Page 1: ISO 27005 Risk manager Course Student Handbook

e Portfolio

Certified ISO 27005 Risk Manager release 1.0.0

PARTICIPANT HANDBOOK

Sample Material - Not for Reprint


Copyright Certified ISO 27005 Risk Manager, Classroom course, release 1.0.0

Copyright and Trademark Information for Partners/Stakeholders.

ITpreneurs Nederland B.V. is affiliated to Veridion.

Copyright © 2013 ITpreneurs. All rights reserved.

Please note that the information contained in this material is subject to change without notice. Furthermore, this material contains proprietary information that is protected by copyright. No part of this material may be photocopied, reproduced, or translated to another language without the prior consent of ITpreneurs Nederland B.V.

The language used in this course is US English. Our sources of reference for grammar, syntax, and mechanics are from The Chicago Manual of Style, The American Heritage Dictionary, and the Microsoft Manual of Style for Technical Publications.


Certified ISO 27005 | Risk Manager | Participant Handbook

Copyright © 2013, ITpreneurs Nederland B.V. All rights reserved. 1

Follow Us

Before you start the course, please take a moment to:

“Like us” on Facebook

http://www.facebook.com/ITpreneurs

“Follow us” on Twitter

http://twitter.com/ITpreneurs

"Add us in your circle" on Google Plus

http://gplus.to/ITpreneurs

"Link with us" on Linkedin

http://www.linkedin.com/company/ITpreneurs

"Watch us" on YouTube

http://www.youtube.com/user/ITpreneurs


Contents

Certified ISO 27005 Risk Manager

Day 1 --------------------------------------------------- 5

Day 2 --------------------------------------------------- 59

Exam Preparation Guide ---------------------------------- 133

Appendix A: Case Study ---------------------------------- 143

Appendix B: Exercises List ------------------------------ 151

Appendix C: Correction Key for Exercises ---------------- 167

Appendix D: Release Notes ------------------------------- 179

Participant Feedback Form ------------------------------- 181


Day 1

Certified ISO 27005 Risk Manager


DAY 1

Certified ISO 27005 Risk Manager

2

Section 1: Course objectives and structure

a. Meet and greet

b. General information

c. Training objectives

d. Educational approach

e. Examination and certification

f. PECB

g. Schedule of the training


3

Activity: Meet and greet

4

General Information

Smoking area

Meals

Timetable and breaks

Use of mobile phones and recording devices

Absences

Use of a computer and access to the Internet


5

Training Objectives: Acquiring Knowledge

1. Understand the basic concepts of risk management related to information security

2. Explain the goal, content and correlation between ISO 27005, ISO 31000 and ISO 27001, as well as with other standards and regulatory frameworks

3. Explain the functioning of a risk management system according to ISO 27005 and ISO 31000 and its key processes

6

Training Objectives: Development of Competencies

1. Acquire the knowledge necessary for the implementation, management and maintenance of an ongoing risk management programme

2. Interpret the requirements of ISO 27001 on risk management

3. Acquire the skills necessary to effectively advise organizations on best practices in risk management

4. Strengthen the personal qualities necessary to act with due professional care when implementing a risk management programme


7

Course Structure

Student oriented

8

Examination

Competency domains

1. Fundamental principles and concepts in information security risk management

2. Information security risk management program

3. Information security risk assessment

4. Information security risk treatment

5. Information security risk communication, monitoring and improvement


9

Certified ISO 27005 Risk Manager

Prerequisites for Certification

1. Pass the exam

2. Adhere to the PECB Code of Ethics

3. 2 years of professional experience

4. 1 year of risk management experience

5. 200 hours of risk management activity

6. Professional references

10

Certificate

Candidates who meet all the prerequisites for certification will receive a certificate.


11

What is PECB?

Professional Evaluation and Certification Board

Main services:

1. Certification of personnel (Auditor and Implementer)

2. Certification of training organizations

3. Certification of trainers

12

Customer Service

Comments, questions and complaints (parties: training participant, training provider, PECB)

1. Submit a complaint (participant to training provider)

2. Answer in writing (training provider to participant)

3. Appeal (to PECB)

4. Final arbitration (PECB)


Day 2

Certified ISO 27005 Risk Manager


DAY 2

Certified ISO 27005 Risk Manager

2

Section 6: Risk identification

a. Techniques for gathering information

b. Identification of assets

c. Identification of threats

d. Identification of existing controls

e. Identification of vulnerabilities

f. Identification of consequences


3

1. Risk Management Programme

Risk Assessment:

2. Context Establishment

3. Risk Identification

3.1 Identification of assets

3.2 Identification of threats

3.3 Identification of existing controls

3.4 Identification of vulnerabilities

3.5 Identification of consequences

4. Risk Analysis

4.1 Assessment of consequences

4.2 Assessment of incident likelihood

4.3 Level of risk determination

5. Risk Evaluation

5.1 Evaluation of levels of risk based on risk evaluation criteria

6. Risk Treatment

6.1 Risk treatment options

6.2 Risk treatment plan

6.3 Evaluation of residual risk

7. Risk Acceptance

7.1 Risk treatment plan acceptance

7.2 Residual risk acceptance

8. Risk Communication and Consultation (runs alongside all steps)

9. Risk Monitoring and Review (runs alongside all steps)

4

Information Gathering Techniques

Questionnaire surveys: sending questionnaires to a sample of people who represent the stakeholders

Interviews: interviews with key persons at different hierarchical levels within the organization

Documentation review: reading and analysis of relevant documentation (internal policies, procedures, previous audit reports, legal opinions, contracts, etc.)

Scanning tools: use of technical tools to detect technical vulnerabilities, establish a list of assets present on a network, perform a code review, etc.


5

Individual and Group Interviews

Individual interviews usually provide more accurate information and therefore allow a more accurate risk assessment.

Group interviews are more effective for establishing basic criteria, reaching a consensus on the risk assessment, discussing treatment options, etc.

6

Conducting an Interview

Use open-ended questions and avoid closed-ended or leading questions

Ensure you cover all the subjects while controlling the time

Take notes during the interview

Ask questions to clarify a response or situation


7

3.1. Identification of Assets

ISO 27005, clause 8.2.2

Input: scope and boundaries; list of assets with their owners; business processes; premises, etc.

Activities: identification of assets included in the scope

Output: list of assets to be risk-managed; list of business processes related to assets and their relevance

8

Asset

ISO 27000, clause 2.3 and ISO 27005, annex B

Definition: anything that has value to the organization

Asset categories

Primary assets: business processes, information assets

Supporting assets: hardware, software, network, personnel, site, organization's structure


9

Creating an Inventory of Assets

ISO 27002, clause 7.1.1

For each asset, the inventory records:

Asset type

Its format

Its location

Its owner

Its user license

Backup information

Its value

The inventory of assets requires continuous updating and verification.

10

Identification of Business Processes

Business processes to be considered are those that:

Support the organization's mission and are vital to its achievement

Involve the handling of confidential information

Relate to legal and/or contractual obligations


11

Main Business Processes

Example based upon the value chain of Porter

Support processes: Finance & accounting; Management of infrastructure; Human Resources management; Research & Development

Primary processes: Design; Marketing; Sales; Distribution; Production; Customer service

A second, more detailed example of a chain: R&D; Design; Marketing; Supply; Transformation (Manufacturing, Quality control, Packaging); Export; After-sale services

12

Identification of Information Assets

Information assets to be considered are those that are:

Vital to the organization so that it can achieve its mission

Containing information that has economic, administrative or legal value for the organization

Subject to costs for collection, acquisition or storage

Examples: customer data, patents, financial statements, R&D


13

Identification of Supporting Assets

Categories

Hardware: all the physical elements supporting processes. Examples: server, laptop, printer, disk drive, CD-ROM, etc.

Software: all the programs contributing to data processing. Examples: operating system, word processing software, accounting software, etc.

Networks: all telecommunications devices used to interconnect several physically remote computers or elements of an information system. Examples: router, firewall, network cable, switch, bridge, etc.

Personnel: all people involved in the information system. Examples: owner, user, developer, trustee, client, decision maker, etc.

Sites: physical places where operations take place. Examples: desktop, server room, staff residence, secure area, air conditioning system, etc.

Organization's structure: the organizational framework assigned to the realization of the activities. Examples: headquarters, division, department, project teams, subcontractors, suppliers, etc.

14

Primary and Supporting Assets

Examples of links

Process (primary): R&D, Sales, Design, Production, Accounting

Information (primary): Patents, Customer data, Marketing Research Report, Financial Statements, Source Code

Hardware (supporting): Server, Laptop, External Drive, Network, Printer

Software (supporting): CRM, Word processing, Excel, Production Simulation, Accounting

Personnel (supporting): Marketing Specialist, Network Administrator, Database Manager, Finance Director, Sales Representative


15

Identification of the Asset Owners

ISO 27001, clause A.7.1.2

An owner must be identified for each asset, to establish responsibility and traceability for assets.

The asset owner does not necessarily have property rights over the asset, but has responsibility for its production, development, maintenance, operation and security.

The owner is often the person best suited to determine the value of the asset for the organization.
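The inventory fields, the links between primary and supporting assets, and the rule that every asset needs an owner translate directly into a small asset register with consistency checks. The Python below is an added example and is not material from the handbook, PECB or ITpreneurs. The asset identifiers, names, locations and values are constructed, and the rule that a supporting asset inherits the highest value of the primary assets that depend on it is one common reading of ISO 27005 Annex B, assumed here for illustration rather than stated on the slides.

```python
"""Asset register with identification checks (constructed example, not from the handbook).

Models the primary/supporting asset split from the slides and flags the gaps a
risk manager must close before risk analysis: assets without an owner, primary
assets with no identified supporting assets, dependencies on unregistered assets,
and supporting assets not linked to any primary asset.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Category(Enum):
    # Primary assets
    PROCESS = "business process"
    INFORMATION = "information"
    # Supporting assets
    HARDWARE = "hardware"
    SOFTWARE = "software"
    NETWORK = "network"
    PERSONNEL = "personnel"
    SITE = "site"
    ORGANIZATION = "organization's structure"


PRIMARY = {Category.PROCESS, Category.INFORMATION}


@dataclass
class Asset:
    asset_id: str
    name: str
    category: Category
    owner: Optional[str] = None          # accountable person, not the legal title holder
    location: str = ""
    value: int = 0                       # business value on an assumed 0..4 scale, set on primary assets
    depends_on: List[str] = field(default_factory=list)  # ids of assets this one relies on


class AssetRegister:
    def __init__(self) -> None:
        self.assets: Dict[str, Asset] = {}

    def add(self, asset: Asset) -> None:
        if asset.asset_id in self.assets:
            raise ValueError(f"duplicate asset id {asset.asset_id}")
        self.assets[asset.asset_id] = asset

    def findings(self) -> List[str]:
        """Identification gaps, sorted so the output is stable for review."""
        out: List[str] = []
        supported = set()
        for a in self.assets.values():
            if not a.owner:
                out.append(f"{a.asset_id}: no owner assigned")
            for dep in a.depends_on:
                if dep in self.assets:
                    supported.add(dep)
                else:
                    out.append(f"{a.asset_id}: depends on unknown asset {dep}")
            if a.category in PRIMARY and not a.depends_on:
                out.append(f"{a.asset_id}: primary asset with no supporting assets identified")
        for a in self.assets.values():
            if a.category not in PRIMARY and a.asset_id not in supported:
                out.append(f"{a.asset_id}: supporting asset not linked to any primary asset")
        return sorted(out)

    def inherited_value(self, asset_id: str) -> int:
        """Highest value among primary assets that depend, directly or transitively, on asset_id.

        Assumed convention: a supporting asset is worth what it supports. A primary
        asset that is itself the target contributes its own value.
        """
        best = 0
        for a in self.assets.values():
            if a.category in PRIMARY and self._reaches(a, asset_id, set()):
                best = max(best, a.value)
        return best

    def _reaches(self, asset: Asset, target: str, seen: set) -> bool:
        if asset.asset_id == target:
            return True
        if asset.asset_id in seen:       # guard against dependency cycles
            return False
        seen.add(asset.asset_id)
        return any(
            dep in self.assets and self._reaches(self.assets[dep], target, seen)
            for dep in asset.depends_on
        )


def build_example_register() -> AssetRegister:
    """Constructed sample data echoing the slide's link examples; ids, locations and values are invented."""
    reg = AssetRegister()
    reg.add(Asset("P-RD", "Research & development", Category.PROCESS, "R&D Director", value=4, depends_on=["I-SRC"]))
    reg.add(Asset("I-SRC", "Source code", Category.INFORMATION, "R&D Director", "Git server", 3, ["H-SRV", "H-LAP", "N-LAN"]))
    reg.add(Asset("H-SRV", "Build server", Category.HARDWARE, "Network Administrator", "Server room"))
    reg.add(Asset("H-LAP", "Developer laptop", Category.HARDWARE, None, "Off site"))   # owner gap
    reg.add(Asset("P-SALES", "Sales", Category.PROCESS, "Sales Director", value=2))    # no supporting assets yet
    reg.add(Asset("S-CRM", "CRM", Category.SOFTWARE, "Database Manager"))              # linked to nothing
    return reg


if __name__ == "__main__":
    register = build_example_register()
    for line in register.findings():
        print(line)
    print("H-SRV inherits value", register.inherited_value("H-SRV"))
```

findings() is the gate before risk analysis: an asset with no owner has nobody to value it or to accept residual risk on it, a primary asset with no supporting assets cannot have threats and vulnerabilities identified against it, and a supporting asset linked to nothing is either an inventory error or out of scope. The "N-LAN" dependency is deliberately left unregistered to show how a dangling link surfaces.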
