ISO 27005:2018 Risk Manager training, preparation for certification (risk analysis)

  • Understand the concept of information security risk
  • Use ISO 27005: 2018 for risk analysis
  • Know other methods (EBIOS RM, MEHARI)
  • Make a rational choice of risk analysis method.

CISO or Security correspondents, security architects, IT directors or managers, engineers, project managers (MOE, MOA) who must integrate security requirements.

Good knowledge of IS security and the 27005 standard.

3 days.

Practical exercises and demonstrations will allow you to put into practice the theoretical concepts presented.

“Distance” sessions are delivered over a videoconferencing tool such as Teams or Zoom, depending on the case, which lets the trainer adapt the teaching methods.
Find all the details about distance sessions and virtual classes on our website.

  • Introduction
  • ISO 27000 terminology.
  • Definitions of threat, vulnerability and risk.
  • Availability, Integrity and Confidentiality requirements, including traceability / proof.
  • Reminder of regulatory and normative constraints (RGPD, LPM / NIS, PCI DSS …).
  • The role of the RSSI (CISO) versus the Risk Manager.
  • The ISO 31000 standard: the value of this umbrella standard as a universal reference.
  • The concept of “risk”
  • Identification and classification of risks.
  • Operational, physical and logical risks.
  • The consequences of risk (financial, legal, human …).
  • Risk management (prevention, protection, risk avoidance, transfer).
  • Insurability of a risk, financial calculation of the transfer to insurance.
  • Risk management according to ISO
  • The initial assessment in the Plan phase (Clause 6: Planning).
  • The 27005: 2018 standard: Information Security Risk Management.
  • The implementation of a PDCA risk management process.
  • The context, assessment, treatment, acceptance and review of risks.
  • The stages of risk analysis (identification, analysis and evaluation).
  • Preparation of the declaration of applicability (SoA) and the action plan.
  • Risk sharing with third parties (cloud, insurance, etc.); Domain 15 of ISO 27002.
  • The 27001: 2013 method and its “Risk Management” process.


  • Risk analysis methods
  • Compliance approach vs risk scenario approach.
  • Taking into account sophisticated intentional threats of the APT type.
  • The objectives of EBIOS RM (identify the security baseline, achieve compliance, identify and analyze, etc.).
  • The activities of the method.
  • CRAMM, OCTAVE and others: history and the methods used in the rest of the world.
  • MEHARI methods (2010, PRO and Manager).
  • Conclusion and choice of a method
  • Convergence towards ISO, the necessary update.
  • To be or not to be “ISO spirit”: the constraints of the PDCA model.
  • One global method or one method per project.
  • The real cost of a risk analysis.
  • How to choose the best method?
  • Knowledge bases (threats, risks …).