Training Catalogue

(1)

(2)

2

Table of Content

Page Company Profile……… Training Overview……….. Training Catalogue………...

GRC Fundamentals, Strategy & Implementation Workshop……… Anti Bribery Management System Implementation……… ISO 19600 Compliance Management Implementation……… Corporate Compliance Workshop – Optimizing Your Program……….. Certified ISO 31000 Risk Manager – PECB/ANSI……… Mastering Risk Management Workshop – Toward Risk Convergence……….. Certified ISO 38500 Governance of IT Manager – PECB……… Certifies ISO 27005 Risk Manager of IT – PECB/ANSI……… Certified ISO 22301 Lead Implementer – PECB/ANSI……….. Certified ISO 22301 Lead Auditor – PECB/ANSI………. Certified ISO 24762 Disaster Recovery Manager – PECB………... Certified ISO 27001 Lead Implementer – PECB/ANSI……….. Certified ISO 27001 Lead Auditor – PECB/ANSI………. Certified ISO 27002 Lead Manager – PECB………... Certified ISO/IEC 27034 Application Lead Security Implementer – PECB………. Certified ISO 20000 Lead Implementer – PECB/ANSI……….. Certified ISO 20000 Lead Auditor – PECB/ANSI………. Certified Outsourcing Manager – PECB………. Certified Lead Privacy Implementer – PECB………. Certified Lead Forensic Examiner – PECB/ANSI……… Certified Lead Security Incident Professional – PECB………. Certified Lead SCADA Security Professional – PECB/ANSI……… Certified Lead Penetration Tester – PECB……….. Certified ISO 21500 Lead Implementer – PECB………. Certified ISO 21500 Lead Auditor – PECB………... Certified ISO 28000 Lead Implementer – PECB/ANSI……….. Certified ISO 13053 Lead Implementer – PECB……….

3 4 5 6 8 10 12 14 16 18 20 22 24 26 28 30 32 34 37 39 41 43 45 47 49 51 53 55 57 59

(3)

3

For more info call us – Tel: +2711462 7138 or Email: owen@grctech.co.za URL: www.grctech.co.za

Company Profile

What We Do

GRC Tech is a training and consultancy firm that assists organisations to understand, implement and comply with Governance, Risk and Compliance (GRC) related best practice standards and frameworks that lead to sustained process and business improvement.

We meet the training, awareness and consulting needs of organisations in the following categories:

 Corporate Governance, Risk and Compliance

 Strategy and Performance Management

 IT Governance and IT Service Management

 Business Continuity and Information Security Management

International Experience

Since our inception in 2010, GRC Tech has successfully provided training, and has delivered GRC related consultancy projects to leading African and international organisations. We have delivered services in among other, South Africa, Botswana, Tanzania, Namibia, Mauritius, Uganda, Swaziland, Oman, Egypt, Kenya and Nigeria.

(4)

4

Training Overview

Our training courses are underpinned by internationally accepted Governance, Risk and Compliance (GRC) best practices based on a range of GRC related frameworks and standards including OCEG Red Book 2.1 & 3.0, ISO 19600, BS 10500, COBIT, ISO 38500, ISO 27005, ISO 27001, ISO 22301 and ISO 20000…….

Approach to GRC Management Training

Our approach to training provides delegates with valuable practical experience of how to overcome the typical challenges they are likely to experience when undertaking GRC related projects within their own organisations. Delegates enjoy the following benefits:

 A choice of brief management overview, foundation or intensive practitioner-level courses

 Course development and presentation by subject-matter experts with in-depth knowledge and experience in their field of expertise

 Practical course content, hand-outs and interactive group discussions

 International certification exams for selected courses

In-house Training – On Demand

In-house training provides a cost-effective and timesaving training opportunity, especially where an organisation has more than six staff members to train and / or requires training in remote locations.

In-house courses can be facilitated at your organisation's own premises or conducted as a private course at a training venue of your choice

Self-Study

When you choose to study through GRC Tech training you have the option to select your course(s) from our range of certification programs. We offer you an unrivalled selection of quality distance education courses accredited by PECB the most respected awarding bodies Internationally.

All of our students have access to an experienced professional in their field of study. He/she is totally committed to helping you succeed and is always on hand to answer any query you may have, no matter how big or small.

Training Courses Available

 Governance, Risk Management & Compliance (GRC)

 Anti-Bribery

 Compliance

 Risk Management

 IT Governance, Risk Management & Compliance (IT GRC)

 IT Security Management

 Business Continuity & Disaster Recovery Management

 Professional Courses: CMO, CLPI, CLFE, CLSI, CL-SCADASP, CLPT

 Project Management

 Supply Chain Security Management

(5)

5

(6)

6

Governance, Risk Management & Compliance

(GRC)

GRC Fundamentals, Strategy and Implementation – 3 Days

Who Should Attend!

CEO’s, COO’s, Chief Risk Officer, Chief Compliance Officer, Chief Information Officer, Chief Audit Executives and other Senior Managers.

The objective is to give you an insight and practical strategies for your Governance, Risk and Compliance integration by:



Defining progressive governance, risk, and compliance roles and responsibilities to move forward from silo management



Fulfilling regulatory requirements while achieving a real ROI



Increasing productivity and capital by putting an end to silo management



Leveraging your current IT systems to integrate GRC



Gaining an in-depth view into key risk metrics and policy compliance to improve your risk control and self-assessments

About the Workshop

The workshop provides an introductory overview of this new global groundswell of GRC, including discussion of the challenges organizations will face and business case that will drive this new movement.

Topics covered include:



An introduction to GRC: the new corporate “must have”



Explanation of an integrated GRC system



How is GRC different from current governance, risk, and compliance assurance methods?



Building your business case



What current laws require: a global perspective on “bare minimum” compliance, how the corporate governance bar continues to move upwards



Integrated GRC: what parts must be assembled, bought, wired up, or rented to build one? What cultural changes are required to make it work?



