The ISO 27005 Risk Methodologies course deepens information security risk management methodologies in the context of ISO/IEC 27005, clarifying approaches, techniques and risk assessment criteria. The training supports the consistent selection and application of risk methodologies in alignment with information security management systems.
Synchronous, live training. Interaction with the trainer and the group.
Language: available in Portuguese or English
Training: practical and case-study based
Exam: 2h
PROFESSIONAL LEVEL — practical application of methods in a professional context.
Why this course exists
To enable the consistent selection and application of information security risk management methodologies supported by ISO/IEC 27005.
Many organisations apply risk management using inconsistent approaches, unclear criteria and methodologies that are not properly aligned with the ISMS.
This course establishes a practical basis to assess, treat and communicate information security risk, and to select and operationalise recognised methodologies, such as NIST, OCTAVE, MAGERIT and EBIOS, while maintaining alignment with ISO/IEC 27005 and the ISO/IEC 27000 family.
What this course enables you to do
Understand
Understand ISO/IEC 27005 and the essential concepts of information security risk management, including criteria, scales and risk tolerance.
Implement methodologically
Apply a practical, step-by-step methodology to establish and operate an Information Security Risk Management (ISRM) programme supported by ISO/IEC 27005.
Select methodologies
Compare and select risk methodologies, such as NIST SP 800-30r1, MSRMG, OCTAVE, MAGERIT and EBIOS, with an overview of MEHARI, FAIR and M_o_R, and apply them to the organisational context.
Integrate with the ISMS
Integrate risk management with an ISMS based on ISO/IEC 27001, reinforcing coherence between risk, controls and evidence.
Frameworks, standards and best practices addressed throughout the course
ISO/IEC 27001 — integration with ISMS
ISO/IEC 27002 — control selection
ISO 31000 — risk management principles
NIST SP 800-30r1
MSRMG
OCTAVE
MAGERIT
EBIOS
MEHARI — overview
FAIR — overview
M_o_R — overview
Value for the organisation
- Establishes an information security risk programme supported by a standard and clear operational criteria.
- Reduces variability in risk assessment through common language, scales and criteria, increasing consistency and traceability.
- Strengthens the alignment between risk, controls and ISMS requirements, supporting decisions and evidence.
- Facilitates the selection of methodologies suited to the context, avoiding approaches chosen by habit or not aligned with the objective.
Introduction
The ISO 27005 Risk Methodologies course follows a practical approach supported by a case study, enabling participants to apply the concepts of ISO/IEC 27005 in a real scenario.
Based on a practical methodology developed by Behaviour, this course prepares participants to implement and operate an Information Security Risk Management (ISRM) programme, either as a standalone programme or in support of the implementation and operationalisation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001.
The second part of the course includes the presentation and implementation of recognised methodologies in the market, considering the available case study: NIST SP 800-30r1, MSRMG, OCTAVE, MAGERIT, EBIOS, and a high-level presentation of MEHARI, FAIR and M_o_R.
This Training Plan and all associated documents are protected by Copyright and registered as a literary work with IGAC.
General Objectives
At the end of this course, participants will be able to:
- Acquire fundamental knowledge of information security risk management concepts, standards, frameworks and methods.
- Understand ISO/IEC 27005 and apply its guidance to support an Information Security Risk Management (ISRM) programme.
- Use ISO/IEC 27005 to support the implementation and operation of an ISMS based on ISO/IEC 27001.
- Define and adapt a risk management plan, including criteria, scales, treatment, acceptance and monitoring, aligned with ISO/IEC 27005 and ISO 31000.
- Select and implement recognised methodologies, including NIST SP 800-30r1, MSRMG, OCTAVE, MAGERIT and EBIOS, with an overview of MEHARI, FAIR and M_o_R, based on the organisational context.
- Possess the knowledge required to successfully take the Certified Risk Management 27005 Manager certification exam.
Target Audience
- Consultants, auditors, managers or professionals in information security and/or IT risk.
- CISOs, CIOs, CSOs and senior executives or managers responsible for ensuring alignment and value delivery from information security risk management.
- Professionals responsible for Information Security and/or IT Governance in the organisation.
- IT, security, risk, business or other professionals involved in establishing, implementing, operating and/or continuously improving an ISRM programme.
- Anyone wishing to learn the fundamentals of ISO/IEC 27005 and acquire skills to implement an ISRM programme.
Prerequisites
There are no mandatory formal prerequisites. However, course documentation may be available in English, so understanding English is recommended. Other specific requirements may apply, where relevant, depending on the quotation or proposal presented. Please consult the proposal.
Programme
Introduction and framing of the risk management programme — ISRM
- Introduction to the course and case study
- Information security risk fundamentals
- Relevant standards, legislation, regulations and requirements
- Overview of ISO/IEC 27005 and related standards
- Planning and implementation of an ISRM programme
- Establishing context, criteria and scales
Risk assessment, treatment and acceptance — ISO/IEC 27005
- Risk identification
- Risk analysis: quantitative and qualitative approaches
- Risk evaluation
- Risk treatment: options, control selection and treatment plan
- Residual risk and acceptance
- Communication and consultation
- Monitoring and review
Recognised methodologies: NIST SP 800-30r1 and MSRMG
- Presentation and implementation of the NIST SP 800-30r1 method
- Presentation and implementation of the MSRMG method
Recognised methodologies: OCTAVE and MAGERIT
- Presentation and implementation of the OCTAVE method
- Presentation and implementation of the MAGERIT method
Recognised methodologies: EBIOS and others — overview
- Presentation and implementation of the EBIOS method
- Overview: MEHARI
- Overview: FAIR
- Overview: M_o_R
- Closing and exam preparation
Exam(s) and Certification
Exam “Certified Risk Management 27005 Manager”
The exam covers the following competence domains:
- Domain 1: Information security risk management fundamentals and ISO/IEC 27005 guidance
- Domain 2: ISRM programme based on ISO/IEC 27005
- Domain 3: Risk assessment based on ISO/IEC 27005
- Domain 4: Risk treatment and acceptance based on ISO/IEC 27005
- Domain 5: Risk communication, monitoring and improvement
Language(s): Portuguese and English.
