Nina Ugrinoska
August 29, 2016
Updated: August 20, 2023.
In the last four years I have been preparing and delivering many ISO 27001 Lead Auditor training courses. By the end, participants understand that the course is only the start of the climb to becoming a professional auditor of an ISMS (Information Security Management System). This training is not like most others, where you complete the course, receive your certificate, and you are done. Lead Auditor training is only the first step: it takes a lot of experience, a lot of mistakes, and a lot of hard work to become a genuinely professional ISMS auditor.
First of all, you will learn what a management system actually is. Participants usually arrive with quite different ideas about how such systems work, and getting this right is the foundation for any further career in management systems. A management system is simply a structured way of running the business according to defined rules and guidance, documented policies and procedures, and clearly assigned responsibilities and authorities.
Further on, you will learn about the HLS (High Level Structure) of the management systems, mandatory requirements, and the risk-based approach. Use this free Checklist of mandatory documentation required by ISO 27001 to see the mandatory documents required by the standard.
The training then moves on to the Annex A controls.
Finally, attendees cover audit techniques together with the audit requirements, so that they can carry out an audit in a professional manner.
Note that there is also Lead Implementer training, which is similar to the Lead Auditor training. However, there are significant differences between them, and you can learn about them in the article Lead Auditor Course vs. Lead Implementer Course – Which one to go for?
Classroom-based training usually takes five days, with the exam on the last day; passing the exam is mandatory to obtain your certificate. Exams vary from one training provider to another.
Training is roughly organized as follows (and could differ based on training provider):
Day 1 – Introduction of ISO 27001, basic principles, definitions and understanding of the ISMS as a complex environment, considering a risk-based approach (i.e., risk assessment results are input for implementation of certain controls).
Day 2 – Training continues with clarification of the ISO 27001 requirements, followed by an explanation of Annex A, the information security controls reference. In the 2022 edition of the standard, Annex A consists of 4 themes (organizational, people, physical, and technological) and 93 controls. In this session participants learn what the SoA (Statement of Applicability) is and how to identify and justify exclusions. Read the article Understanding the ISO 27001 controls from Annex A to get familiar with Annex A.
Day 3 – Starts with audit definitions, audit planning and audit preparation, and the competence and responsibilities of Lead Auditors. It then moves on to ethical principles, professional (personal) behavior, and the knowledge and skills a Lead Auditor needs.
Day 4 – Covers the audit activities themselves: use of checklists, opening meetings and initial document review, collecting and verifying information using audit techniques, how to select the audit team and run audit team meetings, how to identify and evaluate audit findings (nonconformities, observations and good practice), and how to communicate them to the auditee on the basis of objective evidence.
Day 5 – The last day covers judgment and reporting of audit findings, how to conduct the closing meeting, how to prepare and distribute the audit report, how to complete the audit and set requirements for follow-up audits, how to prepare a summary of key learning points and objectives, how to document participant feedback, and finally the exam.
Alternatively, you can go for online training, which is not structured in full days like the classroom-based one, but still covers the same topics. If you are highly organized, you can achieve the same benefits with an online course, without needing to leave your daily tasks or your office for five days.
During this training you will usually get (at least) three hands-on work sessions per day, following the agenda topics. Be prepared to participate actively in the workshops, since this is the best way to understand how an ISMS works in real life. The auditor workshops teach you how to conduct yourself and ask questions in a professional manner, and how to practice active listening.
The most important thing is to give the ISMS principles a chance and to accept that they bring benefits and value to any organization. It is an advantage to have ICT skills, a previous management role, and prior professional involvement with information security systems.
I have had participants who did not believe in these principles and attended only because their boss or their company needed an employee with the certificate. It is very difficult to work with such people and bring them to the level of knowledge, and of conviction, that this system can help any organization succeed and get the most out of its ISMS. If you are one of the skeptics, just open your mind, listen to the trainer, and identify the requirements that apply to your own ISMS. Instead of hunting for arguments against the standard, concentrate on the findings that will help you improve your ISMS. Trust me: this is how you get the most out of the training.
You will then be eligible to move on with a professional career in information security implementation, operations, consultancy, and ISMS auditing. This is a starting point for your future promotion, capability, and knowledge to succeed in the world of information security and to become part of the auditing community. ISMS auditors are well recognized and in demand in the 21st century, the era of information: having the right information at the right moment leads to success (and to damage, if it falls into the wrong hands), so we need to protect it as well as we can. Internal audits of the ISMS are a mandatory requirement of ISO 27001 (clause 9.2), so Lead (Internal) Auditors are among the most sought-after positions.
An excellent alternative to classroom-based training, this completely free ISO 27001 Lead Auditor course consists of 30 hours of video lessons and practical information about the standard, as well as how to prepare for the audit, lead the ISO 27001 audit team, perform the audit, and prepare the final audit report.