Setting up and staffing an integrated GRC system



Overcoming barriers and avoiding pitfalls



Maintaining and sustaining your GRC and measuring its benefits

Agenda:

GRC Overview: Where Are We Going and How Do We Get There? GRC: What’s the Business Case for Change?

Achieving GRC Buy-in at the Top and Establishing Clear Roles & Responsibilities Practical Strategies for Implementing GRC

(7)

7

Governance, Risk Management & Compliance

(GRC)

Business Objectives & Drivers



Risk & Opportunities



Plan & Design

Integrated Approach Programs: The three core principles



Oversight Personnel



Leaders and Champions



Strategic & Operating Personnel

Plan & Organize the GRC Implementation The GRC Technology Roadmap

(8)

8

Anti Bribery

Anti Bribery Management System Implementation – 2 Days

Successful implementation of BS 10500 ‘Specification for an anti-bribery management system (ABMS)’ shows an organisation commitment to ethical behaviour and a vital part of Corporate Governance in a well-managed organisation which can help protect your corporate reputation and avoiding potentially corrupt transactions.

Led by an experienced tutor, this two-day course will guide you through an implementation of an effective ABMS, using a combination of practical exercises, group activities and class discussions.

Learning Objectives

On completion of the course, delegates will be able to know:

 How to determine the threat of bribery within an organization

 How to recognize the key management system concepts of BS 10500

 What are the benefits specific to my organization in relation to implementing an effective ABMS

 How to identify a typical framework for implementing BS 10500 following the Plan-Do-Check-Act (PDCA) cycle

 How to interpret the requirements of BS 10500 from an implementation perspective in the context of your organization

 How to conduct a base line review of your organizations current position with regard to BS 10500

Who Should Attend?

Those responsible for anti-bribery management, ethical behaviour, corporate governance, risk and compliance, management systems, anti-bribery measures, human resources, procurement and those managing/selecting business associates especially if operating in high-risk bribery environments.

Recommended job roles include:

 Human resource professionals and managers

 Company secretaries

 Internal legal teams

 Governance, risk and compliance managers

 Internal affairs and investigation teams

 Internal and external management systems auditors who are new to ABMS

 Procurement managers

 Private data and records administration teams

Agenda

Introduction to Anti-Bribery Management System (ABMS) concepts as required by BS 10500



Introduction to management systems and the process approach



Fundamental principles in anti-bribery management



General requirements

Planning the Anti-Bribery Management System (ABMS)



Allocating responsibility

(9)

9



Writing the anti-bribery policy



Reviewing the requirements of the ABMS



Designing or modifying the necessary policies, procedures and controls for the ABMS



Preparing an implementation plan for the ABMS

Monitoring and reviewing the ABMS Continual improvement of the ABMS

Pre-Requisites

There are no formal prerequisites to attend, however it is recommended that you have some knowledge of ABMS, in particular the BS 10500 standard, as well as an understanding of how your organization operates and the likely risks it faces.

(10)

10

Compliance

ISO 19600 Compliance Management Implementation – 3 Days

ISO 19600 defines requirements to continually improve a compliance management system’s effectiveness. It requires an organisation to establish, develop, document, implement, evaluate, maintain and improve an effective and responsive Compliance Management System (CMS). The policy, objectives and processes needed for compliance management must be determined, including the sequence and interaction, and be applied throughout.

Learning Objectives

This 3-day course provides delegates with an understanding of the International Organisation for Standardisation’s (ISO) standard for compliance management systems – ISO 19600.

Upon successful completion of this course, participants should be able to:

 Identify compliance requirements and an appropriate system for recording them

 Plan, document and establish a compliance management system

 Review a compliance system & its processes

 Determine the purpose and the scope of compliance research that needs to be undertaken to meet legal and client obligations

 Define a compliance research plan and gather the required data

 Analyse the collected data in a manner that is meaningful to the organisation

 Document and communicate the compliance research outcomes

 Understand the components of a Continual improvement framework

 Use a Continual improvement Framework to ensure new ideas and improvements are managed in a consistent and systematic manner

Who Should Attend?

 Compliance managers and officers

 Internal legal teams

 Governance, risk and compliance managers

 IT GRC officers

 Internal and external management systems auditors who are new to CMS

Agenda

Introduction to Compliance Management concepts as required by ISO 19600



Introduction to management systems and the process approach



Fundamental principles in compliance management



General requirements: presentation of the clauses of ISO 19600



Planning the Compliance Management System (CMS)



Allocating responsibility



Writing the compliance management policy and framework

Reviewing the requirements of the CMS

(11)

11

Preparing an implementation plan for the CMS Monitoring and reviewing the CMS

Continual improvement of the CMS

Pre-Requisites

(12)

12

Compliance

Corporate Compliance Workshop (Optimizing Your Program) – 2 Days

To create a program that reflects, incorporates and is integrated with your organization's culture, ethos and corporate compliance objectives, design a program that is tailored and fine-tuned with specific regard to the size, form, complexity and history of your organization, document specific steps taken in the implementation and operation of a compliance program and measure the program with metrics.

Learning Objectives

 To recognize the importance of the mission, meeting compliance goal

 To set standards to be followed

 To empower employees to make decisions following prescribed guidelines, to ensure that progress was continuing to achieve agreed-upon goals

 To establish a decision-support mechanism

 To document specific steps taken in the implementation and operation of a compliance program

 To measure the program with metrics

Who Should Attend?

This workshop is designed for senior managers recognizing the importance of the mission - meeting compliance goals, specifically in terms of what is expected by stakeholders, the regulators, with no exceptions.  Governance Officer  Compliance Officer  Legal Counsel  Risk Manager  Internal Auditor  IT Manager

 Senior Managers in Planning, Finance, Marketing, Project, HR, etc.

