
Certification criteria for the Internal Information Security Management Systems Auditor Training Course

www.irca.org

CERTIFICATION CRITERIA FOR THE INTERNAL ISMS AUDITOR TRAINING COURSE
IRCA/2160/07/1 Jan 07
CONTENTS

1. INTRODUCTION
2. LEARNING OBJECTIVES
3. ENABLING OBJECTIVES: KNOWLEDGE & SKILLS
4. TRAINING METHODS
5. COURSE CONTENT
6. COURSE DURATION
7. TUTORS AND STUDENTS
8. VARIATIONS
9. STUDENT ASSESSMENT
10. COURSE PUBLICITY AND ADVERTISING
APPENDIX 1: INTERNAL AUDITOR STUDENT ASSESSMENT: GUIDANCE AND EXAMPLES
Copyright IRCA 2006
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise without prior permission of the CQI International Register of Certificated Auditors (IRCA).
1. INTRODUCTION

1.1 We, the International Register of Certificated Auditors (IRCA), have developed this document to help you, the approved Training Organization, achieve certification of your Internal Information Security Management Systems (ISMS) Auditor training course.

1.2 Before designing an Internal ISMS Auditor training course to meet the requirements of this document you should consider the following:

1.2.1 Aim of this course. ISO/IEC 27001:2005 provides industry with a useful specification for managing and improving information security within organizations. The aim of the Internal ISMS Auditor training course is to provide students with the skills and knowledge to perform internal audits and to contribute to the continual improvement of the management system.

1.2.2 ISMS Auditor Certification (IRCA/802). For students who want to become IRCA certified Internal ISMS Auditors, this course satisfies only part of the training requirement of IRCA/802. In order to satisfy the training requirement for Internal ISMS Auditor fully, students will need to complete the 1 day ISMS Foundation course (IRCA/2161) in addition to this course.

1.2.3 Prior knowledge. Students are expected to have knowledge of information security management systems and ISO/IEC 27001 before attending the course (this can be gained by completing the IRCA/2161 ISMS Foundation course).

1.2.4 Reference documents. The course content is based on the standards ISO/IEC 27001, the international standard ISO/IEC 17799:2005, ISO/IEC 13335 Parts 1 and 2 (MICTS) and ISO/IEC TR 18044:2004. Unless otherwise indicated, all references within this document to ISO/IEC 27001 will indicate the ISO/IEC 27001:2005 version. Students are required to have a detailed knowledge of ISO/IEC 27001 before this course and we recommend that the Internal ISMS Auditor course is presented in conjunction with the ISMS Foundation Course (IRCA/2161).

1.2.5 Training vs Assessment. There must be two distinct aspects to courses based on these criteria:
a) Effective training to help students develop the knowledge and skills defined in this document.
b) Effective assessment of each individual student's achievement of the learning objectives through objective testing based on defined outputs.

1.2.6 Flexibility in course design. Your training course must be designed and delivered in accordance with the criteria in this document, although you may exercise flexibility in the inclusion of additional learning objectives, additional material, and in the structure and selection of specific training methods used during the course. Many of the certification requirements common to the management and control of courses are detailed in IRCA/2000 Requirements for Training Organization Approval. These requirements are in addition to the requirements of IRCA/2160 and are mandatory. It is essential, therefore, that you are familiar with the requirements of IRCA/2000.
1.2.7 Training methods. This course may be designed to be presented in a variety of ways:
a) Classroom based over 2 days full time (i.e. over two consecutive working days).
b) Classroom based as a series of part time modules over a longer period.
c) Blended, as a combination of self study (i.e. e-learning course, correspondence course etc.) and classroom based learning.
However it is designed, students must complete the whole course of study with your organization. Note: we will not accept courses that are wholly based on self study learning.

2. LEARNING OBJECTIVES

2.1 Learning Objectives describe in outline what successful students will know and be able to do by the end of the course. By the end of the course students will be able to:

Knowledge
2.1.1 Describe, with reference to the Plan, Do, Check, Act (PDCA) cycle, the purpose, structure and requirements of ISO/IEC 27001 from the point of view of an internal auditor (see 3.1).
2.1.2 Describe the responsibilities of an internal auditor and describe the role of internal audit in the maintenance and improvement of management systems (see 3.2).

Skills
2.1.3 Plan, conduct and report an internal audit of part of an information security management system in accordance with ISO 19011 (see 3.3).

3. ENABLING OBJECTIVES: SKILLS & KNOWLEDGE

In order for students to achieve the overall Learning Objectives, they will need to acquire and develop specific knowledge and skills. These are specified below as Enabling Objectives and can be considered as steps to the achievement of the Learning Objectives.

3.1 Describe, with reference to the Plan, Do, Check, Act (PDCA) cycle, the purpose, structure and requirements of ISO/IEC 27001 from the point of view of an internal auditor

Knowledge of ISO/IEC 27001 is a prerequisite to this course. If this course is being run in isolation from the ISMS Foundation course (IRCA/2161), a review of the standard should be included.

