Risk Management ISO 27005 Risk Methodologies


Acquire the expertise to establish and operate an Information Security Risk Management (ISRM) program based on ISO/IEC 27005 and supported by information risk management methodologies.


The Risk Management 27005 Risk Methodologies course follows a case-study approach, enabling participants to apply the concepts of this ISO information security risk management standard in a realistic scenario. Based on a practical methodology developed by Behaviour, the course prepares participants to implement and operate an Information Security Risk Management (ISRM) program based on ISO/IEC 27005, which can be implemented as part of any organizational, legislative or regulatory requirement, or as part of the implementation of an Information Security Management System (ISMS) that conforms to the requirements of ISO/IEC 27001.

The second part of the course includes the presentation and implementation of several information security risk methodologies known on the market, applied to the case study provided. The methodologies presented include NIST-800-30r1, MSRMG, OCTAVE, MAGERIT and EBIOS, plus a high-level presentation of the MEHARI, FAIR and M_o_R methods.

The content of the Risk Management 27005 Manager course is included, so it is neither a prerequisite nor a required training path for the Risk Management 27005 Risk Methodologies course.

This Training Plan and all associated documents are protected by copyright and registered as a literary work with IGAC – Portugal.



Next GUARANTEED DATES: 17-Feb-2025


Course evaluation: 4.6 out of 5


Introduction

This course is available to be delivered in a classroom and Live-Training model. Live Training brings the dynamic environment of the classroom to your desk. Using your computer, you interact with the trainer and the other trainees as if you were with them in the classroom.

On this course, students acquire the expertise to establish and operate an Information Security Risk Management (ISRM) program based on ISO/IEC 27005 and supported by well-known information risk management methodologies.
Besides the fundamental concepts related to information security and risk management and a clause-by-clause overview of the ISO/IEC 27005 standard and related guidance, the course leads students through a step-by-step customized BEHAVIOUR methodology to implement an Information Security Risk Management (ISRM) program based on the ISO/IEC 27005 international standard in an organization, either as a new or existing stand-alone ISRM program, or in support of the implementation of an Information Security Management System (ISMS) based on ISO/IEC 27001.
The information security risk management implementation process covered in this course is supported by ISO/IEC 27005 and related standards of the ISO/IEC 27000 family (ISO/IEC 27001, ISO/IEC 27002, among others), and by additional recognized international guidance such as the ISO 31000 standards and the NIST information security risk standards (including NIST 800-30r1), among others.
The second part of the course includes the presentation and implementation of several well-known information security risk methodologies on the market, applied to the case study provided. Throughout the course, students are given more in-depth or more high-level details on implementing each of these methods (the level of detail varies from method to method). The methodologies presented include NIST-800-30r1, MSRMG, OCTAVE, MAGERIT and EBIOS, plus a high-level presentation of the MEHARI, FAIR and M_o_R methods.
Based on a real-world adapted case-study organization, and supported by several approaches, templates and other tools, including discussions and practical exercises, students team up with their peers during this course and are challenged to demonstrate their Manager skills by implementing an ISRM program for this organization. This training methodology trains and prepares students to successfully implement the ISO/IEC 27005 standard in a real-world environment with the support of well-known risk management methodologies.

Methodology
This course is based on theoretical and practical sessions supported by a real-world adapted case study.
The course includes hands-on practical and theoretical exercises to:
  • better prepare students for real-world challenges;
  • increase the likelihood of success on the certification exam;
  • train and prepare professionals to participate in an ISRM implementation program based on ISO/IEC 27005 or as part of an ISMS implementation based on ISO/IEC 27001;
  • prepare participants to select and implement the information security risk method most suited to the needs of their organization.

Target Audience
This course is intended for:
  • Information Security and/or IT Consultants, Auditors, Managers or Risk Professionals
  • CISOs, CIOs, CSOs or any Executive or Senior Manager responsible for ensuring the alignment and delivery of value from Information Security Risk Management to the organization
  • Professionals responsible for Information Security/IT Governance in the organization
  • Any professional, whether in IT, information security, risk management, business or any other area, involved in the establishment, implementation, operation and/or continual improvement of an Information Security Risk Management program, stand-alone or as part of an Information Security Management System (ISMS) based on ISO/IEC 27001
  • Anyone who wants to learn the fundamentals of ISO/IEC 27005 and acquire the expertise to implement an ISRM program based on this standard

Prerequisites
Students should understand English, as the course documentation is in this language. Please consult BEHAVIOUR to verify the availability of the course in other languages.