 Consultants & Business Advisors

Agenda

Introduction

Compliance Key Functions

The four aspects of compliance operation:



Demonstrating Compliance with relevant regulations



Embedding Compliance within your organization



Managing the cost of Compliance; and



Identifying, addressing and resolving regulatory failures

Purism v/s Pragmatism Looking at the “Big Picture”

(13)

13

What are the Compliance Issues!



Governance Issues



Compliance Issues



Risk Issues



IT Compliance Issues

Why focus on compliance programs!

Introduction to effective compliance program:



Culture



Scope & Strategy



Structure & Resources



Policies



Communication & training



Issue Management



Evaluation

The Framework

Establishing an Enterprise Compliance Program:



The Principles



The Roadmap to Effective Compliance Policies, Procedures, and Controls

The Measuring Criteria

How do we measure! – The Metrics



The Compliance Maturity Model



Awareness (external & internal)



Structure & Accountability



Culture & Consistency



Processes/ Controls Automation & Integration



Measurement



Technology

Reporting on measurement

Integration of Compliance into the GRC Framework Case Study – XYZ Ltd.

(14)

14

Risk Management

Certified ISO 31000 Risk Manager (PECB/ANSI) – 3 Days

MASTERING RISK ASSESSMENT AND OPTIMAL RISK MANAGEMENT BASED ON

ISO 31000 AND IEC/ISO 31010

In this three-day intensive course participants develop the competence to master a model for implementing risk management processes throughout their organization using the ISO 31000:2009 standard as a reference framework. Based on practical exercises, participants acquire the necessary knowledge and skills to perform an optimal risk assessment and manage risks in time by being familiar with their life cycle. During this training, we will present the ISO 31000 general risk management standard, the process model it recommends, and how companies may use the standard. This training is also fully compatible with IEC/ISO 31010; which supports ISO 31000 by providing guidance for risk assessment.

Learning Objectives

 To understand the concepts, approaches, methods and techniques allowing an effective Risk Management according to ISO 31000

 To understand the relationship between the Risk Management and the compliance with the requirements of different stakeholders of an organization

 To acquire the competence to implement, maintain and manage an ongoing Risk Management program according to ISO 31000 compliance with all the other requirements

 To acquire the competence to effectively advise organizations on the best practices in Risk Management

Who Should Attend?  Governance Officer

 Compliance Officer

 Risk Manager

 Internal Auditor

 IT Manager

 Senior Managers in Planning, Finance, Marketing, Project, HR, etc.



Consultants & Business Advisors

Agenda

Introduction, Risk Management framework according to ISO 31000



Concepts and definitions related to risk management



Risk management standards, frameworks and methodologies



Implementation of a risk management framework



Understanding an organization and its context

Risk identification and assessment, risk evaluation, treatment, acceptance, communication and surveillance according to ISO 31000



Risk identification



Risk analysis and risk evaluation

(15)

15



Risk acceptance and residual risk management



Risk communication and consultation



Risk monitoring and review

Risk assessment methodologies according to IEC/ISO 31010 and Exam



Presentation of risk assessment methodologies

PECB/ANSI Certification Exam - 2 hours

Pre-Requisites

None

General Information

After successfully completing the exam, participants can apply for the credentials of Certified ISO 31000 Risk Manager

 Certification fees are included in the exam price

 Participant manual contain over 350 pages of information and practical examples

 A participation certificate of 21 CPD (Continuing Professional Development) credits will be issued to participants

(16)

16

Risk Management

Mastering Risk Management Workshop (Toward Risk Convergence) –

2 Days

In today's fast-moving, complex operating environment, risk executives need to cultivate an understanding across all areas of risk and business.

Business problems are multifaceted, interrelated and increasingly global - executives must possess enhanced skills to identify and address a wide range of risks with an integrated approach and enterprise-wide perspective.

This intensive two-day programme exposes participants to a rigorous, yet inspiring blend of theory, practice and cutting-edge research.

Learning Objectives

 Gain a valuable perspective on risk management in terms of corporate governance, as well as its relationship to cultural and stakeholder concerns

 Expand your network by linking up with a variety of individuals in risk-related fields and various business lines who think and make decisions about risk in the context of the entire enterprise

 Broaden your knowledge of leading-edge theory and practice, to increase your ability to create and sustain a high level of performance and steer projects to completion through an increased understanding of the issues impacting your organization

 Take part in focused learning and interact with your peers to improve your decision-making, leading to advanced proficiency and strategic advantages.

Who Should Attend?

 Senior risk practitioners

 Executives with influence over their organization’s risk strategy

 Business-line executives

 Non-Executive Directors

 Consultants & Business Advisors

Agenda

Introduction to GRC & E – Defining the terms What is “GRC’” convergence?



A View At The “Current State”



An Overview Of Standards

Traditional vs Modern Risk Management Challenges with Risk Assessment GRC Risk Convergence - Key issues



GRC Risk Convergence – The Challenges



GRC Risk Convergence – Benefits

(17)

17

Assessing Risks



Developing A Common Shared Context



Case Study



Control vs Risk Focus



Risk Taxonomy: Focus on Risk Types



Understanding The Anatomy Of Risk



The DNA Of Risk Management



The Key Indicator Trio



Risk Assessment Methodology



Risk Assurance

The GRC Framework Building A Business Case GRC Desired State Risk Maturity Level

(18)

18

IT Governance, Risk Management & Compliance

Certified ISO 38500 Governance of IT Manager (PECB) – 2 Days

MASTERING THE FUNDAMENTAL PRINCIPLES AND CONCEPTS OF CORPORATE

GOVERNANCE OF INFORMATION TECHNOLOGY BASED ON ISO 38500

This two day intensive course enables the participants to develop the necessary expertise to support an organization in implementing corporate governance of Information Technology as specified in ISO/IEC 38500. Participants will also gain a thorough understanding of best practices used to implement guidance for Corporate Governance of IT from all areas of ISO 38500. ISO/IEC 38500 applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization or external service providers, or by business units within the organization.

