001, 0.1 para 3, 5.1 b)
01 03 The decisions and influencing factors for the adoption and implementation of an ISMS
ISO/IEC 27001, 0.1, para 1
01 04 The requirement to understand the organization and its context
ISO/IEC 27001, 4.1
01 05 The requirement to understand the needs and expectations of interested parties
ISO/IEC 27001, 4.2
01 06 The characteristics used to define the scope and boundaries of the ISMS
ISO/IEC 27001, 1, 4.3
01 07 The contents of the ISMS policy
ISO/IEC 27001, 5.2 b) c) d)
Understand the concepts, responsibilities, requirements and processes about the context, leadership and support for an ISMS according to Clauses 4, 5 and 7 of ISO/IEC 27001 and ISO/IEC 27003
Specifically to identify:
02 01 The basic principles of top management demonstrating leadership and commitment for the ISMS by:
1. establishing an information security policy and objectives
2. communicating the importance of effective information security management and of conforming to the ISMS requirements
3. ensuring the ISMS achieves its intended outcomes
ISO/IEC 27001, 5.1 a) d) e)
02 02 Further principles of top management demonstrating leadership and commitment to ISMS processes, specifically:
1. Ensuring integration of ISMS requirements with the organization’s processes (5.1 b)
2. Promoting continual improvement (5.1 g)
3. Supporting other management roles to demonstrate leadership (5.1 h)
ISO/IEC 27001, 5.1 b) g) h)
02 03 The requirements of top management for organizational roles, responsibilities and authorities
ISO/IEC 27001, 5.3, 5.1 f)
02 04 The activities and considerations to be made when defining roles and responsibilities
ISO/IEC 27003 5.3.2/ (Supplementary paper, 6)
02 05 The roles and their specific requirements and responsibilities required for information security management and operation, along with their interaction within the organization
ISO/IEC 27003 Table B.1/ (Supplementary paper, 5)
02 06 The basic principles of the requirements related to documented information within an ISMS:
1. The documents required within an ISMS.
2. The control of documented information to ensure availability, suitability and protection
ISO/IEC 27001, 7.5.1 a) b), 7.5.3 a) b)
02 07 The requirements for the processes and content for the appropriate management of documents for the operation of an ISMS specifically:
1. The creation and updating of documents (7.5.1 NOTE / 7.5.2)
2. The control of documented information (7.5.3 c-f, end para & NOTE)
ISO/IEC 27001, 7.5.1 NOTE a-c), 7.5.2, 7.5.3 c-f) end para & NOTE
02 08 The basic principles of the provision of resources and competence within an ISMS:
1. Determining and providing resources needed for the operation of the ISMS
2. Determining and ensuring competence based on education, training or experience
3. Taking necessary actions and retaining documentation as evidence of competence
ISO/IEC 27001, 7.1, 7.2, 5.1 c)
02 09 The basic principles for awareness and communication for personnel working within an ISMS:
1. Awareness of the information security policy, contribution to the effectiveness of the ISMS, benefits of the ISMS and implications of not conforming with the ISMS requirements
2. Determining the need for internal and external communication about the ISMS
ISO/IEC 27001, 7.3, 7.4 1st line of para 1 excluding a) - e)
02 10 The appropriate internal and external communications requirements including:
1. The subject for communication (7.4 a)
2. The timing of the communication (7.4 b)
3. The audience (7.4 c)
4. The communicator (7.4 d)
5. The communication process (7.4 e)
ISO/IEC 27001, 7.4 a) - e)
02 11 The requirements for appropriate boundaries and scope for an ISMS with consideration of:
1. External and internal issues
2. The requirements of interested parties
3. The interfaces and dependencies of activities
ISO/IEC 27001, 4.3