Duration (days)
5 days.

General Objectives
At the end of this course students will be able to:
  • Acquire the fundamental knowledge of the concepts related to information security risk management, including standards, frameworks and methods
  • Understand the main concepts of ISO/IEC 27005 and know how to apply and implement the guidance of the standard to support the implementation of an Information Security Risk Management (ISRM) program in an organization
  • Know how to use ISO/IEC 27005 to support the implementation of an Information Security Management System (ISMS) based on ISO/IEC 27001
  • Draft and adapt a custom information security risk management plan based on ISO/IEC 27005, ISO 31000 and well-known available methodologies to continually support the business strategy and challenges of an organization
  • Monitor, review and improve a risk management program, including the maintenance of risk management practices and of residual risk at acceptable levels based on the risk appetite and tolerance
  • Support the organization in achieving and maintaining an ISRM program in compliance with the guidance of ISO/IEC 27005 and with the ISO/IEC 27001 certification requirements
  • Acquire the knowledge to implement several well-known information security risk methodologies on the market, including NIST-800-30r1, MSRMG, OCTAVE, MAGERIT and EBIOS, and a high-level understanding of the MEHARI, FAIR and M_o_R methods

Programme
  1. Introduction to Information Security Risk Management, the ISO/IEC 27005 standard, program, and context establishment
    • Course introduction
    • Information security risk management standards, legislation, and regulation
    • Information security risk management fundamentals
    • Presentation and overview of the ISO/IEC 27005 guidance
    • Planning and implementing an information security risk management program
    • Information security risk management context establishment

  2. Information security risk assessment, treatment, and acceptance; risk communication, consultation, monitoring and review
    • Information security risk identification
    • Information security risk analysis: quantitative and qualitative approaches
    • Information security risk evaluation
    • Information security risk treatment: treatment options and selection of controls, drafting the risk treatment plan and identification of residual risks subject to acceptance
    • Information security risk acceptance: approval of risk treatment plans and residual risk
    • Information security risk communication and consultation
    • Information security risk monitoring and review
    • Personnel certification and closing the training

  3. Presentation and implementation of the NIST-800-30r1 and MSRMG methodologies
    • Presentation and implementation of the NIST-800-30r1 method
    • Presentation and implementation of the MSRMG method

  4. Presentation and implementation of the OCTAVE and MAGERIT methodologies
    • Presentation and implementation of the OCTAVE method
    • Presentation and implementation of the MAGERIT method

  5. Presentation and implementation of the EBIOS methodology; other methods
    • Presentation and implementation of the EBIOS method
    • Presentation of the MEHARI method
    • Presentation of the FAIR method
    • Presentation of the M_o_R method

Exam
The “Certified Risk Management 27005 Manager” exam covers the following competence domains:
  • Domain 1: Information security risk management fundamentals and ISO/IEC 27005 guidelines
  • Domain 2: Information security risk management program based on ISO/IEC 27005
  • Domain 3: Information security risk assessment based on ISO/IEC 27005
  • Domain 4: Information security risk treatment and acceptance based on ISO/IEC 27005
  • Domain 5: Information security risk communication, monitoring and improvement based on ISO/IEC 27005
Language(s): English and Portuguese (please consult BEHAVIOUR for availability on additional languages).
Duration: 2 hours.
Exam details: One part exam.
Results: “Pass or Fail” qualitative score. In the case of a failure, the result is accompanied by the list of domains in which the candidate scored below the passing grade. A candidate who fails the exam is entitled to one free retake within a 1-year period from the initial exam date.
Passing score: 700/1000 marks.
Exam type: Scenarios-based open questions.