3.1.1 Explain why organizations use ISO/IEC 27001, including:
a) The purpose and structure of ISO/IEC 27001, with reference to the PDCA cycle and the process approach to an information security management system.
b) The ISO/IEC 27001 requirement for Continual Improvement and the implications of this for internal auditors.
c) The processes involved in establishing, implementing and operating, monitoring and reviewing, and improving an ISMS.
3.1.2 Explain the requirements for Internal Audit as described in ISO/IEC 27001.
3.1.3 Explain how audits can be used as a tool for the maintenance and improvement of management systems.

3.2 Describe the responsibilities of an internal auditor and describe the role of internal audit in the maintenance and improvement of management systems.

Knowledge
3.2.1 Define an internal audit, including:
a) The terms and definitions used in auditing, referencing ISO 19011 and ISO/IEC 27001.
b) Typical objectives for audits, including conformance, effectiveness and improvement, and suggest how these different types of audit can add value to an organization.
c) The audit cycle.
d) The responsibilities of auditors, and the principles of auditing.
3.2.2 Planning, conducting and following up an audit:
a) Explain the significance of audit criteria and give examples of different types of audit criteria.
b) Explain the need for pre-audit contact with the auditee.
c) Suggest approaches and methods for:
   o Planning an internal audit, including arrangements for opening and closing the audit.
   o Gathering objective evidence to meet different audit objectives, including conformance, improvement and effectiveness audits.
d) Explain the purpose and typical content of an internal audit report.
e) Explain the purpose of, and methods for, follow-up of audit findings.
3.2.3 Explain the role of IRCA in the certification of auditors.

3.3 Plan, conduct and report an internal audit of part of an information security management system in accordance with ISO 19011.

Skills
3.3.1 Establish the purpose and objectives of the audit, define the audit scope and identify the documents to be reviewed and the information to be obtained before the audit.
3.3.2 Produce an outline plan for auditing the conformance and effectiveness of a process, including:
a) What to audit (documents, records, activities).
b) Who to select for interview.
c) Where and when to audit (including locations, sequence, audit trails etc.).
d) What methods to use for gathering objective evidence (e.g. interview, observation, review of documents and records).
3.3.3 Produce an audit plan and audit checklist (or alternative) appropriate for the scope, objective and audit criteria, for use in the practical audit exercise(s).
3.3.4 Apply the audit checklist (or alternative) in a practical audit situation to:
a) Gather objective evidence to achieve the audit objectives through a structured audit interview and the sampling of documents and records.
b) Follow audit trails to determine the effectiveness of processes.
c) Take appropriate notes.
d) Demonstrate effective questioning, listening, observation and feedback skills in gathering objective evidence in an audit situation.
3.3.5 Review audit evidence against criteria and determine:
a) The effectiveness of the activity/process in achieving planned results.
b) Conformance to defined audit criteria.
c) Opportunities for improvement.
3.3.6 Link audit findings to establish the root cause of nonconformance.
3.3.7 Write clear, actionable audit reports.
3.3.8 Plan a follow-up audit, including the methods to be used to obtain objective evidence that corrective action is effective.
3.3.9 Determine the effectiveness of corrective actions taken in given situations.

4. TRAINING METHODS

4.1 Your course may be presented as a wholly classroom based course or as a blended course (in other words part self study and part classroom based). You may also present the course as a series of separate modules, either as full time or part time study.

4.2 Classroom based training
4.2.1 You must provide for students an environment conducive to effective learning. At the beginning of the course you must provide the students with a description of the learning objectives, course structure, format and programme, student responsibilities and the assessment processes and assessment criteria, and you must deal with any concerns or worries that students may have.
4.2.2 Your course must be based on the learning cycle (see guidance in Appendix 1) and include opportunities for students to:
- Experience new ideas and skills. (Note that tutor-led slide presentations as the sole method of helping students learn new knowledge are not acceptable.)
- Reflect on their learning and identify strengths and weaknesses. (Note that your course must include methods for monitoring, and must provide time for tutors and students to review tasks and activities and each student's achievement of the learning objectives.)
- Address and improve on areas of weakness. (Note that your course must include provision for review and remedial work, and individual coaching, where necessary.)
4.2.3 Your course must include a variety of learning methods to suit the range of learning styles (see guidance in Appendix 1).
4.2.4 Your course must not rely on tutor presentations and tutor-led discussions to teach knowledge based learning objectives. We expect to see students learning these elements mostly through a process that requires students to complete a task or activities, often in teams, and to produce a defined output.
4.2.5 All students must practise the skill based learning objective of the course (learning objective 2.1.3) through participation in appropriate tasks and activities (role play, simulation etc.).
4.2.6 Timekeeping, planning and programme management are essential elements in the performance of an audit and, although we recognise that effective training is responsive to students' needs, deviations from the timetable must be managed so that all learning objectives are adequately covered and students are kept informed of significant changes to the programme.
4.2.7 You must submit session plans or tutor notes for each individual training session. Session plans must specify:
- learning objectives and duration for the session
- nature of the activity and training method to be used
- organizational arrangements, tutor and student briefing details
- deliverables required from students for practical sessions
- materials, exercises and equipment required to run the session
- where training methods or the use of exercises etc. are optional, this must be clearly indicated in the session plans.
Note that the format of your session plans will depend on your approach to tutor competence and training and on the size and complexity of your organization. Medium and high complexity training organizations (see IRCA/3000 appendix) will require more comprehensive tutor notes to ensure that training in new and amended materials is controlled and effective.