02 12 Appropriate information requirements for inclusion in an ISMS policy including:
1. The purpose of the organization (5.2 a)
2. Information security objectives or a framework for setting objectives (5.2 b)
3. A commitment to satisfy applicable requirements (5.2 c)
4. A commitment to continual improvement (5.2 d)
5. Communication and availability requirements (5.2 e-g)
ISO/IEC 27001, 5.2 a) - g)
Apply the ISMS Leadership and Support management systems requirements from ISO/IEC 27003, to enable the achievement of conformity to ISO/IEC 27001 for a given scenario
Specifically to apply:
03 01 The activities and considerations to be made when defining roles and responsibilities
ISO/IEC 27003 5.3.2/ (Supplementary paper, 6)
03 02 The roles and their specific requirements and responsibilities required for information security management and operation, for a given scenario
ISO/IEC 27003 Table B.1/ (Supplementary paper, 5)
03 03 The concepts, responsibilities and requirements about the context, leadership and support for an ISMS according to Clauses 4, 5 and 7 of ISO/IEC 27001
ISO/IEC 27001, 4, 5 & 7
Analyze and distinguish between appropriate and inappropriate use of ISMS Leadership and Support management systems’ requirements, as given in ISO/IEC 27003, to maintain conformity to ISO/IEC 27001 for a given scenario
Specifically to analyze:
04 01 The activities and considerations to be made when defining roles and responsibilities
ISO/IEC 27003 5.3.2/ (Supplementary paper, 6)
04 02 The roles and their specific requirements and responsibilities required for information security management and operation, for a given scenario
ISO/IEC 27003 Table B.1/ (Supplementary paper, 5)
04 03 The concepts, responsibilities and requirements about the context, leadership and support for an ISMS according to Clauses 4, 5 and 7 of ISO/IEC 27001
ISO/IEC 27001, 4, 5 & 7
Syllabus Area Code: PL
Syllabus Area: Planning and operation of the ISMS
Columns: Level | Topic | Foundation | Practitioner | Primary References
Know facts, terms and concepts relating to the planning and operation of an ISMS within clauses 6, 8, 9 and 10 of ISO/IEC 27001
Specifically to recall:
01 01 Contents of the Statement of Applicability
ISO/IEC 27001, 6.1.3 d)
01 02 Monitoring, measurement, analysis and evaluation:
1. evaluating performance and the effectiveness of the ISMS
2. selecting methods to produce comparable and reproducible results
3. documenting the results
ISO/IEC 27001, 9.1 para 1, last para and NOTE
01 03 The requirements for continual improvement of the ISMS
ISO/IEC 27001, 10.2, 5.1g
Understand the concepts, responsibilities, requirements and processes relating to the planning and operation of an ISMS within clauses 6, 8, 9 and 10 of ISO/IEC 27001
Specifically to identify:
02 01 Actions to address risks and opportunities:
1. Determine the risks and opportunities that need to be addressed
2. Plan actions to address these risks and opportunities
3. Plan how to fit the actions into the ISMS and evaluate their effectiveness
ISO/IEC 27001 6.1.1
02 02 Defining and applying the risk assessment process:
1. information security risk criteria
2. consistent, comparable and valid results for repeated assessments
3. performing assessments at planned intervals
4. retain documented information for the process and the results of assessments
ISO/IEC 27001, 6.1.2 a), b), last para and 8.2
02 03 The general considerations, basic criteria, scope and boundaries and organization for establishing the context of the risk management process, specifically the:
1. Risk evaluation criteria
2. Impact criteria
3. Risk acceptance criteria
ISO/IEC 27005, 7
02 04 Identifying the information security risks
ISO/IEC 27001, 6.1.2 c)
02 05 The steps in risk identification, specifically:
1. Assets
2. Threats
3. Existing controls
4. Vulnerabilities
5. Consequences
ISO/IEC 27005, 8.2 and Annex B.1 1st para.