Certification
After successfully completing the certification exam, participants may apply for one of the two available credentials for this personnel certification scheme, depending on their level of experience.
  • Certified Risk Management 27005 Associate Manager: no previous experience required.
  • Certified Risk Management 27005 Manager: 2 years of experience in information security risk management.
A certificate will be issued to participants who successfully pass the exam and comply with all the other requirements related to the selected credential. Candidates also receive the digital badge of the certification achieved.
The “Certified Risk Management 27005 Manager” personnel certification program is drafted and maintained according to the ISO/IEC 17024 standard.

Trainer
Our specialists are renowned consultants and auditors with several years of experience in implementation, auditing and training in the ISO 27000 family, with a particular focus on ISO 27001, ISO 27005, ISO 31000 and their associated standards.

General Information
  • Training delivered in Portuguese or English
  • Training materials online and in English, with online access, in accordance with the agreed conditions
  • Risk management methodologies
  • Behaviour digital Certificate of Attendance with 40 CPD/CPE credits
  • Online certification exam, in Portuguese or English. The exam may be taken up to 2 months from the course start date
  • If the candidate does not pass the exam, they are entitled to one free retake within a maximum period of 2 months from the date the initial exam result is released
  • Digital Certification Diploma and digital Certification Badge, after passing the exam and completing the application process. This registration has no associated cost

Benefits
  • ISO/IEC 27005 is a guidance and support standard to information security risk management.

  • ISO/IEC 27005 is not a certifiable standard for an organization; however, this standard was designed to assist the implementation of an information security risk management program, to enable organizations to manage risks that could compromise the organization's information security.

  • The Risk Management 27005 Risk Methodologies course bases its pedagogical model on a certification program based on the ISO/IEC 17024 standard, which defines the requirements for the certification of persons, fulfilling the recommendations of ISO.

  • The Risk Management 27005 Risk Methodologies course is oriented towards mastering the risk management elements related to all assets of relevance for information security, using the ISO/IEC 27005 standard as a reference framework. The course covers the fundamental concepts of information security risk management, and reference is made to the optimal approach to information security risk assessment and to the management of risks through their complete life cycle. This training fits perfectly within an ISO/IEC 27001 standard implementation process.

  • The Risk Management 27005 Risk Methodologies course includes the presentation and implementation of several well-known information security risk management methodologies.

  • The certification exam is monitored by an official Behaviour administrator.

  • The Certified Risk Management 27005 Manager certification exam is conducted at the end of the course, on the last day of training. It focuses on development questions and case studies, allowing the certifying entity to measure the candidates' knowledge more effectively. Note that this exam only covers the subjects related to ISO/IEC 27005.

  • Upon success in the exam, the professional obtains one of the Risk Management 27005 Manager certifications. In case of failure, the professional may repeat the exam at no additional cost within 1 year of the date of the first examination.

  • The Behaviour Pedagogical Model aims to provide a learning environment conducive to the acquisition of competences, in accordance with the objectives of each training program. By promoting interaction, participation and the appreciation of experience, we contribute to meaningful learning, certification and international recognition but, above all, to the development of critical thinking and autonomy.

  • Behaviour is an organization accredited by DGERT (Portuguese Government Entity). Behaviour has its Quality Management System (QMS) implemented in accordance with the requirements of ISO 9001, the requirements of DGERT, the requirements of the European standard NP 4512 and the standard ISO 10015.

Dates and Price

Guaranteed Dates Programme
(*) All dates for this course are guaranteed for events held in Lisbon. In other locations, events are subject to a minimum number of participants.
At Behaviour, all courses in Lisbon run regardless of the number of trainees in the room. The concept of forming classes does not exist in Behaviour's pedagogical model, which is why all public dates on the website are guaranteed. So, whether you are in Portugal or anywhere else in the world, you can plan your week and your trip, as long as you secure your enrolment in the course.

Volume Discounts
Behaviour grants discounts to companies depending on the total number of participants enrolled. Request a quote for the number of participants you intend to enrol at training@behaviour-group.com or talk to us via chat.

Hotels and Useful Information
Find out where you can stay in Lisbon, near Behaviour. See >>Where to Stay<<