2025-02-14 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Learning experience of Auditor, Director of ISO27001LA Information Security Management system
In May, when the weather is neither cold nor hot and the greenery is lush, the Shanghai Information Training Center ISO27001LA class began! This class could be called not only an information security management system lead auditor training class, but also a "classmates' reunion class". Of the five students in this session, three unexpectedly discovered on the first day that they had previously attended CISA (Certified Information Systems Auditor) and CBCP (Certified Business Continuity Professional) training together. The old classmates recognized each other and the atmosphere soon became lively. The two new students caught the mood and introduced themselves like old friends, which quickly created a relaxed and comfortable learning environment.
The course is taught by Tiger from Taiwan, who has worked with Shanghai Information Training Center for 15 years, is an IRCA registered lecturer, was president of TUV Asia Pacific (Germany), and was named the best lecturer in the Asia Pacific region. Before the course started, teacher Tiger introduced himself and the course, as well as the training schemes recognized by IRCA, such as ISMS (ISO/IEC 27001:2013), ITSMS (ISO/IEC 20000-1 ISMS 2001) and so on. After introducing himself and IRCA, teacher Tiger proposed that the students introduce themselves in the form of an "ice-breaking" exercise: students pair up and introduce each other, explaining why they want to study ISO27001LA and how much they already know about it. Following the teacher's instructions, the students began introducing each other and quickly settled into the training.
1. What exactly does ISO27001LA talk about and what problems can it help enterprises solve?
The ISO27001 standard, issued by the International Organization for Standardization as the international standard ISO27001:2005, has become the common international language of "information security management". It was updated and revised to ISO27001:2013 on September 27th, 2013, a version that is more closely integrated with ISO 9000 and ISO 20000. ISO27001 has been adopted by more than 18000 government agencies and well-known enterprises around the world. Its approach is to enter the information security needs of an enterprise through "risk assessment" and "risk management", so as to effectively reduce the risks the enterprise faces. ISO27001:2005 had 11 domains with 133 control points, while ISO27001:2013 has 14 domains with 114 control points (39 control points were deleted and 20 control points were added relative to the old version). An organization with ISO27001LA-qualified employees can:
- train qualified auditors to scientifically evaluate the organization's information assets, improve security effectiveness, and provide more effective services for the organization's business operations;
- protect information from various threats and establish a detailed disaster recovery plan to ensure business continuity and reduce business losses;
- evaluate security-related management policies, procedures and practices to form a corporate culture of "information security is everyone's responsibility";
- demonstrate the organization's information security management capabilities, prepare for registration, and gain the full trust of customers.
2. What kind of customer enterprises is the ISO27001LA course suitable for?
The establishment of an information security management system (ISMS) has become an indispensable mechanism for organizations of all kinds, especially high-tech industries and financial institutions, to manage operational risk. In some industries, such as software outsourcing, ISO27001 certification has become a prerequisite set by customers. Individuals who want to become ISO27001LA (IRCA) registered auditors need to attend training courses approved by IRCA and accumulate audit experience; this experience can be second-party or third-party audit experience. For courses not approved by IRCA, it must be proved that the training meets IRCA's requirements. IRCA is an independent organization: IRCA approval means that an individual is not only an auditor of a particular audit institution, but an internationally recognized IRCA auditor, recognized by all audit institutions, which carries higher value. Training and certificates not recognized by IRCA are recognized only by the issuing institution, while certificates and training recognized by IRCA are recognized internationally.
3. What kind of people in the enterprise need to learn ISO27001LA?
ISO27001LA is suitable for enterprise personnel interested in introducing ISO27001 and information technology service management systems; auditors of information technology service management systems who want to improve their audit skills; consultants who want to engage in the introduction and verification of ISO27001 information technology service management systems; and information technology and quality experts.
Students participating in ISO27001LA should have experience in information technology service or information technology service management, basic knowledge of ISO27001 and basic concepts of information technology service management system. The benefits that can be brought to individuals by studying ISO27001LA in SITC are as follows:
- in-depth understanding of ISO27001, ISO27002 and other relevant provisions;
- mastery of the process and methods of establishing and implementing an ISMS;
- mastery of the knowledge and skills needed to audit and monitor an ISMS;
- an ISO27001LA certificate recognized by IRCA;
- membership of the SITC alumni circle, with priority to participate in alumni activities.
4. What is the overall framework of the ISO27001LA curriculum?
The following picture shows the overall framework of ISO27001LA's curriculum.
Compared with ISO 27001:2005, ISO 27001:2013 has many changes in structure and detail, and its compatibility and flexibility have been enhanced. Notable points include the following:
a. Text structure: consistent with the ISO management system standard template Annex SL (previously ISO Guide 83) in text structure, and consistent with the ISO 31000 risk management standard in its principles. In practice, it is easier to integrate with ISO 9000, ISO 20000, ISO 22301 and other standard systems.
0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement
b. Domains and controls: optimized from 11 domains in the 2005 version to 14 domains. The controls used are determined by the risk management process and no longer have to be selected from Appendix A. The significance of the 114 controls listed in Appendix A is to provide a cross-check to ensure that no necessary control is omitted.
c. Risk assessment and treatment methodology: assets, vulnerabilities and threats are no longer required to be the basis of risk assessment. Any risk identification method may be used, as long as it identifies the risks to CIA (confidentiality, integrity and availability). The "asset owner" is replaced by the concept of "risk owners", and responsibility moves up accordingly.
d. Continuous improvement methodology: a methodology other than PDCA may be used.
5. Summary of the reasons why the current trainees participate in ISO27001LA
As mentioned earlier, before the class began, teacher Tiger asked the students to introduce themselves and their reasons for taking ISO27001LA.
Chen, a student of Wengchuang Chemistry, said that he had been in the company for more than 10 years, had been in the IT,12 and transferred to the business department, and had participated in the 05 version of ISO27001LA before. Now he wants to know how the upgraded ISO27001LA is different from that before.
Mitsubishi Bank students said that the company has not yet established information security standards and would like to know the latest situation in this area.
Students from SAIC GM's Shenyang branch said that it has been less than a year since they took over information security, and the company needs to build its own information security standards in August this year and wants to improve its professional knowledge through training.
Students from Pudong Development Silicon Valley said that they are currently engaged in project management, and studying ISO27001LA will certainly be helpful to their current work.
As you can see, whether the motivation is the current job or an interest in the theory of this field, it is as teacher Tiger said at the beginning: the information security course changed his career. The students who took the information security course in the early days are now leading figures in the industry. It is not too late; it is never too late.
Attachment: http://down.51cto.com/data/2367750