02 06 Analyzing and evaluating the risks
ISO/IEC 27001, 6.1.2 d) e)
02 07 The methodologies for risk analysis and the approach to risk evaluation, specifically the assessment of:
1. Consequences
2. Incident likelihood
3. Risk determination
ISO/IEC 27005, 8.3 and 8.4
02 08 Selection of the risk treatment options taking account of the risk assessment results
ISO/IEC 27001, 6.1.3 a), ISO/IEC 27000, 2.79
02 09 The approaches to risk treatment, specifically:
1. Modification
2. Retention
3. Avoidance
4. Sharing
ISO/IEC 27005, 9
02 10 Selection of controls for the treatment of risks:
1. determine necessary controls
2. compare controls with Annex A and justify any exclusions
ISO/IEC 27001, 6.1.3 b) c) d)
02 11 Formulating a risk treatment plan:
1. formulate an information security risk treatment plan
2. obtain approval from risk owner for the plan and residual risks
3. implement the risk treatment plan
4. retain documented information for the process and results of the risk treatment
ISO/IEC 27001, 6.1.3 e) f), last para and 8.3
02 12 The approach to risk acceptance, communication and consultation
ISO/IEC 27005, 10 and 11
02 13 The approach to risk monitoring and review, specifically:
1. Risk factors
2. Risk management monitoring, review and improvement
ISO/IEC 27005, 12.1 and 12.3
02 14 Information security objectives:
1. establishing and documenting the objectives
2. the need for the objectives to be consistent with the policy and measurable
3. the need to plan to achieve the objectives and implement the plan
ISO/IEC 27001, 6.2 para 1, a), b), para 3, 1st line of para 4 excluding f) - j), and 8.1 para 1 2nd sentence
02 15 The requirements, planning and deployment of information security objectives, specifically including:
1. The applicable information security requirements & the results of the risk assessment and risk treatment (6.2 c)
2. Communication and updating (6.2 d-e)
3. Planning covering the subject, the resources, responsibilities, completion timing and the evaluation method for the results (6.2 f-j)
ISO/IEC 27001, 6.2 c) - j)
02 16 Operational planning and control:
1. planning, implementing and controlling the processes to meet information security requirements
2. implementing the actions to address risks and opportunities
3. determining and controlling outsourced processes
4. control of planned changes
5. keeping documented information as evidence
ISO/IEC 27001, 8.1
02 17 Appropriate development steps for performance evaluation including:
1. What needs to be monitored and measured (9.1 a)
2. When and who will monitor and measure (9.1 c-d)
3. The appropriate methodologies for monitoring, measurement, analysis and evaluation (9.1 b)
4. When and who will analyze and evaluate the results (9.1 e-f)
ISO/IEC 27001, 9.1 Para 2, a) - f), excluding NOTE and last para
02 18 Internal audit of an ISMS:
1. the need to conduct internal audits at planned intervals
2. using internal audits to check conformance to the ISMS and the standard, and effectiveness of the ISMS
3. the selection of auditors to ensure objectivity
4. planning the audit programme
ISO/IEC 27001, 9.2 para 1, a) b) c) e)
02 19 The organization’s requirements for the conduct of an audit (9.2 d, f, g)
ISO/IEC 27001, 9.2 d) f) g)
02 20 Management review of the ISMS:
1. the need for top management to review the ISMS at planned intervals for suitability, adequacy and effectiveness
2. consideration of feedback on performance
3. the outputs from the review
ISO/IEC 27001, 9.3 para 1, c) 1-4, para 3
02 21 The applicable principles for the review and outputs for a management review including:
1. The status of actions (9.3 a)
2. Changes in external and internal issues (9.3 b)
3. Feedback from interested parties (9.3 d)
4. The results of risk assessment (9.3 e)
5. The status of the risk assessment and risk treatment plan (9.3 e)
6. Opportunities for improvement (9.3 f)
ISO/IEC 27001, 9.3 para a), b), d) – f), last para
02 22 Nonconformity and corrective actions:
1. The actions to be taken when a non-conformity occurs
2. The need for corrective actions to be appropriate to the effects of the nonconformities
3. Documented information about nonconformities and corrective actions
ISO/IEC 27001, 10.1
Apply the risk management requirements to enable the achievement of conformity to ISO/IEC 27001
Specifically to use:
03 01 The risk evaluation, impact and risk acceptance criteria for establishing the context of the risk management process
ISO/IEC 27005, 7
03 02 The steps in risk identification, as defined in 0205
ISO/IEC 27005, 8.2 and Annex B1 1st para.
