Coming Soon
Expected availability date to be announced.

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.


CT ISO 27001

The course teaches employees the core components of ISO 27001, including ISMS fundamentals, risk assessment, Annex A controls, access control, classification, incident management, and business continuity, enabling them to support and maintain compliance.

Who Should Take This

This course is intended for staff at all levels who handle or support information assets in organizations pursuing or maintaining ISO 27001 certification. Typical learners include IT personnel, business managers, and administrative staff who need to understand their security responsibilities and how to follow established procedures.

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
20 Activity Formats

Course Outline

60 learning goals
1 ISMS Fundamentals
3 topics

Information security principles and ISMS purpose

  • Define the three pillars of information security — confidentiality, integrity, and availability (CIA triad) — and provide workplace examples demonstrating each principle.
  • Explain the purpose of an Information Security Management System (ISMS) and describe how it provides a systematic approach to managing sensitive information through people, processes, and technology.
  • Describe the scope of ISO 27001:2022 including its applicability to organizations of all sizes and sectors, and its focus on establishing, implementing, maintaining, and continually improving an ISMS.

Plan-Do-Check-Act cycle

  • Identify the four phases of the PDCA cycle (Plan, Do, Check, Act) and describe the activities performed in each phase within the context of ISMS management.
  • Explain how the PDCA cycle drives continual improvement of the ISMS by identifying nonconformities, implementing corrective actions, and updating controls based on changing threats and business needs.
  • Describe the role of management review in the PDCA cycle, including reviewing audit results, incident trends, risk assessment updates, and improvement opportunities.

ISMS documentation and policies

  • Identify the mandatory documented information required by ISO 27001 including the ISMS scope, information security policy, risk assessment methodology, Statement of Applicability (SoA), and risk treatment plan.
  • Explain the purpose of the Statement of Applicability (SoA) and describe how it lists the Annex A controls the organization has determined to be necessary, records whether each is implemented, and justifies both the inclusions and any exclusions.
2 Risk Assessment and Treatment
2 topics

Risk assessment methodology

  • Define key risk management terms: asset, threat, vulnerability, likelihood, impact, risk level, risk appetite, and risk owner, and explain their relationships in a risk assessment.
  • Describe the risk assessment process including asset identification, threat and vulnerability identification, likelihood and impact evaluation, and risk prioritization.
  • Explain the four risk treatment options — mitigate (reduce), accept (retain), transfer (share), and avoid (eliminate) — and describe when each option is appropriate.
  • Analyze a workplace information security scenario to identify assets at risk, applicable threats and vulnerabilities, and recommend an appropriate risk treatment option.

Risk ownership and monitoring

  • Explain the concept of risk ownership and describe the risk owner's responsibilities for monitoring, reviewing, and ensuring treatment of assigned risks.
  • Describe how employees contribute to risk monitoring by identifying new threats, reporting security events, and notifying risk owners of changing circumstances.
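
The risk assessment and treatment steps above, and the risk-owner assignment, worked through as a small Python risk register. This is an added illustration, not course material: the 5x5 likelihood and impact scale, the appetite threshold of 6, the treatment-selection rules, and every asset, score and owner in the sample register are assumptions standing in for an organization's own documented methodology.

```python
"""Worked risk register: score, prioritise and choose a treatment for each risk.

Added example, not part of the course. The 5x5 scale, the appetite threshold
and the treatment rules are assumptions, not ISO 27001 requirements.
"""
from dataclasses import dataclass

SCALE = range(1, 6)   # assumed: likelihood and impact each scored 1 (lowest) to 5 (highest)
APPETITE = 6          # assumed: a risk level at or below this is within appetite


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    owner: str                         # risk owner accountable for treatment and monitoring
    control_available: bool = True     # a control exists that would reduce likelihood or impact
    can_discontinue: bool = False      # the activity that creates the risk could be stopped
    shareable: bool = False            # the risk could be insured or passed to a supplier

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be scored 1..5")

    @property
    def level(self) -> int:
        """Risk level = likelihood x impact on the assumed 5x5 matrix (1..25)."""
        return self.likelihood * self.impact


def recommend_treatment(risk: Risk, appetite: int = APPETITE) -> str:
    """Return accept, avoid, mitigate or transfer using assumed decision rules.

    accept   - already within appetite: retain it and keep monitoring
    avoid    - very high risk on an activity that can simply be stopped
    mitigate - a control exists that can bring the level down
    transfer - no practical control, but the risk can be shared (insurance, outsourcing)
    avoid    - none of the above: the activity is not defensible as it stands
    """
    if risk.level <= appetite:
        return "accept"
    if risk.can_discontinue and risk.level >= 20:
        return "avoid"
    if risk.control_available:
        return "mitigate"
    if risk.shareable:
        return "transfer"
    return "avoid"


def prioritise(register: list[Risk]) -> list[Risk]:
    """Order for treatment: highest level first, worst impact breaking ties."""
    return sorted(register, key=lambda r: (r.level, r.impact), reverse=True)


def treatment_plan(register: list[Risk], appetite: int = APPETITE) -> list[dict]:
    """Rows of the risk treatment plan: asset, level, chosen option and accountable owner."""
    return [
        {"asset": r.asset, "level": r.level, "treatment": recommend_treatment(r, appetite), "owner": r.owner}
        for r in prioritise(register)
    ]


def residual_within_appetite(risk: Risk, new_likelihood: int, new_impact: int,
                             appetite: int = APPETITE) -> bool:
    """Re-score after a planned control: the residual risk must also be compared to appetite."""
    residual = Risk(risk.asset, risk.threat, risk.vulnerability, new_likelihood, new_impact, risk.owner)
    return residual.level <= appetite


# Constructed sample register (hypothetical assets, owners and scores).
SAMPLE_REGISTER = [
    Risk("Customer database", "External attacker", "Internet-facing admin portal without MFA", 4, 5, "Head of IT"),
    Risk("Laptop fleet", "Theft or loss", "Disks not encrypted", 3, 4, "IT Operations Manager"),
    Risk("Printer job logs", "Disclosure of document titles", "Logs kept 30 days", 2, 1, "Facilities Manager"),
    Risk("Legacy FTP file drop", "Credential sniffing", "Cleartext protocol", 5, 4, "Head of IT",
         control_available=False, can_discontinue=True),
    Risk("Payroll provider", "Provider outage", "Single supplier, no fallback", 2, 4, "HR Director",
         control_available=False, shareable=True),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_REGISTER):
        print(f'{row["level"]:>2}  {row["treatment"]:<8}  {row["asset"]:<22}  owner: {row["owner"]}')
```

Running it prints the plan in priority order: the two level-20 risks first (the admin portal gets a control, the FTP drop is simply switched off), the payroll dependency is transferred, and the printer logs are accepted. A mitigation is only adequate once residual_within_appetite confirms the re-scored risk sits within appetite, and the owner column is who has to sign that off and keep watching it.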
3 Annex A Controls Overview
4 topics

Organizational controls

  • Identify key organizational controls in Annex A including information security policies, roles and responsibilities, segregation of duties, contact with authorities, and threat intelligence.
  • Describe how organizational controls for information classification, acceptable use, and return of assets apply to everyday employee activities.

People controls

  • Identify people controls in Annex A including screening, terms and conditions of employment, awareness and training, disciplinary process, responsibilities after termination, and remote working.
  • Explain employee security awareness and training obligations including participating in security training programs, acknowledging policies, and maintaining competence in assigned security responsibilities.

Physical controls

  • Identify physical controls in Annex A including physical security perimeters, physical entry controls, securing offices and facilities, clear desk and clear screen policies, and equipment protection.
  • Describe employee responsibilities for physical security including badge access procedures, visitor management, securing workstations, and protecting portable equipment and storage media.
  • Explain the clear desk and clear screen policies, including requirements to secure sensitive documents, lock screens when unattended, and prevent unauthorized visual access to confidential information.

Technological controls

  • Identify key technological controls in Annex A including user endpoint devices, privileged access rights, information access restriction, secure authentication, malware protection, and data masking.
  • Describe employee obligations for technological controls including password management, software installation restrictions, removable media policies, and secure use of web and email.
  • Analyze a workplace scenario to identify which Annex A control themes (organizational, people, physical, technological) are relevant and evaluate whether existing controls adequately address the identified risks.
4 Access Control and Information Classification
2 topics

Access control policies

  • Explain the principle of least privilege and describe how access rights should be granted based on business need, limited to the minimum necessary, and regularly reviewed.
  • Describe the user access lifecycle: registration, provisioning, review, modification, and de-provisioning upon role change or employment termination.
  • Explain strong authentication practices including password length and complexity requirements, multi-factor authentication, and why credentials must never be shared and default passwords must be changed before a system is put into use.
  • Analyze a scenario involving user access to determine whether access rights follow the principle of least privilege and identify potential access control violations.
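
The access-control checks above (least privilege against business need, de-provisioning of leavers, MFA on privileged access, periodic review) expressed as a review script over constructed account data. This is an added illustration, not course material: the role baselines, the list of entitlements treated as privileged, the account-naming conventions, the 90-day review cadence and the five sample accounts are all assumptions; a real review would pull them from the identity provider, the applications and the HR feed.

```python
"""Periodic access review against least privilege.

Added example, not course material. Baselines, privileged entitlements,
naming conventions, review cadence and the user records are constructed.
"""
from dataclasses import dataclass

# Assumed role-to-entitlement baseline: the "business need" for each role.
ROLE_BASELINE = {
    "finance_analyst": {"erp:read", "erp:report"},
    "finance_manager": {"erp:read", "erp:report", "erp:approve_payment"},
    "helpdesk": {"ad:reset_password", "ticketing:agent"},
    "sysadmin": {"ad:reset_password", "ad:domain_admin", "vpn:admin"},
}
PRIVILEGED = {"ad:domain_admin", "vpn:admin", "erp:approve_payment"}   # assumed: these require MFA
GENERIC_NAMES = {"admin", "administrator", "root", "guest", "test"}     # assumed non-personal accounts
MAX_REVIEW_AGE_DAYS = 90                                                 # assumed review cadence


@dataclass
class User:
    username: str
    role: str
    entitlements: set[str]
    hr_status: str          # "active" or "terminated", from the HR feed
    mfa_enrolled: bool
    last_review_days: int   # days since this account's access was last re-confirmed


def review_user(user: User) -> list[tuple[str, str]]:
    """Return (finding_code, detail) pairs for one account; an empty list means compliant."""
    findings = []
    # Leavers: any remaining access is a de-provisioning failure and nothing else matters.
    if user.hr_status != "active":
        if user.entitlements:
            findings.append(("leaver_not_deprovisioned", ", ".join(sorted(user.entitlements))))
        return findings
    # Shared or generic accounts break individual accountability.
    if user.username.startswith("shared_") or user.username in GENERIC_NAMES:
        findings.append(("shared_or_generic_account", user.username))
    # Least privilege: anything beyond the role baseline needs a documented exception.
    baseline = ROLE_BASELINE.get(user.role)
    if baseline is None:
        findings.append(("unknown_role", user.role))
    else:
        excess = user.entitlements - baseline
        if excess:
            findings.append(("excess_privilege", ", ".join(sorted(excess))))
    # Privileged access without MFA.
    privileged = user.entitlements & PRIVILEGED
    if privileged and not user.mfa_enrolled:
        findings.append(("privileged_without_mfa", ", ".join(sorted(privileged))))
    # Stale review: access that nobody has re-confirmed within the cadence.
    if user.last_review_days > MAX_REVIEW_AGE_DAYS:
        findings.append(("stale_access_review", f"{user.last_review_days} days since last review"))
    return findings


def run_review(users: list[User]) -> dict[str, list[str]]:
    """Map each username to its finding codes, for the review report."""
    return {u.username: [code for code, _ in review_user(u)] for u in users}


# Constructed sample accounts (hypothetical).
SAMPLE_USERS = [
    User("alice", "finance_analyst", {"erp:read", "erp:report"}, "active", True, 30),
    User("bob", "finance_analyst", {"erp:read", "erp:report", "erp:approve_payment"}, "active", True, 30),
    User("carol", "helpdesk", {"ad:reset_password", "ticketing:agent"}, "terminated", True, 200),
    User("dave", "sysadmin", {"ad:reset_password", "ad:domain_admin", "vpn:admin"}, "active", False, 120),
    User("shared_ops", "helpdesk", {"ad:reset_password", "ticketing:agent"}, "active", True, 10),
]

if __name__ == "__main__":
    for name, codes in run_review(SAMPLE_USERS).items():
        print(f"{name:<11} {'OK' if not codes else ', '.join(codes)}")
```

The interesting row is bob: an analyst who can also approve payments has more than his role needs and, because the baseline gives approval only to managers, also a segregation-of-duties problem that the excess_privilege finding surfaces. carol still holds access after leaving, the one finding that should short-circuit everything else, and dave is within his baseline but holds domain admin without MFA and has not been reviewed on schedule.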

Information classification and handling

  • Identify common information classification levels (e.g., Public, Internal, Confidential, Restricted) and describe the criteria for assigning each classification based on sensitivity and impact of unauthorized disclosure.
  • Describe proper handling procedures for each classification level including labeling, storage, transmission, sharing, and disposal requirements.
  • Explain secure disposal methods for information assets, including paper shredding, wiping or physically destroying electronic media, and obtaining a certificate of destruction for sensitive materials.
  • Analyze a data handling scenario to determine the correct classification level, identify handling procedure violations, and recommend corrective actions.
5 Incident Management and Business Continuity
3 topics

Incident detection and reporting

  • Identify common types of information security incidents including phishing attacks, malware infections, unauthorized access, data breaches, social engineering, and lost or stolen devices.
  • Describe the employee's obligation to report security incidents and events promptly through established channels, including what information to include in an incident report.
  • Explain the difference between a security event (observable occurrence) and a security incident (event with actual or potential adverse effect on information security) and how to assess severity.

Incident response process

  • Describe the incident response lifecycle phases: preparation, identification, containment, eradication, recovery, and lessons learned, and explain employee responsibilities at each phase.
  • Explain the importance of evidence preservation during incident response, including not modifying affected systems, maintaining chain of custody, and documenting observations.
  • Analyze a security incident scenario to determine the appropriate initial response actions, classify the incident severity, and identify the correct escalation path.

Business continuity

  • Explain the purpose of business continuity planning and describe how it ensures critical business functions can continue during and after a disruption.
  • Describe employee responsibilities during business continuity events including following documented recovery procedures, maintaining communication, and using alternate work arrangements.
  • Explain the importance of regular backup procedures, backup testing, and recovery drills in ensuring information availability and organizational resilience.
6 Supplier and Third-Party Security
1 topic

Third-party risk management

  • Explain why third-party and supplier relationships create information security risks, including shared data access, system interconnections, and supply chain dependencies.
  • Describe the key elements of supplier security management including vendor risk assessments, security requirements in contracts, right-to-audit clauses, and ongoing monitoring.
  • Explain employee responsibilities when working with third parties, including verifying authorization before sharing information, following data sharing agreements, and reporting supplier security concerns.
  • Analyze a third-party engagement scenario to identify information security risks, evaluate the adequacy of contractual security provisions, and recommend improvements.
7 Internal Audit and Certification
2 topics

Internal audit basics

  • Explain the purpose of internal ISMS audits and describe how they verify conformity with ISO 27001 requirements and the organization's own policies and procedures.
  • Describe employee responsibilities during internal audits including providing accurate information, making evidence available, cooperating with auditors, and implementing corrective actions.
  • Explain the difference between a nonconformity (failure to meet a requirement) and an observation (area for improvement) and describe the corrective action process for addressing nonconformities.

Certification and surveillance audits

  • Describe the ISO 27001 certification process including Stage 1 (documentation review) and Stage 2 (implementation audit) assessments conducted by an accredited certification body.
  • Explain the surveillance audit cycle (typically annual) and recertification audit cycle (typically every three years) and their role in maintaining ISO 27001 certification.
  • Distinguish between ISO 27001 certification (formal attestation by an accredited third party) and compliance (conformity the organization claims for itself without independent certification), and explain the business value of certification.
8 Employee Responsibilities and Security Awareness
3 topics

Acceptable use and daily security practices

  • Describe the purpose and typical contents of an acceptable use policy including permitted use of company systems, email and internet guidelines, personal device rules, and social media restrictions.
  • Explain daily security practices employees should follow including locking screens, securing physical documents, recognizing phishing attempts, and reporting suspicious activities.
  • Describe remote working security requirements including VPN usage, securing home networks, protecting company data on personal devices, and physical security of equipment outside the office.

Social engineering awareness

  • Identify common social engineering techniques including phishing emails, pretexting phone calls, tailgating, baiting with USB drives, and impersonation of authority figures.
  • Describe warning signs of phishing emails including spoofed sender addresses, urgency language, unexpected attachments, suspicious links, and requests for credentials or sensitive information.
  • Analyze a simulated social engineering attempt to identify the technique used, assess the potential impact, and determine the correct response including reporting to the security team.
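
The phishing warning signs listed above (spoofed or lookalike sender, urgency language, link text that hides the real target, credential requests, unexpected attachments) turned into a checker that runs over real RFC 5322 message text. This is an added illustration, not course material: the organization domain corp.example, the keyword lists, the lookalike heuristic, the two-indicator reporting threshold, and both sample messages are constructed assumptions; it uses only the Python standard library's email and html parsers.

```python
"""Score a raw e-mail for common phishing warning signs.

Added example, not course material. ORG_DOMAIN, the keyword lists, the
lookalike heuristic, the verdict threshold and both samples are constructed.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "corp.example"                     # assumed: the organisation's own mail domain
ORG_LABEL = ORG_DOMAIN.split(".")[0]            # "corp": the part an impersonator borrows
INTERNAL_SENDER_WORDS = ("it support", "helpdesk", "payroll", ORG_LABEL)
URGENCY = ("urgent", "immediately", "within 24 hours", "will be suspended", "final notice")
CREDENTIAL_REQUESTS = ("password", "verify your account", "confirm your credentials", "login details")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".iso", ".html", ".zip")
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._buf = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def _host(value: str) -> str:
    """Lower-cased domain of an e-mail address or URL ('' if none)."""
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()


def _lookalike(host: str) -> bool:
    # e.g. corp-example.verify-login.test borrows our label but is not our domain
    return host != ORG_DOMAIN and not host.endswith("." + ORG_DOMAIN) and ORG_LABEL in host


def phishing_indicators(raw: str) -> list[str]:
    """Return the indicator codes found, in the order checked, each at most once."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    display, addr = parseaddr(str(msg.get("From", "")))
    from_host = _host(addr) if addr else ""
    if from_host != ORG_DOMAIN and any(w in display.lower() for w in INTERNAL_SENDER_WORDS):
        found.append("sender_impersonates_org")      # internal-sounding name, external address
    if _lookalike(from_host):
        found.append("lookalike_domain")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _host(reply_to) != from_host:
        found.append("reply_to_mismatch")            # replies routed away from the apparent sender
    text, attachments = str(msg.get("Subject", "")) + "\n", []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append((part.get_filename() or "").lower())
        elif part.get_content_type() in ("text/plain", "text/html"):
            text += part.get_content()
    lower = text.lower()
    if any(word in lower for word in URGENCY):
        found.append("urgency_language")
    if any(word in lower for word in CREDENTIAL_REQUESTS):
        found.append("credential_request")
    links = _Links()
    links.feed(text)
    for href, shown in links.links:
        if URL_LIKE.fullmatch(shown) and _host(shown) != _host(href):
            found.append("link_text_mismatch")       # the URL the user sees is not the target
        if _lookalike(_host(href)):
            found.append("lookalike_domain")
    if any(name.endswith(RISKY_EXTENSIONS) for name in attachments):
        found.append("risky_attachment")
    return list(dict.fromkeys(found))                # de-duplicate, keep first-seen order


def assess(raw: str) -> tuple[list[str], str]:
    """Assumed policy: two or more indicators means report it and do not interact with it."""
    found = phishing_indicators(raw)
    verdicts = {0: "no indicators found", 1: "treat with caution"}
    return found, verdicts.get(len(found), "suspicious: report to the security team")


def _build(sender, subject, body, html=False, reply_to=None, attachment=None) -> str:
    """Serialise a constructed message so the checker parses genuine RFC 5322 text."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "bob@corp.example", subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body, subtype="html" if html else "plain")
    if attachment:
        msg.add_attachment(attachment[1], maintype="application", subtype="octet-stream", filename=attachment[0])
    return msg.as_string()


# Constructed samples (hypothetical addresses and domains).
PHISH = _build("IT Support <helpdesk@corp-example-security.net>", "URGENT: your password expires within 24 hours",
               '<p>Your account will be suspended. Go to\n'
               '<a href="http://corp-example.verify-login.test/reset">https://sso.corp.example/reset</a>\n'
               'to verify your account.</p>',
               html=True, reply_to="reset@mail-verify.test", attachment=("invoice.pdf.exe", b"MZ\x90\x00"))
LEGIT = _build("Alice Smith <alice@corp.example>", "Minutes from Tuesday's meeting",
               "Attached are the minutes. Let me know if I missed anything.", attachment=("minutes.pdf", b"%PDF-1.7"))
```

Calling assess(PHISH) returns all seven indicators and the report verdict; assess(LEGIT), an internal sender with an ordinary PDF, returns none. The link check is the one worth internalising: the visible text is a perfectly good corp.example URL, and only the href (what a mouse-over reveals) shows the lookalike domain.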

Integrated ISMS compliance

  • Explain how individual employee actions contribute to or undermine the organization's overall information security posture and ISMS effectiveness.
  • Synthesize knowledge of ISMS principles, Annex A controls, incident management, and access control to evaluate an organization's information security awareness program and propose improvements.
  • Synthesize ISMS documentation requirements, risk assessment results, and control implementation evidence to prepare for an internal or external audit of the organization's ISMS.

Scope

Included Topics

  • Information Security Management System (ISMS) overview: purpose, scope, benefits, and the relationship between information security and business objectives.
  • Plan-Do-Check-Act (PDCA) cycle as applied to ISMS: planning the ISMS, implementing controls, monitoring and reviewing effectiveness, and continual improvement.
  • Risk assessment methodology: identifying information assets, threats, and vulnerabilities; determining likelihood and impact; risk evaluation and treatment options (mitigate, accept, transfer, avoid).
  • ISO 27001:2022 Annex A controls overview organized into four themes: organizational controls (37), people controls (8), physical controls (14), and technological controls (34).
  • Access control policies: user access management, authentication requirements, privileged access, access reviews, and the principle of least privilege.
  • Information classification and handling: classification schemes, labeling, data handling procedures, data retention, and secure disposal.
  • Information security incident management: incident detection, reporting, response procedures, evidence collection, lessons learned, and communication during incidents.
  • Business continuity and disaster recovery: business impact analysis, continuity planning, backup strategies, recovery testing, and maintaining security during disruptions.
  • Supplier and third-party security: vendor risk assessment, security requirements in contracts, monitoring supplier performance, and managing supply chain information security risks.
  • Internal audit basics: audit planning, evidence gathering, nonconformity identification, corrective actions, and management review process.
  • Certification versus compliance: understanding what ISO 27001 certification entails, the role of certification bodies, Stage 1 and Stage 2 audits, and surveillance audit cycles.
  • Employee responsibilities within the ISMS: acceptable use policies, security awareness obligations, incident reporting duties, and personal accountability for information security.

Not Covered

  • Full ISO 27001 Lead Auditor or Lead Implementer certification content requiring detailed audit methodology and ISMS implementation expertise.
  • Detailed technical implementation of specific security controls (firewall configuration, encryption key management, SIEM deployment) beyond awareness level.
  • ISO 27002 control-by-control implementation guidance at practitioner depth.
  • Other ISO 27000 family standards (27005 risk management, 27017 cloud security, 27018 PII in cloud, 27701 privacy) beyond brief mentions of their relationship to 27001.
  • Regulatory compliance requirements specific to individual jurisdictions (GDPR, HIPAA, SOX) beyond their general interaction with ISMS frameworks.