Learning Objectives

 To understand the implementation of guidance for the corporate governance of IT in accordance with ISO 38500, 38501 & 38502

 To gain a comprehensive understanding of the concepts, approaches, standards, methods and techniques required for the effective management of an corporate governance of IT

 To understand the relationship between the components of a corporate governance of IT, including responsibility, strategy, acquisition, performance, conformance, human behavior

 To acquire necessary expertise to manage a team implementing ISO 38500

Who Should Attend?

 Project managers or consultants wanting to prepare and to support an organization in the implementation of corporate governance of Information Technology

 ISO 38500 auditors who wish to fully understand the corporate governance of IT implementation process

 Senior Managers responsible for the IT governance of an enterprise and the management of its risks

 Members of groups monitoring the resources within the organization

 External business or technical specialists, such as legal or accounting specialists, retail associations, or professional bodies;

 Vendors of hardware, software, communications and other IT products

 Internal and external service providers (including consultants)

Agenda

Introduction to corporate governance of IT



Fundamental principles of corporate governance of IT



Initiation process of corporate governance of IT



Definition of the scope



Corporate governance application



Objectives of ISO 38500



Benefits of using this standard



Referenced documents – ISO 38501 & 38502

(19)

19

Framework and guidance for good governance of IT



Principles



Model



Responsibility of directors for corporate governance of IT



Strategy of IT development



Acquisition



Performance of corporate governance of IT



Conformance



Human Behavior

PECB Certification Exam - 2 hours

General Information

After successfully completing the “ISO 38500 Corporate Governance of IT Manager” exam, participants can apply for the credentials of Certified ISO 38500 Corporate Governance of IT Provisional Manager or Certified ISO 38500 Corporate Governance of IT Manager, depending on their level of experience.

 Participant manual contains over 200 pages of information and practical examples

 A participation certificate of 14 CPD (Continuing Professional Development) credits will be issued to the participants

 In case of failure of the exam, participants are allowed to retake it for free under certain conditions

(20)

20

IT Governance, Risk Management & Compliance

Certified ISO 27005 IT Risk Manager (PECB/ANSI) – 3 Days

MASTERING RISK ASSESSMENT AND OPTIMAL RISK MANAGEMENT IN

INFORMATION SECURITY BASED ON ISO 27005

In this three-day intensive course participants develop the competence to master the basic risk management elements related to all assets of relevance for information security using the ISO/IEC 27005:2011 standard as a reference framework. Based on practical exercises and case studies, participants acquire the necessary knowledge and skills to perform an optimal information security risk assessment and manage risks in time by being familiar with their life cycle. During this training, we will also present other risk assessment methods such as OCTAVE, EBIOS, MEHARI and Harmonized TRA. This training fits perfectly with the implementation process of the ISMS framework in ISO/IEC 27001:2013 standard.

Learning Objectives

 To understand the concepts, approaches, methods and techniques allowing an effective risk management according to ISO 27005

 To interpret the requirements of ISO 27001 on information security risk management

 To understand the relationship between the information security risk management, the security controls and the compliance with the requirements of different stakeholders of an organization

 To acquire the competence to implement, maintain and manage an ongoing information security risk management program according to ISO 27005

 To acquire the competence to effectively advise organizations on the best practices in information security risk management

Who Should Attend?

 Risk managers

 Member of the information security team

 Persons responsible for information security or conformity within an organization

 Staff implementing or seeking to comply with ISO 27001 or involved in a risk management program

 IT consultants

Agenda

Introduction, risk management program according to ISO 27005



Concepts and definitions related to risk management



Risk management standards, frameworks and methodologies



Implementation of an information security risk management program



Understanding an organization and its context

Risk identification and assessment, risk evaluation, treatment, acceptance, communication and surveillance according to ISO 27005



Risk identification



Risk analysis and risk evaluation



Risk assessment with a quantitative method

(21)

21



Risk acceptance and residual risk management



Information Security Risk Communication and Consultation



Risk monitoring and review

Overview of other information security risk assessment methods and exam



Presentation of OCTAVE method



Presentation of MEHARI method



Presentation of EBIOS method



Presentation of Harmonized TRA method

PECB/ANSI Certification Exam (2 hours)

General Information

After successfully completing the “Certified ISO 27005 Risk Manager” exam, participants can apply for the credentials of Certified ISO 27005 Risk Manager or Certified ISO 27005 Risk Manager, depending on their level of experience.

(22)

22

Business Continuity

Certified ISO 22301 Lead Implementer (PECB/ANSI) – 5 Days

MASTERING THE IMPLEMENTATION AND MANAGEMENT OF A BUSINESS

CONTINUITYMANAGEMENT SYSTEM (BCMS) BASED ON ISO 22301

This five-day intensive course enables the participants to develop the necessary expertise to support an organization in implementing and managing a Business Continuity Management System (BCMS) based on ISO 22301. The participants will also gain a thorough understanding of best practices used to implement Business Continuity processes from the ISO 22399. This training is consistent with the project management practices established in ISO 10006 (Quality Management Systems - Guidelines for Quality Management in Projects). This training is fully compatible with BS 25999 (Business Continuity Management Specification) and ISO 27031 (Guidelines for information and communication technology readiness for Business Continuity)

Learning Objectives

 To understand the implementation of a BCMS in accordance with ISO 22301, ISO 27031 or BS 25999

 To gain a comprehensive understanding of the concepts, approaches, standards, methods and techniques required for the effective management of a BCMS

 To understand the relationship between the components of a BCMS and the compliance with the other requirements

 To acquire the necessary expertise to support an organization in implementing, managing and maintaining a BCMS as specified in ISO 22301 or BS 25999

 To acquire the necessary expertise to manage a team implementing ISO 22301 or BS 25999

Who Should Attend?

