PECB PECB-820-1 ISO 27001 LI Exam Preparation Guide

EXAM PREPARATION GUIDE
Certified ISO/IEC 27001 Lead Implementer



The objective of the “Certified ISO/IEC 27001 Lead Implementer” examination is to ensure that the candidate has the knowledge and the skills to support an organization in implementing and managing an Information Security Management System (ISMS) based on ISO 27001.

The target population for this examination is:

- Project managers or consultants wanting to prepare and to support an organization in the implementation of an Information Security Management System (ISMS)
- ISO 27001 auditors who wish to fully understand the Information Security Management System implementation process
- Managers responsible for the IT governance of an enterprise and the management of its risks
- Members of an information security team
- Expert advisors in information technology
- Technical experts wanting to prepare for an information security function or for an ISMS project management function

The exam content covers the following domains:

Domain 1: Fundamental principles and concepts of information security (IS)
Domain 2: Information Security Control Best Practice based on ISO 27002
Domain 3: Planning an ISMS based on ISO 27001
Domain 4: Implementing an ISMS based on ISO 27001
Domain 5: Performance evaluation, monitoring and measurement of an ISMS based on ISO 27001
Domain 6: Continual improvement of an ISMS based on ISO 27001
Domain 7: Preparation for an ISMS certification audit


The content of the exam is divided as follows:

Domain 1: Fundamental principles and concepts in information security

Main objective: To ensure that the ISO 27001 Lead Implementer candidate can understand, interpret and illustrate the main information security concepts related to an Information Security Management System (ISMS)

Competencies

1. Understand and explain the operations of the ISO organization and the development of information security standards
2. Ability to identify, analyze and evaluate the information security compliance requirements for an organization
3. Ability to explain and illustrate the main concepts in information security and information security risk management
4. Ability to distinguish and explain the difference between information asset, data and record
5. Understand, interpret and illustrate the relationship between the concepts of asset, vulnerability, threat, impact and controls

Knowledge statements

1. Knowledge of the application of the eight ISO management principles to information security
2. Knowledge of the main standards in information security
3. Knowledge of the different sources of information security requirements for an organization: laws, regulations, international and industry standards, contracts, market practices, internal policies
4. Knowledge of the main information security concepts and terminology as described in ISO 27000
5. Knowledge of the concept of risk and its application in information security
6. Knowledge of the relationship between the concepts of asset, vulnerability, threat, impact and controls
7. Knowledge of the difference and characteristics of security objectives and controls
8. Knowledge of the difference between preventive, detective and corrective controls and their characteristics

Domain 2: Information Security Control Best Practice based on ISO 27002

Main objective: To ensure that the ISO 27001 Lead Implementer candidate can understand, interpret and provide guidance on how to implement and manage information security controls best practices based on ISO 27002

Competencies

1. Ability to identify, understand, classify and explain the 11 clauses, 39 security categories and 133 controls of ISO 27002
2. Ability to detail and illustrate the security controls best practices by concrete examples
3. Ability to compare possible solutions to a real security issue of an organization and identify/analyze the strengths and weaknesses of each solution
4. Ability to select and demonstrate the best security controls in order to address information security control objectives stated by the organization
5. Ability to create and justify a detailed action plan to implement a security control by listing the related activities
6. Ability to analyze, evaluate and validate action plans to implement a specific control

Knowledge statements

1. Knowledge of Information Security Policy Controls Best Practices
2. Knowledge of Organizing Information Security Controls Best Practices
3. Knowledge of Asset Management Controls Best Practices
4. Knowledge of Human Resources Security Controls Best Practices
5. Knowledge of Physical and Environmental Security Controls Best Practices
6. Knowledge of Communications and Operations Management Controls Best Practices
7. Knowledge of Access Control Controls Best Practices
8. Knowledge of Information Systems Acquisition, Development and Maintenance Controls Best Practices
9. Knowledge of Information Security Incident Management Controls Best Practices
10. Knowledge of Business Continuity Management Controls Best Practices
11. Knowledge of Compliance Controls Best Practices

Domain 3: Planning an ISMS based on ISO 27001

Main objective: To ensure that the ISO 27001 Lead Implementer candidate can plan the implementation of an ISMS in preparation for an ISO 27001 certification

Competencies

1. Ability to manage an ISMS implementation project following project management best practices
2. Ability to gather, analyze and interpret the necessary information to plan the ISMS implementation
3. Ability to observe, analyze and interpret the external and internal environment of an organization
4. Ability to perform a gap analysis and clarify the information security objectives of an organization
5. Ability to state and justify an ISMS scope adapted to the security objectives of a specific organization
6. Ability to select and justify the selected approach and methodology adapted to the needs of the organization
7. Ability to perform the different steps of the risk assessment and risk treatment phases
8. Ability to state and justify a Statement of Applicability for a specific organization

Knowledge statements

1. Knowledge of the main project management concepts, terminology, process and best practice as described in ISO 10006
2. Knowledge of the principal approaches and methodology frameworks to implement an ISMS
3. Knowledge of the main concepts and terminology related to organizations
4. Knowledge of an organization’s external and internal environment
5. Knowledge of the main interested parties related to an organization and their characteristics
6. Knowledge of techniques to gather information on an organization and to perform a gap analysis of a management system
7. Knowledge of the characteristics of an ISMS scope in terms of organizational, technological and physical boundaries
8. Knowledge of the different approaches and main methodology characteristics to perform a risk assessment
9. Knowledge of the main activities of the risk identification, estimation and evaluation related to the assets included in the ISMS of an organization
10. Knowledge of the main activities of the risk treatment related to the assets included in the ISMS of an organization
11. Knowledge of the characteristics of a statement of applicability


Domain 4: Implementing an ISMS based on ISO 27001

Main objective: To ensure that the ISO 27001 Lead Implementer candidate can implement the processes and security controls of an ISMS required for an ISO 27001 certification

Competencies

1. Ability to understand, analyze needs and provide guidance on the attribution of roles and responsibilities in the context of the implementation and management of an ISMS
2. Ability to define the document and record management processes needed to support the implementation and the operations of an ISMS
3. Ability to define and design security controls & processes and document them
4. Ability to define and write an ISMS policy and information security policies & procedures
5. Ability to implement the required processes and security controls of an ISMS
6. Ability to define and implement appropriate information security training, awareness and communication plans
7. Ability to define and implement an incident management process based on information security best practices
8. Ability to transfer an ISMS project to operations and manage the change management process

Knowledge statements

1. Knowledge of the roles and responsibilities of the key actors during the implementation of an ISMS and in its operation after the end of the implementation project
2. Knowledge of the main organizational structures applicable for an organization to manage information security
3. Knowledge of the best practices on document and record management processes and the document management life cycle
4. Knowledge of the characteristics and the differences between the different documents related to an ISMS: policy, procedure, guideline, standard, baseline, worksheet, etc.
5. Knowledge of controls and processes model-building techniques and best practices
6. Knowledge of controls and processes deployment techniques and best practices
7. Knowledge of techniques and best practices to write information security policies, procedures and other types of documents included in an ISMS
8. Knowledge of the characteristics and the best practices to implement information security training, awareness and communication plans
9. Knowledge of the characteristics and main processes of an information security incident management process based on best practices
10. Knowledge of change management techniques and best practices

Domain 5: Performance evaluation, monitoring and measurement of an ISMS based on ISO 27001

Main objective: To ensure that the ISO 27001 Lead Implementer candidate can evaluate, monitor and measure the performance of an ISMS in the context of an ISO 27001 certification

Competencies

1. Ability to monitor and evaluate the effectiveness of an ISMS in operation
2. Ability to verify the extent to which identified security requirements have been met
3. Ability to define and implement an internal audit program for ISO 27001
4. Ability to perform regular and methodical reviews regarding the suitability, adequacy, effectiveness and efficiency of an ISMS with policies and security objectives of an organization
5. Ability to define and implement a management review process and counsel management on it

Knowledge statements

1. Knowledge of the techniques and best practices to monitor the effectiveness of an ISMS
2. Knowledge of the main concepts and components related to an Information Security Measurement Programme: measures, attributes, indicators, dashboard, etc.
3. Knowledge of the characteristics and the differences between operational, tactical and strategic information security indicators and dashboards
4. Knowledge of the techniques and methods to define and document adequate and reliable indicators
5. Knowledge of the main concepts and components related to the implementation and operation of an ISMS internal audit program
6. Knowledge of the differences between the concepts of major nonconformity, minor nonconformity, anomaly and observation
7. Knowledge of the guidelines and best practices to write a nonconformity report
8. Knowledge of the best practices on how to perform management reviews

Domain 6: Continuous improvement of an ISMS based on ISO 27001

Main objective: To ensure that the ISO 27001 Lead Implementer candidate can provide guidance on the continuous improvement of an ISMS in the context of ISO 27001

Competencies

1. Ability to understand the principles and concepts related to continual improvement
2. Ability to counsel an organization on how to continually improve the effectiveness and the efficiency of an ISMS
3. Ability to implement ISMS continual improvement processes in an organization
4. Ability to determine the appropriate business improvement tools to support continual improvement processes of a specific organization
5. Ability to identify and analyze the root causes of nonconformities and propose action plans to treat them
6. Ability to identify and analyze the root causes of potential nonconformities and propose action plans to treat them

Knowledge statements

1. Knowledge of the main concepts related to continual improvement
2. Knowledge of the characteristics and the difference between the concepts of effectiveness and efficiency
3. Knowledge of the concept and techniques to perform benchmarking
4. Knowledge of the main processes, tools and techniques used by professionals to identify the root causes of nonconformities
5. Knowledge of the characteristics and the difference between corrective actions and preventive actions
6. Knowledge of the main processes, tools and techniques used by professionals to develop and propose the best corrective and preventive action plans

Domain 7: Preparation for an ISMS certification audit

Main objective: To ensure that the ISO 27001 Lead Implementer candidate can prepare and assist an organization for the certification of an ISMS against the ISO 27001 standard

Competencies

1. Ability to understand the main steps, processes and activities related to an ISO 27001 certification audit
2. Ability to understand, explain and illustrate the audit evidence approach in the context of an ISO 27001 audit
3. Ability to counsel an organization to identify and select a certification body that meets their needs
4. Ability to review the readiness of an organization for an ISO 27001 certification audit
5. Ability to coach and prepare the personnel of an organization for an ISO 27001 certification audit
6. Ability to argue and challenge the audit findings and conclusions with external auditors

Knowledge statements

1. Knowledge of the evidence-based approach in an audit
2. Knowledge of the different types of evidence: physical, mathematical, confirmative, technical, analytical, documentary and verbal
3. Knowledge of the difference between the stage 1 audit and the stage 2 audit
4. Knowledge of stage 1 audit requirements, steps and activities
5. Knowledge of the documentation review criteria
6. Knowledge of stage 2 audit requirements, steps and activities
7. Knowledge of follow-up audit requirements, steps and activities
8. Knowledge of surveillance audits and recertification audit requirements, steps and activities
9. Knowledge of the requirements, guidelines and best practices to develop action plans following an ISO 27001 certification audit


Based on these seven domains and their relevance, twelve questions are included on the exam, as summarized in the following table. For each content area (competence domain) the table gives the question number, the points per question, the level of understanding (cognitive/taxonomy) required (questions that measure Comprehension, Application and Analysis, or questions that measure Synthesis and Evaluation), the number of questions per content area and the % of the test devoted to each content area.

Content area / competence domains, question numbers and points:

- Fundamental principles and concepts of IS, and IS Control Best Practice based on ISO 27002: questions 1 (5 points), 2 (5 points), 3 (5 points) and 4 (10 points); 4 questions, 33.33% of the test
- Planning an ISMS based on ISO 27001: question 5 (5 points); 1 question, 8.33% of the test
- Implementing an ISMS based on ISO 27001; Performance evaluation, monitoring and measurement of an ISMS based on ISO 27001; Continual improvement of an ISMS based on ISO 27001; Preparation for an ISMS certification audit: questions 6 (10 points), 7 (5 points), 8 (5 points), 9 (5 points), 10 (10 points), 11 (5 points) and 12 (5 points); 7 questions, 58.33% of the test
- Total: 75 points, 12 questions, 100% of the test

Number of questions and % of the test devoted to each level of understanding (cognitive/taxonomy):

- Questions that measure Comprehension, Application and Analysis: 5 questions, 41.67%
- Questions that measure Synthesis and Evaluation: 7 questions, 58.33%


The passing score is established at 70%.

After successfully passing the exam, candidates will be able to apply for the credentials of Certified ISO/IEC 27001 Provisional Implementer, Certified ISO/IEC 27001 Implementer or Certified ISO/IEC 27001 Lead Implementer, depending on their level of experience.

TAKE A CERTIFICATION EXAM

Candidates will be required to arrive at least thirty (30) minutes before the beginning of the certification exam. Candidates arriving late will not be given additional time to compensate for the late arrival and may be denied entry to the exam room (if they arrive more than 5 minutes after the scheduled beginning of the exam).

All candidates will need to present to the proctor a valid identity card with a picture, such as a driver’s license or a government ID, and the exam confirmation letter.

The exam duration is three (3) hours.

Thirty (30) minutes of additional time can be provided to candidates taking the exam in a language different from their mother tongue, when requested by the candidates on the exam day.

The questions are essay type questions. This format was chosen because the intent is to determine whether an examinee can write a clear, coherent answer/argument and to assess problem solving techniques. Because of this particularity, the exam is set to be “open book” and does not measure the recall of data or information. The examination evaluates, instead, comprehension, application, analysis, synthesis and evaluation, which means that even if the answer is in the course material, candidates will have to justify and give explanations, to show they really understood the concepts. At the end of this document, you will find sample exam questions and their possible answers.

As the exams are “open book”, candidates are authorized to use the following reference materials:

- A copy of the ISO 27001 standard,
- Course notes from the Participant Handout,
- Any personal notes made by the student during the course and
- A hard copy dictionary.

The use of electronic devices, such as laptops, cell phones, etc., is not allowed.


RECEIVE YOUR EXAM RESULTS

Results will be communicated by email within 4 to 8 weeks after taking the exam. The results will not include the exact grade the candidate obtained, only a mention of pass or fail.

Candidates who successfully complete the examination will be able to apply for a certification scheme.

In the case of a failure, the results will be accompanied by the list of domains in which the candidate had a low grade, to provide guidance for exam retake preparation.

Candidates who disagree with the exam results may file a complaint. For more information,please refer to www.pecb.org

EXAM RETAKE POLICY

There is no limit on the number of times a candidate may retake an exam. A retake fee applies.

Only students who have completed the full training but fail the written exam are eligible to retake the exam for free, under one condition:

“A student can only retake an exam once and this retake must occur within 12 months from the initial exam’s date.”

According to our training provider agreement, students who have completed the full training and who wish to prepare to retake an exam may attend, for free, an entire training or part of a training, depending on the students’ needs. Certain fees could apply, for meals, training materials or other related expenses. Students who are interested in this preparation need to contact the training provider.

EXAMINATION SECURITY

A significant component of a successful and respected professional certification credential is maintaining the security and confidentiality of the examination. PECB relies upon the ethical behaviour of certificate holders and applicants to maintain the security and confidentiality of PECB examinations. When someone who holds PECB credentials reveals information about PECB examination content, they violate the PECB Code of Ethics. PECB will take action against individuals who violate PECB Policies and the Code of Ethics. Actions taken may include permanently barring individuals from pursuing PECB credentials and revoking certifications from those who have been awarded the credential. PECB will also pursue legal action against individuals or organizations who infringe upon its copyrights, proprietary rights, and intellectual property.


SAMPLE EXAM QUESTIONS AND POSSIBLE ANSWERS

1. Security controls

For each of the following clauses of the ISO 27001 standard, please provide an action plan with at least two concrete actions that would be acceptable to ensure conformity to the clause and satisfy the control objectives.

- Determining the necessary competencies for personnel performing work affecting the ISMS (Clause 5.2.2 a)

Possible answers:

- Determine the qualifications necessary for the operation of each security control included in the ISMS.
- Describe the necessary qualifications for each position occupied by the personnel related to ISMS operations.

2. Development of information security indicators

For each of the following clauses of the ISO 27001 standard, please provide two examples of metrics that would be acceptable to measure the conformity to the clause.

- Corrective action (Clause 8.2)

Possible answers:

- Number of corrective actions implemented in the last year.
- % of corrective action requests being processed within three months.
- Average delay in days to resolve a non-compliance.
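Indicators such as the three above are only meaningful if each reporting period computes them the same way, which is the point of the Domain 5 knowledge statements on measures, attributes, indicators and dashboards. The Python below is an added example, not part of the PECB guide or its course material: it computes those three metrics over a constructed corrective-action log. The record layout, the reading of "three months" as 90 calendar days, and the rule that an action still open past its window counts against the percentage are all assumptions made here, not definitions from the guide.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class CorrectiveAction:
    """One entry of a corrective action log (constructed layout; an assumption of this example)."""
    ca_id: str
    opened: date
    closed: Optional[date]  # None while the corrective action is still open


# Constructed sample log; these are not figures from the guide.
SAMPLE_LOG: List[CorrectiveAction] = [
    CorrectiveAction("CA-01", date(2023, 1, 10), date(2023, 2, 20)),  # closed after 41 days
    CorrectiveAction("CA-02", date(2023, 3, 5), date(2023, 7, 15)),   # closed after 132 days
    CorrectiveAction("CA-03", date(2023, 6, 1), date(2023, 6, 30)),   # closed after 29 days
    CorrectiveAction("CA-04", date(2023, 9, 12), None),               # still open
    CorrectiveAction("CA-05", date(2022, 11, 1), date(2022, 12, 1)),  # closed after 30 days, previous year
]

# "Three months" in the metric is read here as 90 calendar days (assumption).
THREE_MONTHS_DAYS = 90


def implemented_in_year(log: List[CorrectiveAction], year: int) -> int:
    """Metric 1: number of corrective actions implemented (closed) during `year`."""
    return sum(1 for ca in log if ca.closed is not None and ca.closed.year == year)


def pct_processed_within(log: List[CorrectiveAction], days: int, as_of: date) -> float:
    """Metric 2: % of corrective action requests processed within `days`.

    A still-open action that is already older than `days` on `as_of` counts as
    NOT processed in time, so a growing backlog lowers the figure instead of
    being ignored. Open actions still inside their window are left out of the
    denominator because their outcome is not yet known.
    """
    within = 0
    counted = 0
    for ca in log:
        if ca.closed is not None:
            counted += 1
            if (ca.closed - ca.opened).days <= days:
                within += 1
        elif (as_of - ca.opened).days > days:
            counted += 1  # overdue and still open: processed late by definition
    return round(100.0 * within / counted, 1) if counted else 0.0


def average_resolution_days(log: List[CorrectiveAction]) -> float:
    """Metric 3: average delay in days to resolve a non-compliance (closed actions only)."""
    durations = [(ca.closed - ca.opened).days for ca in log if ca.closed is not None]
    return round(sum(durations) / len(durations), 1) if durations else 0.0


def sample_indicators():
    """The three indicators for the constructed log, reported as of 2023-12-31."""
    as_of = date(2023, 12, 31)
    return (
        implemented_in_year(SAMPLE_LOG, 2023),
        pct_processed_within(SAMPLE_LOG, THREE_MONTHS_DAYS, as_of),
        average_resolution_days(SAMPLE_LOG),
    )


if __name__ == "__main__":
    implemented, pct, avg_days = sample_indicators()
    print(f"Corrective actions implemented in 2023: {implemented}")
    print(f"% processed within {THREE_MONTHS_DAYS} days: {pct}")
    print(f"Average resolution delay (days): {avg_days}")
```

Whoever defines the indicator has to record choices like the 90-day window and the handling of open actions next to the metric itself; otherwise two management reviews can report different numbers from the same log and neither is auditable.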

3. Selection of controls

For each risk identified, provide the appropriate controls (by providing the clause number of the control) which allow the risk to be reduced, transferred or avoided.

Possible answers:

Statement: The former vice-president of Accounting is hired by a competitor
Vulnerabilities: Lack of an end-of-contract management process; the former VP has knowledge of sensitive data (payroll, financial results, etc.)
Threats: Revealing confidential data to a rival company
C I A: x (confidentiality)
Potential impacts: Loss of customers
Controls: A.6.1.5, A.8.1.3, A.8.3.1, A.8.3.2, A.8.3.3


4. Classification of controls

For each of the following 5 controls, indicate if it is used as a preventive, corrective and/or detective control, and indicate if the control is an administrative, technical, managerial or legal measure. Explain your answer.

- Encryption of electronic communications

Possible answers:

- Preventive control: prevents unauthorized people from reading messages
- Technical (could be legal) measure: encryption is a technical solution to ensure information confidentiality (could be a legal requirement)

5. Recommendations

The management of the organization would like to receive recommendations from you to improve the processes in place to comply with the requirements of ISO 27001 on change management.

Possible answers:

1. Document and implement formal change control procedures (documentation, specification, testing, quality control and implementation).
2. This process should provide a risk assessment, an impact analysis of the change and a specification of the required security controls.
3. Maintain a change log with records of the approvals.
4. Communicate the new process and organize training sessions.