03 03 The approaches to risk analysis and risk evaluation, as defined in 0207
ISO/IEC 27005, 8.3 and 8.4
03 04 The approaches to risk treatment, as defined in 0209
ISO/IEC 27005, 9
03 05 The approach to risk acceptance, communication and consultation
ISO/IEC 27005, 10 and 11
03 06 The approach to risk monitoring and review, as defined in 0213
ISO/IEC 27005, 12.1 and 12.3
03 07 The concepts, responsibilities, requirements and processes relating to the planning and operation of an ISMS within clauses 6, 8, 9 and 10 of ISO/IEC 27001
ISO/IEC 27001, 6, 8, 9 & 10
Analyze and distinguish between appropriate and inappropriate use of ISMS risk management requirements throughout the lifecycle of the ISMS to maintain conformity to ISO/IEC 27001 for a given scenario
Specifically to analyze:
04 01 The risk evaluation, impact and risk acceptance criteria for establishing the context of the risk management process
ISO/IEC 27005, 7
04 02 The steps in risk identification, as defined in 0205
ISO/IEC 27005, 8.2 and Annex B1 1st para.
04 03 The approaches to risk analysis and risk evaluation, as defined in 0207
ISO/IEC 27005, 8.3 and 8.4
04 04 The approaches to risk treatment, as defined in 0209
ISO/IEC 27005, 9
04 05 The approach to risk acceptance, communication and consultation
ISO/IEC 27005, 10 and 11
04 06 The approach to risk monitoring and review, as defined in 0213
ISO/IEC 27005, 12.1 and 12.3
04 07 The concepts, responsibilities, requirements and processes relating to the planning and operation of an ISMS within clauses 6, 8, 9 and 10 of ISO/IEC 27001
ISO/IEC 27001, 6, 8, 9 & 10
Syllabus Area Code: CO
Syllabus Area: Information security control objectives and controls
Level | Topic | Foundation | Practitioner | Primary References
Know the topic areas for information security controls within ISO/IEC 27001
Specifically to recall:
01 01 Annex A controls and definitions:
1. The structure and contents of the controls and control objectives listed in Annex A of ISO/IEC 27001
2. The definition of:
a. Control
b. Control objective
Supplementary paper, 3.1
ISO/IEC 27000,2.16, 2.17
01 02 The names of the security control clauses for information security controls (numbers refer to references in Annex A of ISO/IEC 27001):
5. Information security policies
6. Organization of information security
7. Human resource security
8. Asset management
9. Access control
10. Cryptography
11. Physical and environmental security
ISO/IEC 27001, Annex A
01 03 The names of the security control clauses for information security controls (numbers refer to references in Annex A of ISO/IEC 27001):
12. Operations security
13. Communications security
14. System acquisition, development and maintenance
15. Supplier relationships
16. Information security incident management
17. Information security aspects of business continuity management
18. Compliance
ISO/IEC 27001, Annex A
01 04 The name of the security category and the control objective for the security control clause ‘information security policies’
ISO/IEC 27001, Annex A, 5.1 category and objective only
Understand the subjects covered for specific information security control clauses within ISO/IEC 27001, with implementation parameters defined by ISO/IEC 27002
Specifically to identify:
02 01-04 Not used. (See 02 19 onwards for Foundation 02 topics)
02 05 Information security policies; scope and implementation parameters
ISO/IEC 27001, Annex A, A.5, ISO/IEC 27002, 5
02 06 Organization of information security; scope and implementation parameters
ISO/IEC 27001, Annex A, A.6, ISO/IEC 27002, 6