 Project managers or consultants wanting to prepare and support an organization in the implementation of a Business Continuity Management System (BCMS)

 Business Continuity auditors who wish to fully understand the implementation of a Business Continuity Management System

 Individuals responsible for the Business Continuity or conformity in an organization

 Members of a Business Continuity team

 Expert advisors in Business Continuity

 Members of organizations that want to prepare for a business continuity function or for a BCMS project management function

Agenda

Introduction to Business Continuity Management System (BCMS) concepts as required by ISO 22301: Initiating a BCMS



Introduction to the management systems and the process approach



Presentation of the standards ISO 22301, ISO/PAS 22399, ISO 27031, BS 25999 and regulatory framework

(23)

23



Preliminary analysis and determining the level of maturity of the existing BCMS based upon ISO 21827

Writing a business case and a project plan for the implementation of a BCMS



Planning a BCMS based on ISO 22301



Definition of the scope of a BCMS



Development of a BCMS and Business Continuity Policies



Business Impact Analysis (BIA) and Risk Assessment

Implementing a BCMS based on ISO 22301



Implementation of a document management framework



Design and implementation of Business Continuity processes and writing procedures



Development of a training & awareness program and communicating about the BCMS



Incident management and emergency management



Operations management of a BCMS

Controlling, monitoring and measuring e a BCMS and the certification audit of a BCMS in accordance with ISO 22301



Monitoring BCMS processes



Development of metrics, performance indicators and dashboards



Internal audit and management review of a BCMS



Implementation of a continual improvement program



Preparing for an ISO 22301 certification audit

PECB/ANSI Certification Exam - 3 Hours

General Information

After successfully completing the exam, participants can apply for the credentials of Certified ISO 22301 Provisional Implementer, Certified ISO 22301 Implementer or Certified ISO 22301 Lead Implementer, depending on their level of experience.

 A participation certificate of 31 CPD (Continuing Professional Development) credits will be issued to the participants In case of failure of the exam, participants are allowed to retake it for free under certain conditions

(24)

24

Business Continuity

Certified ISO 22301 Lead Auditor (PECB/ANSI) – 4 Days

MASTERING THE AUDIT OF A BUSINESS CONTINUITY MANAGEMENT SYSTEM

(BCMS) BASED ON ISO 22301, IN COMPLIANCE WITH THE REQUIREMENTS OF

ISO 19011 AND ISO 17021

This four-day intensive course enables the participants to develop the needed expertise to audit a Business Continuity Management System (BCMS), and manage a team of auditors by applying widely recognized audit principles, procedures and techniques. During this training, the participants will acquire the needed knowledge and skills to proficiently plan and perform internal and external audits in compliance with ISO 19011 and certification audits according to ISO 17021. Based on practical exercises, the participants will develop the skills (mastering audit techniques) and competencies (managing audit teams and audit program, communicating with customers, conflict resolution) necessary for efficient conduct of an audit. This training is compatible with BS 25999 audit (Business continuity management specification) and ISO 27031 (Guidelines for information and communication technology readiness for business continuity).

Learning Objectives

 To acquire the expertise of performing an ISO 22301 or BS 25999 internal audit, following the ISO 19011 guidelines To acquire the expertise of performing an ISO 22301 or BS 25999 certification audit, following the ISO 19011 guidelines and the specifications of ISO 17021

 To acquire the expertise necessary for managing a BCMS audit team

 To understand the operation of the BCMS in accordance with ISO 22301, ISO 27031 or BS 25999

 To understand the relationship between a Business Continuity Management System, including risk management, controls, the relationship & the compliance with the other requirements

Who Should Attend?

 Internal auditors and auditors wanting to perform and lead BCMS certification audits

 Project managers or consultants wanting to master the BCMS audit process

 Individuals responsible for Business Continuity or conformity in an organization

 Members of a Business Continuity team

 Expert advisors in information technology

 Technical experts wanting to prepare for a Business Continuity audit function

Agenda

Introduction to Business Continuity Management System (BCMS) concepts as required by ISO 22301



Presentation of the standards ISO 22301, ISO 27031, ISO/PAS 22399, BS 25999 and regulatory framework



Fundamental principles of Business Continuity

(25)

25



Business Continuity Management System (BCMS)



Detailed presentation of the clauses of ISO22301

Planning and initiating an ISO 22301 audit



Fundamental audit concepts and principles



Audit the approach based on evidence and risk



Preparation of an ISO 22301 certification audit



BCMS documentation audit



Conducting an opening meeting

Conducting an ISO 22301 audit



Communication during the audit



Audit procedures: observation, document review, interview, sampling techniques, technical verification, corroboration and evaluation



Audit test plans



Formulation of audit findings and documenting of nonconformities

Concluding and ensuring the follow-up of an ISO 22301 audit



Audit documentation



Conducting a closing meeting and conclusion of an ISO 22301 audit



Evaluation of corrective action plans



ISO 22301 surveillance audit



ISO 22301 internal audit management program and second party audits

PECB/ANSI Certification Exam - 3 Hours

General Information

After successfully completing the exam, participants can apply for the credentials of Certified ISO 22301 Provisional Auditor, Certified ISO 22301 Auditor or Certified ISO 22301 Auditor, depending on their level of experience.

(26)

26

Business Continuity

Certified ISO 24762 Disaster Recovery Manager (PECB) – 3 Days

MASTERING THE IMPLEMENTATION AND MANAGEMENT OF ICT DISASTER

RECOVERY SERVICES ACCORDING TO ISO 24762

This three day intensive course enables participants to develop the necessary expertise to support an organization in implementing; maintaining and managing an ongoing Information and Communications Technology Disaster Recovery plan according to ISO 24762. Participants will also gain a thorough understanding of best practices described by this International Standard.

