ISO 27002 Lead Control Manager

The ISO 27002 Lead Control Manager Course enables professionals to design, operationalise, evidence, measure, test and improve information security controls based on ISO/IEC 27002, ensuring consistency in execution, evidence traceability and continuous audit readiness — including support for an ISO/IEC 27001 ISMS.

Upcoming dates

Confirmed dates.
Synchronous, live training. Interaction with the trainer and the group.

6 July 2026
Live Online • next edition
14 September 2026
Live Online • base price
Duration: 4 days / 40h
Language: available in Portuguese or English
Training: practical and case-study based
Exam: 3h
EXCELLENCE AND LEADERSHIP LEVEL — technical authority and leadership in governance.

Why this course exists

To transform defined controls into operational controls, with demonstrable evidence and effectiveness.

Many organisations have policies and controls “on paper”, but do not have an operational model: owners, routines, procedures, minimum evidence with acceptance criteria, metrics, exception management, effectiveness testing and continual improvement. The result is inconsistent execution, weak evidence, overloaded teams and recurring nonconformities.

The ISO 27002 Lead Control Manager Course develops the missing critical competence: governing the full control lifecycle, from design to testing, with a practical, systematic and results-oriented approach.

What this course enables you to do

Interpret

Analyse ISO/IEC 27002 with method: structure, logic for applying controls and practical use of attributes, including the relationship with ISO/IEC 27001 and the Statement of Applicability (SoA).

Operationalise

Convert controls into Control Profiles and define the Operating Model: owners, routines/runbooks, RACI, integration with ITSM, IAM, SDLC/DevOps, cloud and logging/monitoring.

Evidence

Build a robust Evidence Map: sources, acceptance criteria, validation, traceability, retention and continuous evidence, reducing pre-audit effort.

Test and improve

Define and apply a Control Test Plan and metrics (KPIs/KRIs and maturity), assessing design vs operating effectiveness and governing continual improvement through backlog and corrective actions.

Frameworks, standards and best practices addressed throughout the course

ISO/IEC 27002 — 93 controls + attributes
ISO/IEC 27001 — requirements + SoA
ISO/IEC 27004 — metrics
ISO/IEC 27005 — risk
ISO/IEC TS 27008 — technical assessment of controls
NIST SP 800-53 / 800-53A — reference, where applicable
NIST CSF / CIS Controls / SOC 2 / PCI DSS — articulation, where applicable

Value for the organisation

  • Executable controls: less “document”, more real operation — owners, routines and defined evidence.
  • Sustainable evidence: acceptance criteria and an Evidence Map reduce rework and weak evidence, such as screenshots with low probative value.
  • Continuous audit readiness: structured evidence and tests over time, avoiding pre-audit “rushes”.
  • Measurement and continual improvement: KPIs/KRIs, maturity, tested effectiveness and improvement backlog — controls do not “die” after implementation.
  • Acceleration of the ISMS / ISO 27001: directly strengthens the SoA, risk treatment and management review, improving results in internal and external audits.
  • Cross-functional capability: applicable to Security, IT, DevOps, Operations and Suppliers — where control execution actually happens.

Introduction

Most organisations do not fail because of a lack of policies. They fail because controls exist on paper, but not in operation.

The ISO 27002 Lead Control Manager course was designed to develop practical competence in information security control management based on ISO/IEC 27002, covering structure, application logic and operationalisation in real environments. It teaches how to transform controls into consistent execution, with owners, routines, evidence, metrics, effectiveness testing and continual improvement.

The participant learns how to design and manage a control portfolio of 93 controls with an operational model applicable to any organisation, articulating with ISO/IEC 27001 (SoA, control objectives and risk treatment) and strengthening control assessment and testing through good control assurance practices, including ISO/IEC TS 27008 and NIST SP 800-53/800-53A, where applicable.

The expected practical result of this ISO 27002 Lead Control Manager Course: executable controls, robust evidence, tested effectiveness and continual improvement, reducing pre-audit effort and dependence on tacit knowledge.

This Training Plan and all associated documents are protected by Copyright and registered as a literary work with IGAC.

General Objectives

At the end of this course, participants will be able to:

  • Interpret ISO/IEC 27002 and apply its structure, 93 controls, in an organisational context.
  • Design complete Control Profiles, including objective, scope, owners, routines/activities, evidence, frequency, acceptance criteria, metrics, tooling and exceptions.
  • Define and apply an Operating Model to govern controls over time, including responsibilities, routines, reporting and review.
  • Build a robust and sustainable Evidence Map, with acceptance criteria, validation, retention and evidence traceability.
  • Define metrics, including KPIs/KRIs, control objectives and simple maturity/performance models aligned with risk and priority.
  • Define and apply a Control Test Plan, distinguishing design effectiveness from operating effectiveness.
  • Integrate controls with operation, including ITSM, IAM, SDLC/DevOps, logging/monitoring and supplier management.
  • Manage exceptions and compensating controls with method, including approval, validity and revalidation, as well as deviations, corrective actions and continual improvement of the control portfolio.
  • Prepare to successfully take the applicable certification exam.

Target Audience

  • Information Security professionals, including GRC, SecOps, AppSec and CISO Office, who need operational, evidentiary and testable controls.
  • Control owners, including IT Ops, IAM, Infrastructure, Networks, Cloud, DevOps, Service Management and Data — where control execution actually happens.
  • Consultants, project managers and compliance teams involved in control programmes and/or ISMS initiatives, who need to transform requirements into execution and evidence.
  • Compliance and assurance teams, including internal audit, that wish to raise control assessment to a model based on evidence and tested effectiveness.
  • Professionals who have already completed ISO 27001 training, including Lead Implementer or Lead Auditor, and wish to master the “critical zone” between standard and execution, or work with ISO/IEC 27002 independently.
  • Professionals from any area with basic knowledge of IT, cybersecurity or information security, who wish to acquire practical competences.

Prerequisites

There are no mandatory formal prerequisites. However, familiarity with basic information security concepts and IT operations is recommended, including exposure to organisational contexts where controls, processes and evidence exist, or prior attendance of the ISO 27001 Foundation course.

In addition, other specific requirements may apply depending on the quotation or proposal presented. Please consult the applicable proposal.

Programme

Fundamentals and Control Engineering
  • Structure and application logic of ISO/IEC 27002, including the 93 controls, the 4 themes, and the attributes and their practical use.
  • Articulation with ISO/IEC 27001: SoA, control objectives and risk treatment, including control selection and justification.
  • Control Lifecycle: define → design → operate → evidence → test → improve.
  • Standardisation principles: baseline vs controlled variation and definition of owners/responsibilities.
Control Profiles and Operating Model
  • Complete Control Profiles: objective, scope, boundaries, acceptance criteria, owners and responsibilities (RACI).
  • Operating model: periodicity, routines/runbooks and integration with processes such as change, incidents, access and SDLC.
  • Operational integration: ITSM, IAM, cloud, logging/monitoring and suppliers.
  • Standardisation and exception management: baseline vs controlled variance and criteria for exceptions/compensating controls.
Evidence Engineering: Evidence Map and traceability
  • Evidence: minimum quality criteria and acceptance criteria — what proves what.
  • Evidence sources and management: logs, tickets, records, repositories and tools, including responsible parties, periodicity and validation.
  • Traceability and retention: integrity, retention and continuous evidence, reducing pre-audit effort.
  • ISO/IEC TS 27008: technical assessment approach applied to evidence quality and sufficiency, where applicable.
Metrics, effectiveness and control testing
  • Control measurement: KPIs/KRIs, maturity, thresholds and tolerances, including objectives and reporting.
  • Control effectiveness: design vs operating effectiveness — what to test and how to test.
  • Control Test Plan: approach, sampling, periodicity, minimum evidence and reporting.
  • Good assessment/testing practices to support measurement and validation of control effectiveness.
Integration, exceptions and continual improvement
  • Integration with an ISMS, where applicable: SoA, treatment plan and management review.
  • Exception management: criteria, approvals, compensating controls, validity and revalidation.
  • Findings, nonconformities, corrective actions and control improvement backlog, including review cycles.
  • Exam preparation and final consolidation.

Exam(s) and Certification

Exam “Certified Information Security ISO 27002 Lead Control Manager”

The exam covers the following competence domains:

  • Domain 1: ISO/IEC 27002 fundamentals and articulation with ISO/IEC 27001/SoA
  • Domain 2: Control design and standardisation (Control Profiles)
  • Domain 3: Operation and evidence (Evidence Map and criteria)
  • Domain 4: Measurement and effectiveness testing (KPIs/KRIs and Control Test Plan)
  • Domain 5: Exceptions, corrective actions and continual improvement of the control portfolio


Language(s): Portuguese and English. Please contact BEHAVIOUR for availability in other languages.
Duration: 3 hours.
Format: Development questions, including a case study, oriented towards control design, operationalisation, evidence, measurement and testing.
Pass mark: 700/1000 points.
Results: Pass or Fail.
Issuing entity: Behaviour (legal entity), through its certification service Behaviour Certification Services.
Retake: 1 free retake within a maximum period of 2 months after the date on which the exam result is made available.

Certification — levels and requirements

After successfully completing the exam and accepting or signing the applicable agreement and Code of Ethics, the candidate may apply for one of three levels, depending on experience:

  • Certified Information Security ISO 27002 Associate Control Manager: no mandatory previous experience required
  • Certified Information Security ISO 27002 Control Manager: 2 years of relevant professional experience
  • Certified Information Security ISO 27002 Lead Control Manager: 5 years of advanced experience and leadership/coordination roles


A Certificate and a Digital Certification Badge will be issued to participants who successfully complete the certification exam and satisfy all requirements of the certification for which they are applying. The certification is issued by Behaviour (legal entity), through its certification service Behaviour Certification Services.

This is a Behaviour® professional certification, a proprietary certification scheme with international market recognition. The scheme is designed and operated based on good practices for personal certification, principles of impartiality and exam quality, and applicable international references, including the principles of ISO/IEC 17024.

Certification programmes are valid only for individuals, not companies, and the award and maintenance of certification depend on the exam result, professional experience and compliance with the applicable agreement and Code of Ethics.

If the professional does not comply with the agreement or the Code of Ethics, the certification is not granted or is revoked.

Other Information

General Information
  • Training available in Portuguese or English.
  • Training materials available in Portuguese or English, with online access, in accordance with the awarded conditions.
  • Practical methodology oriented towards operational deliverables, including Control Profiles, Evidence Map, metrics and Test Plan.
  • Behaviour digital Training Attendance Certificate with 40 CPD/CPE credits.
  • Online Certification Exam, in Portuguese or English. The exam may be taken up to 2 months from the course start date.
  • If the candidate does not pass the exam, they are entitled to one free retake within a maximum period of 2 months from the release date of the initial exam result.
  • Digital Certification Diploma and Digital Certification Badge after passing the exam and completing the application process. This process has no associated cost.
Trainer(s)

Senior consultants and auditors, with proven experience in the implementation, operationalisation and assessment of information security controls in the context of ISO/IEC 27001/27002 ISMS and related good practices.

Benefits

  • Transforms ISO/IEC 27002 into consistent execution: owners, routines and sustainable evidence.
  • Reduces rework and pre-audit effort through acceptance criteria and continuous evidence.
  • Strengthens consistency and maturity in control management, with metrics and effectiveness testing, including design vs operation.
  • Develops internal capacity to govern exceptions, compensating controls and continual improvement of the control portfolio.
  • Directly supports an ISO/IEC 27001 ISMS, including SoA and audit readiness, and may be applied as an autonomous control discipline.
  • The certification exam is supervised by an official BEHAVIOUR administrator.
  • The certification exam is taken after the course and focuses on development questions, based on a case study.

Logistics

Useful information
  • Live Online (synchronous time): 09h30–13h00 and 14h00–17h30 (Lisbon time), with short breaks
  • Classroom (synchronous time): 09h30–13h00 and 14h00–17h30 (Lisbon time), with short breaks
  • 35 hours of synchronous training, distributed across 5 consecutive days
  • Estimated 5 hours of guided autonomous work, intended for content consolidation and production/finalisation of deliverables
  • Requirements: computer with stable internet, updated browser, PDF reader and audio/video
Hotels in Lisbon

Find out where you can stay in Lisbon, near Behaviour, for classroom training.

Frequently Asked Questions

Objective answers to the most common questions about the ISO 27002 Lead Control Manager course.

What is the difference between ISO/IEC 27001 and ISO/IEC 27002?

ISO/IEC 27001 defines requirements for an Information Security Management System (ISMS) and how to manage it, including governance, planning, operation, evaluation and improvement. ISO/IEC 27002 describes and guides the implementation of controls, the operational “how”, serving as a catalogue and practical guide for executing security in day-to-day activities.

Does ISO/IEC 27002 apply even without an ISO/IEC 27001 ISMS?

Yes. It can be applied as an autonomous control discipline, for example to increase security maturity, respond to customer requirements, prepare internal audits, strengthen supplier due diligence or structure a control programme even without a formal ISMS.

Do all 93 controls have to be implemented?

No. ISO/IEC 27002 does not assume full and undifferentiated implementation. Selection should be driven by context, risk, technical dependencies and business priorities. The focus is adequacy and effectiveness — not “checklist compliance”.

How does ISO/IEC 27002 articulate with cloud and SaaS, such as M365, AWS, Azure or Google Cloud?

The standard applies, but implementation changes: many controls become “shared” under shared responsibility between the organisation and the provider. The critical point is to translate controls into concrete responsibilities, including configuration, logging, identity management, hardening, retention, backup, monitoring and change management, and to ensure consistent evidence in hybrid and multi-cloud environments.

How is ISO/IEC 27002 applied in real life, day to day?

It is applied as an operational control system, not as documentation. In practice, each control is translated into: (1) responsible owner, (2) executable routine, what is done, when and with which tool, (3) minimum evidence with acceptance criteria, what proves that it was done and that it works, and (4) metric/alert to detect degradation.

Typical example: “access management” stops being only a policy and becomes a set of routines, including JML, MFA, periodic reviews, approval records, logs and exceptions, with consistent evidence and regular review — allowing the organisation to demonstrate that the control is “working” without pre-audit rushes.
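To make the four-part translation above concrete, the following added example (not part of the course materials or the Behaviour page) models one Control Profile for periodic access reviews and runs constructed evidence records through its acceptance criteria. ISO/IEC 27002 control 5.18 "Access rights" is assumed as the reference control; all field names, thresholds, system names and evidence values are this example's own inventions. It separates design effectiveness (is the control specified well enough to operate?) from operating effectiveness (does the evidence over the period satisfy the acceptance criteria?), and derives a KRI with a tolerance so that degradation is detected rather than discovered at audit time.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class ControlProfile:
    """Minimal Control Profile: owner, routine, periodicity, acceptance criterion, KRI tolerance."""
    control_id: str
    name: str
    owner: str
    routine: str                  # what is done, when and with which tool
    frequency_days: int           # evidence older than this is not accepted
    min_coverage: float           # acceptance criterion: share of accounts actually reviewed
    kri_tolerance: float          # alert when the share of systems with accepted evidence drops below this
    in_scope_systems: List[str] = field(default_factory=list)


@dataclass
class EvidenceRecord:
    """One access-review record as exported from a ticketing/IAM tool (constructed)."""
    system: str
    reviewer: str
    approver: Optional[str]
    completed_on: date
    accounts_reviewed: int
    accounts_total: int


def design_effective(profile: ControlProfile) -> List[str]:
    """Design effectiveness: returns the list of specification gaps (empty means the design is complete)."""
    gaps = []
    if not profile.owner:
        gaps.append("no owner")
    if not profile.routine:
        gaps.append("no executable routine")
    if profile.frequency_days <= 0:
        gaps.append("no periodicity")
    if not profile.in_scope_systems:
        gaps.append("no scope")
    if not 0 < profile.min_coverage <= 1:
        gaps.append("no acceptance criterion")
    return gaps


def accept_evidence(profile: ControlProfile, rec: EvidenceRecord, as_of: date) -> List[str]:
    """Applies the acceptance criteria to one record; returns rejection reasons (empty means accepted)."""
    reasons = []
    if rec.system not in profile.in_scope_systems:
        reasons.append("out of scope")
    if (as_of - rec.completed_on).days > profile.frequency_days:
        reasons.append("stale")
    if rec.approver is None:
        reasons.append("no approval")
    elif rec.approver == rec.reviewer:
        reasons.append("self-approved")          # segregation of duties: reviewer must not approve own review
    if rec.accounts_total == 0 or rec.accounts_reviewed / rec.accounts_total < profile.min_coverage:
        reasons.append("coverage below criterion")
    return reasons


def operating_effectiveness(profile: ControlProfile, records: List[EvidenceRecord], as_of: date) -> Dict:
    """Operating effectiveness: every in-scope system needs at least one accepted record; derives the KRI."""
    accepted = set()
    rejected: Dict[str, List[str]] = {}
    for rec in records:
        reasons = accept_evidence(profile, rec, as_of)
        if reasons:
            rejected.setdefault(rec.system, []).extend(reasons)
        else:
            accepted.add(rec.system)
    scope = set(profile.in_scope_systems)
    coverage = len(accepted & scope) / len(scope)
    return {
        "kri_coverage": coverage,
        "systems_without_evidence": sorted(scope - accepted),
        "rejected": rejected,
        "status": "operating" if coverage >= profile.kri_tolerance else "degraded",
    }


# Constructed sample profile and evidence (hypothetical systems and people).
SAMPLE_PROFILE = ControlProfile(
    control_id="5.18", name="Access rights - periodic review", owner="IAM Lead",
    routine="Quarterly review of privileged and standard accounts in the IAM tool, approved by system owner",
    frequency_days=90, min_coverage=0.95, kri_tolerance=0.9,
    in_scope_systems=["hr-app", "erp", "vpn", "ci-cd"],
)
AS_OF = date(2026, 6, 30)
SAMPLE_EVIDENCE = [
    EvidenceRecord("hr-app", "alice", "bob", date(2026, 6, 10), 120, 120),   # accepted
    EvidenceRecord("erp", "carol", "bob", date(2026, 6, 15), 80, 100),       # coverage 0.80 < 0.95
    EvidenceRecord("vpn", "alice", "erin", date(2026, 2, 1), 300, 300),      # older than 90 days
    EvidenceRecord("ci-cd", "dana", "dana", date(2026, 6, 20), 40, 40),      # reviewer approved own review
]

if __name__ == "__main__":
    print("design gaps:", design_effective(SAMPLE_PROFILE))
    print(operating_effectiveness(SAMPLE_PROFILE, SAMPLE_EVIDENCE, AS_OF))
```

Run as a script it reports no design gaps but a degraded operating status: only one of four systems has evidence that passes the criteria, so the KRI (0.25) is below the 0.9 tolerance and each rejected record carries the reason an auditor would otherwise find. The same structure extends to any control: swap the acceptance criteria in `accept_evidence` and the record fields for the evidence source the control actually produces.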

For general questions about registration, delivery modes, exams, certification and recertification, please consult the BEHAVIOUR® FAQs.

Registration

Complete the form to request your registration for the preferred edition. Check the upcoming dates.


Request more information

If you would like help to frame the course within your professional or organisational context, contact us and we will indicate the most suitable path.


Companies: request a proposal

For team registrations, we provide volume conditions and a proposal tailored to the organisational need.


This course may be attended by individual professionals. It may also be integrated into capacity-building pathways for teams responsible for the governance, management and monitoring of Information Security controls in an organisational context.