02 07 Human resources security; scope and implementation parameters
ISO/IEC 27001, Annex A, A.7, ISO/IEC 27002, 7
02 08 Asset management; scope and implementation parameters
ISO/IEC 27001, Annex A, A.8, ISO/IEC 27002, 8
02 09 Access control; scope and implementation parameters
ISO/IEC 27001, Annex A, A.9, ISO/IEC 27002, 9
02 10 Cryptography; scope and implementation parameters
ISO/IEC 27001, Annex A, A.10, ISO/IEC 27002, 10
02 11 Physical and environmental security; scope and implementation parameters
ISO/IEC 27001, Annex A, A.11, ISO/IEC 27002, 11
02 12 Operations security; scope and implementation parameters
ISO/IEC 27001, Annex A, A.12, ISO/IEC 27002, 12
02 13 Communications security; scope and implementation parameters
ISO/IEC 27001, Annex A, A.13, ISO/IEC 27002, 13
02 14 System acquisition, development and maintenance; scope and implementation parameters
ISO/IEC 27001, Annex A, A.14, ISO/IEC 27002, 14
02 15 Supplier relationships; scope and implementation parameters
ISO/IEC 27001, Annex A, A.15, ISO/IEC 27002, 15
02 16 Information security incident management; scope and implementation parameters
ISO/IEC 27001, Annex A, A.16, ISO/IEC 27002, 16
02 17 Information security aspects of business continuity management; scope and implementation parameters
ISO/IEC 27001, Annex A, A.17, ISO/IEC 27002, 17
02 18 Compliance; scope and implementation parameters
ISO/IEC 27001, Annex A, A.18, ISO/IEC 27002, 18
02 19 The control description for the control ‘policies for information security’
ISO/IEC 27001, Annex A, A.5.1.1
02 20 The control description for the control ‘review of the policies for information security’
ISO/IEC 27001, Annex A, A.5.1.2
02 21 The control objective for the security category ‘during employment’
ISO/IEC 27001, Annex A, A.7.2, category and objective only
02 22 The control objectives for the security categories in asset management covering:
1. Responsibility for assets
2. Information classification
3. Media handling
ISO/IEC 27001, Annex A, A.8.1, A.8.2 and A.8.3, categories and objectives only
02 23 The control objectives for the security categories in access control covering:
1. Business requirements of access control
2. User access management
ISO/IEC 27001, Annex A, A.9.1 and A.9.2, categories and objectives only
02 24 The control objective for the security category ‘management of information security incidents and improvements’
ISO/IEC 27001, Annex A, A.16.1, category and objective only
02 25 The control objective for the security category ‘compliance with legal and contractual requirements’
ISO/IEC 27001, Annex A, A.18.1, category and objective only
Be able to identify, apply and tailor the appropriate aspects of ISO/IEC 27001 Annex A controls to a scenario, as defined in ISO/IEC 27002
Specifically to identify how and when each of the controls should be implemented including:
03 01-04 Not used
03 05 Information security policies
ISO/IEC 27001, Annex A, A.5, ISO/IEC 27002 5
03 06 Organization of information security
ISO/IEC 27001, Annex A, A.6, ISO/IEC 27002 6
03 07 Human resources security
ISO/IEC 27001, Annex A, A.7, ISO/IEC 27002 7
03 08 Asset management
ISO/IEC 27001, Annex A, A.8, ISO/IEC 27002 8
03 09 Access control
ISO/IEC 27001, Annex A, A.9, ISO/IEC 27002 9
03 10 Cryptography
ISO/IEC 27001, Annex A, A.10, ISO/IEC 27002 10
03 11 Physical and environmental security
ISO/IEC 27001, Annex A, A.11, ISO/IEC 27002 11
03 12 Operations security
ISO/IEC 27001, Annex A, A.12, ISO/IEC 27002 12
03 13 Communications security