Learning Objectives

 To understand the concepts, approaches, methods and techniques for the implementation and effective management of Disaster Recovery services

 To understand the relationship between ICT Disaster Recovery and the compliance with the requirements of different stakeholders on an organization

 To acquire the competence to implement, maintain and manage a Disaster Recovery plan in accordance with ISO 24762

 To acquire the competence to effectively advise organizations on the best practices in ICT Disaster Recovery

Who Should Attend?

 Disaster Recovery of IT

 Persons responsible for disaster recovery of conformity within an organization

 Member of a disaster recovery team

 IT disaster recovery consultants

 Staff implementing or seeking to comply with ISO 24762 or involved in a disaster recovery plan

Agenda

Introduction, risk assessment and mitigation according to ISO 24762



Differences between business continuity and disaster recovery



Asset management



Risk assessment and mitigation



Document management



Information security



Business continuity

Recovery facilities and sites, outsourced services and activation of DR plan according to ISO 24762



Recovery facilities



Outsourced services



Recovery sites



Activation of disaster recovery plan

(27)

27



Performance measurement



Self-assessment



Testing



Continual improvement

PECB Certification Exam – 2 Hours

General Information

The “Certified ISO 24762 Disaster Recovery Manager” exam fully meets the requirements of the PECB Examination and Certification Program (ECP).

(28)

28

Information Security Management System

Certified ISO 27001 Lead Implementer (PECB/ANSI) – 5 Days

MASTERING THE IMPLEMENTATION AND MANAGEMENT OF AN INFORMATION

SECURITY MANAGEMENT SYSTEM (ISMS) BASED ON ISO 27001

This five-day intensive course enables the participants to develop the expertise necessary to support an organization in implementing and managing an Information Security Management System (ISMS) based on ISO/IEC 27001. The participants will also be given a thorough grounding in best practices used to implement Information Security controls from all areas of ISO 27002. This training is consistent with the project management practices established in ISO 10006 (Quality Management Systems - Guidelines for Quality Management in Projects). This training is also fully compatible with ISO 27003 (Guidelines for the Implementation of an ISMS), ISO 27004 (Measurement of Information Security) and ISO 27005 (Risk Management in Information Security).

Learning Objectives

 To understand the implementation of an ISMS

 To gain a comprehensive understanding of the concepts, approaches, standards, methods and techniques related to an ISMS

 To acquire the necessary expertise to support an organization in implementing, managing and maintaining an ISMS

 To acquire the necessary expertise to manage a team implementing ISO 27001

Who Should Attend?

 Compliance project managers

 Information Security consultants

 Internal and external ISO 27001 auditors

 Members of an Information Security team

Agenda

Introduction to Information Security Management System (ISMS) concepts as required by ISO 27001; initiating an ISMS



Introduction to the management systems and the process approach



Presentation of the ISO 27000 family standards and regulatory framework



Fundamental principles of Information Security



Preliminary analysis and determining the level of maturity based on ISO 21827



Writing a business case and a project plan for the implementation of an ISMS

Planning the implementation of an ISMS based on ISO 27001



Defining the scope of an ISMS



Drafting an ISMS and Information Security policies



Selection of the approach and methodology for risk assessment



Risk management: identification, analysis and treatment of risk (based on ISO 27005)

(29)

29

Implementing an ISMS based on ISO 27001



Implementation of a document management framework



Design of and implementation of controls



Information Security training, awareness and communication program



Incident management (drawing on guidance from ISO 27035)



Operations management of an ISMS

Control, monitor and measure an ISMS and the certification audit of the ISMS in accordance with ISO 27001



Monitoring the ISMS controls



Development of metrics, performance indicators and dashboards in accordance with ISO 27004



ISO 27001 internal audit



Management review of an ISMS



PECB/ANSI Certification Exam (3 Hours)

General Information

After successfully completing the exam, participants can apply for the credentials of Certified ISO 27001 Provision Implementer, Certified ISO 27001 Implementer or Certified ISO 27001 Lead

Implementer, depending on their level of experience.

(30)

30

Information Security Management System

Certified ISO 27001 Lead Auditor (PECB/ANSI) – 4 Days

MASTERING THE AUDIT OF AN INFORMATION SECURITY MANAGEMENT

SYSTEM (ISMS) BASED ON ISO 27001, IN COMPLIANCE WITH THE

REQUIREMENTS OF ISO 19011 AND ISO 17021

This four-day intensive course enables the participants to develop the expertise needed to audit an Information Security Management System (ISMS), and manage a team of auditors by applying widely recognized audit principles, procedures and techniques. During this training, the participants will acquire the knowledge and skills needed to proficiently plan and perform internal and external audits in compliance with certification process of the ISO/IEC 27001 standard. Based on practical exercises, the participants will develop the skills (mastering audit techniques) and competencies (managing audit teams and audit program, communicating with customers, conflict resolution, etc.) necessary to conduct an audit efficiently.

Objectives



To acquire expertise of performing an ISO 27001 internal audit, following the ISO 19011 guidelines



To acquire expertise of performing an ISO 27001 certification audit, following the ISO 19011 guidelines and the specifications of ISO 17021 and ISO 27006



To acquire necessary expertise for managing an ISMS audit team



To understand the operation of an ISO 27001

Who Should Attend?

