ISO 27005 Risk Management Professional Certification («HSR»)

Certification professionnelle

This course is designed to help the participant conducting a risk assessment and implement a risk management program based on the ISO 27005 standard.  The course also presents the participant with a detailed view of the AS/NZ:4360 and the Common Criteria (ISO 15408 Standard) so you acquire the necessary knowledge to adress both the business and technical side of risk management. 
Coupled with EBIOS, a freely available Risk Assessment Software, ISO 27005, AS/NZ:4360 and the Common Criteria offer a structured approach to examine the way in which security is taken into account for the design, development, implementation and operation of the organization information system.
Taking place over five days, including the official certification exam, the course objectives are to train the audience to conduct a risk assement using EBIOS and to build a Risk Management System (RMS) and process based on ISO:27005 & AS/NZ:4360. The lectures and exercises also included guidelines for technical security assessment based on ISO 15408.

1. Day 1 - Review of the standards
   • History and introduction to the standards (ISO 27005, AS/NZ:4360, ISO 15408-1/2/3) 
   • Detailed review of the ISO 27005 Standard
   • Detailed review of AS/NZ:4360 Standard
   • Overview of the ISO 15408 Part 1, 2 & 3 standard
2. Day 2 - The Risk Assessment & Management Process
   • Overview of the Risk Management System (RMS) & Process
   • Asset discovery, classification & valuation
   • Risk analysis & assessment
   • Controls: types & selection
   • Reporting, recommandation & residual risks
   • Organizational risk management process & maintenance of RMS
3. Day 3 - Information Assets VS. Risk & Controls
   • Building an asset registry
   • Conducting the risk analysis
   • Selecting the controls (Based on ISO 27001 & 27002)
   • Knowing & tracking residual risk
4. Day 4 - Risk Analysis & Assessment using EBIOS (Case Study & Hands-on)
   • Using EBIOS to conduct an analysis or evaluation of the security of a product
   • Using EBIOS to establish a Protection Profile for a typical software application
   • Using EBIOS to establish a Protection Profile for an information system
   • Using EBIOS to conduct the analysis of an organisation
   • Producing a Statement of Applicability based on risk and management decision
5. Day 5 - Examination
   • 3-hours examination leading to certification as an ISO 27005 Risk Management Professionnal. EBIOS has been created by the French Army.  The Common Criteria standard is endorsed by the many army corpse around the world including the ones from France, Canada, USA, Germany, Australia...