Duration: 2 hours.
Format: Open questions based on scenarios.
Number of questions: 40 questions.
Pass mark: 700/1000 points.
Results: Pass or Fail.
Issuing entity: Behaviour (legal entity), through its certification service Behaviour Certification Services.
Retake: 1 free retake within a maximum period of 2 months after the result of the initial exam.
Certification
After successfully completing the exam and accepting or signing the applicable agreement and Code of Ethics, the candidate may apply for one of two levels, according to experience:
- Certified Risk Management 27005 Associate Manager — no previous professional experience is required.
- Certified Risk Management 27005 Manager — 2 years of experience in information security risk management.
A Certificate and a Digital Certification Badge will be issued to participants who successfully complete the certification exam and satisfy all requirements of the certification for which they are applying. The certification is issued by Behaviour (legal entity), through its certification service Behaviour Certification Services.
The Behaviour® professional certification is Behaviour's own scheme, with international recognition in the market. The scheme is designed and operated based on best practices for the certification of persons, principles of impartiality and examination quality, and applicable international references, including the principles of ISO/IEC 17024.
Certification programmes are valid only for individuals, and the award and maintenance of certification depend on the exam result, professional experience and compliance with the applicable agreement and Code of Ethics.
If the professional does not comply with the agreement or the Code of Ethics, the certification is not granted or is revoked.
Other Information
General Information
- Training available in Portuguese or English.
- Training materials with online access, typically in English, in accordance with the awarded conditions.
- Behaviour digital Training Attendance Certificate with 40 CPD/CPE credits.
- Online Certification Exam, in Portuguese or English. The exam may be taken up to 2 months from the course start date.
- If the candidate does not pass the exam, they may be entitled to one free retake, in accordance with the exam rules.
- Digital Certification Diploma and Digital Certification Badge after passing the exam and completing the application process.
Trainer(s)
The trainers are consultants and auditors with experience in implementation, auditing and training in the ISO/IEC 27000 family, with particular focus on ISO/IEC 27005, ISO/IEC 27001 and ISO 31000, and recognised risk methodologies.
Benefits
- ISO/IEC 27005 is a guidance standard for information security risk management, supporting consistent risk programmes that can be integrated with an ISMS.
- The course provides a practical methodology to implement and operate an ISRM programme, with a case study and applied exercises.
- It includes the presentation and implementation of recognised risk methodologies, such as NIST SP 800-30r1, MSRMG, OCTAVE, MAGERIT and EBIOS, and an overview of MEHARI, FAIR and M_o_R.
- The programme is based on a personal certification model aligned with ISO/IEC 17024.
- The exam is supervised by an official BEHAVIOUR administrator.
Logistics
Useful information
- Live Online (synchronous time): 09h30–13h00 and 14h00–17h30 (Lisbon time), with short breaks
- Classroom (synchronous time): 09h30–13h00 and 14h00–17h30 (Lisbon time), with short breaks
- 5 days of synchronous training — real-time course
- Requirements: computer with stable internet, updated browser, PDF reader and audio/video
Frequently Asked Questions
Objective answers to the most common questions about the ISO 27005 Risk Methodologies course.
Do I need to have completed the ISO 27005 Risk Manager course before?
No. The knowledge from the previous Risk Management 27005 Manager course is included in this course, so it is neither a prerequisite nor a mandatory path to attend ISO 27005 Risk Methodologies.
Is this course practical?
Yes. It includes a case study, exercises and the application of recognised methodologies, such as NIST, OCTAVE, MAGERIT and EBIOS, with guidance for consistent selection and implementation in the organisational context.
Are the materials available in Portuguese?
The training may be delivered in Portuguese or English. Depending on the awarded conditions, documentation and resources may be in Portuguese or English. Please contact Behaviour for confirmation.
Is ISO/IEC 27005 a certifiable standard for organisations?
No. ISO/IEC 27005 is a guidance standard for information security risk management. It is frequently used to support risk programmes and to link risk management to an ISMS based on ISO/IEC 27001.
Is this course suitable to support an ISMS based on ISO/IEC 27001?
Yes. The course was designed so that risk management based on ISO/IEC 27005 can be applied either as a standalone programme or in support of the implementation and operation of an ISMS based on ISO/IEC 27001.
For general questions about registration, delivery modes, exams, certification and recertification, please consult the BEHAVIOUR® FAQs.
Registration
Complete the form to request your registration for the preferred edition. Check the upcoming dates.
Request more information
If you would like help to frame the course within your professional or organisational context, contact us and we will indicate the most suitable path.
Companies: request a proposal
For team registrations, we provide volume conditions and a proposal tailored to the organisational need.
This course may be attended by individual professionals. It may also be integrated into capability-building paths for teams responsible for applying risk management methodologies in Information Security.