 Internal auditors

 Auditors wanting to perform and lead an ISMS certification audits

 Members of an Information Security team



Technical experts wanting to prepare for an Information Security audit function

Agenda

Introduction to Information Security Management System (ISMS) concepts as required by ISO 27001



Normative, regulatory and legal framework related to Information Security



Fundamental principles of Information Security



The ISO 27001 certification process



Detailed presentation of the clauses of ISO 27001

Planning and initiating an ISO 27001 audit



Fundamental audit concepts and principles



Audit the approach based on evidence and on risk



Preparation of an ISO 27001 certification audit



Documenting of an ISMS audit

(31)

31



Communication during the audit



Audit procedures: observation, document review, interview, sampling techniques, technical verification, corroboration and evaluation



Drafting test plans



Formulation of audit findings, drafting of nonconformity reports

Concluding and ensuring the follow-up of an ISO 27001 audit



Audit documentation



Conducting a closing meeting and conclusion of an ISO 27001 audit



Evaluation of corrective action plans



ISO 27001 surveillance audit and audit management program

PECB/ANSI Certification Exam

General Information

After successfully completing the exam, participants can apply for the credentials of Certified ISO 27001 Provision Auditor, Certified ISO 27001 Auditor or Certified ISO 27001 Lead Auditor, depending on their level of experience.

(32)

32

Information Security Management System

Certified ISO 27002 Lead Manager (PECB) – 4 Days

MASTERING

THE

FUNDAMENTAL

PRINCIPLES,

CONCEPTS

AND

IMPLEMENTATION OF THE BEST PRACTICES OF INFORMATION SECURITY

CONTROLS WITHIN THE PROCESS OF IMPLEMENTING AN INFORMATION

SECURITY MANAGEMENT SYSTEM (ISMS) BASED ON ISO/IEC 27002.

This four day intensive course enables the participants to develop the expertise needed to support an organization in implementing and managing the information security controls of an Information Security Management System (ISMS) based on ISO 27001. Participants will also be given a thorough grounding in the best practices used to implement information security controls from all the areas of ISO 27002. This training is consistent with the project management practices established in ISO 10006 (Quality Management Systems - Guidelines for Quality Management in Projects). It is also fully compatible with ISO 27003 (Guidelines for the Implementation of an ISMS), ISO 27004 (Measurement of Information Security) and ISO 27005 (Risk Management in Information Security).

Learning Objectives

 To gain a comprehensive understanding of the concepts, approaches, standards,

methods and techniques related to an ISMS and the required information security controls

 To understand the initiation, implementation, maintenance and improvement of the ISMS within an organization

 To acquire the necessary expertise to manage a team implementing ISO 27002

 To develop the knowledge and skills required to advise organizations on best practices in the management of information security controls To improve the capacity for analysis and decision making in the context of information security controls

Who Should Attend?

 Managers or consultants wanting to implement an Information Security Management System (ISMS)

 Project managers or consultants wanting to master the Information Security Management System implementation process

 Persons responsible for the information security or conformity in an organization

 Members of information security teams

 Expert advisors in information technology

 Technical experts wanting to prepare for an Information Security Audit function

 Persons responsible to develop their own information security management guidelines

Agenda

Introduction to Information Security Management System (ISMS) concepts and ISO 27002



Course objective and structure



Standard and regulatory framework



Fundamental Principles of Information Security



Introduction to Information Security Management System



Information security policies

(33)

33

Implementation of information security controls related to Human Resources, Asset Management and Access Control



Human resources security



Asset Management



Access Control

Implementation of information security controls related to Cryptography, Physical and Environment Security, Operations and Network



Cryptography



Physical and Environmental Security



Operations Security



Communications security

Implementation of information security controls for Systems, Supplier Relationships, Incident Management, Continuity and Compliance



System acquisition, development and maintenance



Supplier Relationships



Information security Incident Management



Information security aspects of business continuity management



Compliance



Golden Rules and Conclusion

PECB Certification Exam - 3 Hours

General Information

After successfully completing the “ISO 27002 Lead Manager” exam, participants can apply for the credentials of Certified ISO 27002 Provisional Lead Manager, Certified ISO 27002 Manager or Certified ISO 27002 Lead Manager, depending on their level of experience.

 In case of failure of the exam, the participants are allowed to retake it for free under certain conditions

(34)

34

Information Security Management System

Certified ISO/IEC 27034 Application Lead Security Implementer (PECB)

– 4 Days

MASTERING THE IMPLEMENTATION OF APPLICATION SECURITY (AS)

PROCESSES, ACTIVITIES AND SECURITIES TECHNIQUES ACROSS THE

ORGANISATION BASED ON THE INTERNATIONAL STANDARD ISO/IEC 27034 –

APPLICATION SECURITY

This four-day intensive course enables the participants to understand specific principles and concepts proposed by ISO/ IEC 27034 for AS and understand how they can be implemented, step by step, to help organizations to develop, acquire, implement, use, and maintain trustworthy applications, according to their specific business context, at an acceptable cost. More specifically, the ISO/IEC 27034 framework proposes components and processes to provide verifiable evidences that an application have reached and maintained a targeted level of trust as specified by the organization. The responsibility of a Certified ISO/IEC 27034 Application Security Lead Implementer is to assist organizations to put in place required 27034 framework elements and guide the organization to integrate Application Security Controls (ASC) seamlessly throughout the life cycle of their applications. AS applies not only to the software of an application but also to its other components and contributing factors that impact its security, such as its technological context, its regulatory context, its business context, its specifications, the sensitivity of its data, and the processes and actors supporting its entire life cycle. This framework applies to all sizes and all types of organizations (e.g. not only to commercial enterprises, government agencies and non-profit organizations that are using applications, but also to large, medium and small vendors that develop software, application and business services) exposed to security risks on information associated with their applications.

Learning Objectives

 To understand the implementation of AS in accordance with ISO/IEC 27034

 To gain a comprehensive understanding of the concepts, approaches, standards, methods and techniques required for the effective management of AS

 To understand the relationship between the components of an AS including risk

management, controls and compliance with the requirements of different stakeholders of the organization

 To acquire necessary expertise to support an organization in implementing, managing and maintaining an AS as specified in ISO/IEC 27034

 To acquire necessary expertise to manage a team implementing ISO/IEC 27034

 To develop knowledge and skills required to advise organizations on best practices in the management of AS

 To improve the capacity for analysis and decision making in the context of AS

Who Should Attend?