ISO/IEC 27001, Annex A, A.13, ISO/IEC 27002 13
03 14 System acquisition, development and maintenance
ISO/IEC 27001, Annex A, A.14, ISO/IEC 27002 14
03 15 Supplier relationships
ISO/IEC 27001, Annex A, A.15, ISO/IEC 27002 15
03 16 Information security incident management
ISO/IEC 27001, Annex A, A.16, ISO/IEC 27002 16
03 17 Information security aspects of business continuity management
ISO/IEC 27001, Annex A, A.17, ISO/IEC 27002 17
03 18 Compliance
ISO/IEC 27001, Annex A, A.18, ISO/IEC 27002 18
Be able to identify, analyze and distinguish between the appropriate and inappropriate ISO/IEC 27001 Annex A controls throughout the life-cycle of a given scenario, as defined in ISO/IEC 27002
Specifically to analyze with reasons whether the implementation of the ISO/IEC 27001 Annex A controls is appropriate for achieving the requirements of ISO/IEC 27001 including:
04 01-04 Not used
04 05 Information security policies
ISO/IEC 27001, Annex A, A.5, ISO/IEC 27002 5
04 06 Organization of information security
ISO/IEC 27001, Annex A, A.6, ISO/IEC 27002 6
04 07 Human resources security
ISO/IEC 27001, Annex A, A.7, ISO/IEC 27002 7
04 08 Asset management
ISO/IEC 27001, Annex A, A.8, ISO/IEC 27002 8
04 09 Access control
ISO/IEC 27001, Annex A, A.9, ISO/IEC 27002 9
04 10 Cryptography
ISO/IEC 27001, Annex A, A.10, ISO/IEC 27002 10
04 11 Physical and environmental security
ISO/IEC 27001, Annex A, A.11, ISO/IEC 27002 11
04 12 Operations security
ISO/IEC 27001, Annex A, A.12, ISO/IEC 27002 12
04 13 Communications security
ISO/IEC 27001, Annex A, A.13, ISO/IEC 27002 13
04 14 System acquisition, development and maintenance
ISO/IEC 27001, Annex A, A.14, ISO/IEC 27002 14
04 15 Supplier relationships
ISO/IEC 27001, Annex A, A.15, ISO/IEC 27002 15
04 16 Information security incident management
ISO/IEC 27001, Annex A, A.16, ISO/IEC 27002 16
04 17 Information security aspects of business continuity management
ISO/IEC 27001, Annex A, A.17, ISO/IEC 27002 17
04 18 Compliance
ISO/IEC 27001, Annex A, A.18, ISO/IEC 27002 18
Syllabus Area Code: AC
Syllabus Area: Achieving ISO/IEC 27001 Certification
Level | Topic | Foundation | Primary References
Know facts, terms and concepts about auditing an ISMS for ISO/IEC 27001 certification
Specifically to recall:
01 01 The types of audits – initial, re-certification, surveillance, internal, 1st/2nd/3rd party
Supplementary paper, 4.1
01 02 The outcomes of an audit:
1. Conformity
2. Major nonconformity
3. Minor nonconformity
4. Observation (opportunity for improvement)
5. Outside of the audit scope
Supplementary paper, 4.2
Understand the concepts, responsibilities and requirements for auditing and preparing to achieve certification for ISO/IEC 27001
Specifically to identify:
02 01 The requirements for the conduct of audits
1. Certification audits (initial and re-certification)
2. Surveillance audits
Supplementary paper, 4.1
02 02 Key differences between internal, initial, re-certification and surveillance audits
Supplementary paper, 4.1
02 03 Evidence of conformity:
1. The evidence used to demonstrate conformity to ISO/IEC 27001
2. The need to provide evidence for the requirements of ISO/IEC 27001, and the certification bodies' use of ISO/IEC 27006
Supplementary paper, 4.3
02 04 The organization’s preparation for and participation in a certification audit
Supplementary paper, 4.4
02 05 The process used by a certification body to conduct certification audits for an ISMS
Supplementary paper, 4.5
There are no syllabus items at level 3 for this area
There are no syllabus items at level 4 for this area