 Managers, such as information security managers, project managers, administrators, software development managers, application owners and line managers, who wish to:

(35)

35

represents for the organization;

 Prepare and to support organization in the implementation of an AS project

 Provisioning and operation teams such as architects, analysts, programmers, testers, system administrators, DBA, network administrators, and technical personnel, who wish to:

 minimize the impact of introducing ASC into organizations’ existing processes, such as design, development, test, deployment, operation, archival and destruction

 understand which controls should be applied at each stage of an application's life

cycle and witch one should be implemented inside the application itself

 Acquirers and Suppliers who wish to:

 prepare/comply to requests for proposals that include requirements for ASC and Level of Trust

 Auditors who wish to:

 fully understand the AS processes involves in the ISO/IEC 27034

Agenda

Introduction: AS overview and concepts as proposed by ISO/IEC 27034



Introduction to ISO/IEC 27034 AS and its global vision



Fundamental principles in Information Security



Overview, concepts, principles, definitions, scope, components, processes and actors involved in AS



Embedded implicit concepts



Presentation of the 27034 series:

 ISO/IEC 27034-1: Overview & concepts

 ISO/IEC 27034-2: AS in an organization

 ISO/IEC 27034-3: AS in a project

 ISO/IEC 27034-4: AS validation, verification and certification

 ISO/IEC 27034-5: AS structures requirements

 ISO/IEC 27034-5-1: XML Schemas

 ISO/IEC 27034-6: Examples and cases study

Implementation of AS based on ISO/IEC 27034



Security in application project

 The Application Security Management Process

 Provisioning and operating an application

 Maintaining the Actual Level of Trust on the Targeted Level of Trust

 Development of AS validation

Implementation of AS based on ISO/IEC 27034 (cont.)



AS at the organization level

 Goals of AS for a organization

 The Organization Normative Framework (ONF)

 The ONF committee

 The ONF Management process

 Integration of ISO/IEC 27034 elements into the organization’s existing processes

 Design, validation, implementation, verification, operation and evolution of ASCs

 The ASC libraries

 The AS Traceability matrix

 Drafting the certification process

Security guidance for specific organizations and applications



Case Study

(36)

36

application

 Developing ASCs

 Acquiring ASCs

AS validation and certification



The purpose of internal AS audit

 Minimize the cost of an audit

 Be sure you have all expected evidences ready



Overview of the AS validation and certification process under 27034.

 How to help an organization to be certified

 How to help an application project to be certified

Protocols and ASC data structure based on ISO/IEC 27034



An free formal languages for ASC communication



ISO/27034 proposed XML schemas,

 data structure, descriptions, graphical representation

ISO/IEC 27034 AS final review PECB Certification Exam – 3 Hours

General Information

After successfully completing the exam, participants can apply for the credentials of Certified ISO/IEC 27034 Application Security Provisional Implementer, Certified ISO/IEC 27034 Application Security Implementer or Certified ISO/IEC 27034 Application Security Lead Implementer,

depending on their level of experience.

(37)

37

IT Service Management

Certified ISO 20000 Lead Implementer (PECB/ANSI) – 5 Days

MASTERING THE IMPLEMENTATION AND MANAGEMENT OF A SERVICE

MANAGEMENT SYSTEM (SMS) BASED ON ISO 20000

This five-day intensive course enables the participants to develop the necessary expertise to support an organization in implementing and managing a Service Management System as specified in ISO/IEC 20000-1. Also, the participants will gain a thorough understanding of in best practices for planning and implementing the Service Management processes starting from the fields of ISO 20000 planning and implementing new and changed services, service delivery process, relationship management processes, problem resolution process, control processes and release processes. This training is consistent with the project management practices established in ISO 10006 (Quality Management Systems - Guidelines for Quality Management in Projects). This training is fully compatible with ISO 20000-2 (Guidelines for the Implementation of an SMS) and ITIL.

Learning Objectives

 To understand the implementation of a Service Management System in accordance with ISO 20000

 To gain a comprehensive understanding of the concepts, approaches, standards, methods and techniques allowing an effective management of a Service Management System

 To know the interrelationships between ISO/IEC 20000-1, ISO/IEC 20000-2 and ITIL

 To acquire expertise to support an organization in implementing, managing and maintaining a Service Management System (SMS) as specified in ISO/IEC 20000

 To acquire the necessary expertise to manage a team in implementing the ISO 20000 standard

Who Should Attend?

 Project managers or consultants willing to implement of a Service Management System (SMS)

 ISO 20000 auditors who wish to fully understand the SMS implementation process

 Individuals responsible for the SMS conformity in an organization

 Technical experts wanting to prepare for a SMS function

Agenda

Introduction to Service Management System (SMS) concepts as required by ISO 20000; initiating a SMS



Presentation of the ISO 20000 family of standards and comparison with ITIL V2 and V3



Fundamental principles of Service Management System



Preliminary analysis and establishment of the maturity level of an existing SMS



Writing a business case and a project plan for the implementation of a SMS

Planning a SMS based on ISO 20000



Definition of the scope of a SMS

(38)

38



Budgeting and accounting for IT services

Implementing a SMS based on ISO 20000



Change, configuration, release, capacity and availability management



Service continuity and security management



Incident and problem management



Operations management of a SMS

Controlling, monitoring, measuring and improving a SMS certification audit of a SMS in accordance with ISO 20000



Controlling and monitoring a SMS



Development of metrics, performance indicators and dashboards



ISO 20000 internal audit and management review



PECB/ANSI Certification Exam – 3 Hours

General Information

After successfully completing the exam, participants can apply for the credentials of Certified ISO/IEC 20000 Provisional Implementer, Certified ISO/IEC 20000 Implementer or Certified ISO/IEC 20000 Lead Implementer, depending on their level of experience.