4.3 Blended courses (a combination of self study, including electronic media, and classroom based learning)
4.3.1 Only the knowledge based learning objectives 2.1.1 and 2.1.2 may be covered by self study methods.
4.3.2 Learning objective 2.1.3 (auditing skills) must be completed in a classroom environment in terms of practice and student assessment. See clause 4.2 of this document for the requirements for the classroom element of blended learning courses.
4.3.3 Training methods selected should seek to involve and engage students throughout the duration of the course. Simply providing students with a set of reading materials will not be acceptable. Your self study materials must be designed around a clearly structured learning process with:
- Theory.
- Examples (scenarios, case studies etc.).
- Practice (activities, case studies, progress tests etc.).
- Feedback/self assessment on activities and tests where relevant, to ensure students can self assess their understanding and achievement of the learning objectives and identify any areas requiring further work.
4.3.4 Self study course materials must be clearly presented and structured for ease of use, with appropriate navigational aids. You must make the following clear to students to help them manage their learning:
- The learning objectives for the overall self study element of the course.
- The learning objectives for each section within the course.
- How the self study element of the course links with the classroom component.
- The structure and suggested or intended sequence of the materials.
- Instructions for the students' use of the materials, including realistic timescales.
- Examples of typical documents, reports, forms etc.
- How, when and how often students may contact tutors for help, guidance and feedback.
- Methods for students to assess their learning and to seek timely feedback and coaching from the tutor(s).
4.3.5 You must ensure that each student has timely access to a course tutor to answer questions and queries.
Note: as a guide, a response to communications from students within 24 hours would be acceptable.
5. COURSE CONTENT

5.1 At the beginning of the course you must provide the students with a description of the Learning Objectives, course structure, format, their responsibilities, and the student assessment processes and criteria.
5.2 The course must cover all aspects defined in clause 2, Learning Objectives, and clause 3, Enabling Objectives.
5.3 The course must cover the benefits of certification as an IRCA Internal ISMS Auditor, including brief details of the IRCA ISMS auditor certification programme, and provide students with details of how to contact IRCA and apply for certification. You must use IRCA/190 and IRCA/167 (or equivalents) for this purpose.
6. COURSE DURATION

6.1 Classroom based learning
6.1.1 Where the course is wholly classroom based, the total course must be at least 14 hours net, calculated as detailed in IRCA/2000.
6.1.2 This course may be presented over a minimum of 2 consecutive days full time, or on a part time (modular) basis over a maximum of 4 weeks.
Note: although not mandatory, we recommend that this course be residential if presented over consecutive days.

6.2 Blended learning
6.2.1 Elements of the course that are delivered through self study will allow students three times longer than classroom training (i.e. approximately 18 hours for learning objectives 2.1.1 and 2.1.2).
6.2.2 The classroom element (i.e. the skills learning objective 2.1.3 as a minimum) must be timed to allow each student to practise and be assessed on the skills learning objective. The amount of time given to the classroom element will depend on the learning objectives being covered. As a guide we expect a minimum of 7 hours over 1 day to be spent on the practice and assessment of learning objective 2.1.3. Courses with a reduction in classroom time may be allowed if agreed in advance with IRCA. See the Appendix for guidance on instances where reduced classroom time may be allowed.
6.2.3 Each student must complete both the self study and the classroom part of the training course in no more than 90 days.
6.2.4 Students must complete each element of blended courses in the correct sequence. For example, for courses designed with a self study element that is to be followed by a classroom element, you must ensure that students who do not complete the self study element of the course are not accepted onto the classroom based element. You must have a process for recording and validating each student's completion of each element of blended courses to ensure students complete the course in the correct order.

6.3 Translators
6.3.1 If the course is given through translators, the time must be increased as necessary to satisfy the learning objectives.

7. TUTORS AND STUDENTS

7.1 Student numbers:
7.1.1 The maximum number of students per course is 20.
7.1.2 The minimum number of students per course is 4.
7.2 The course must be run with at least one tutor, who must be present for the full duration of the course.
7.3 Self study based learning: tutors who provide educational support on self study elements of blended learning must be competent to operate any media required.
7.4 Tutors for this course must demonstrate competence in the following key attributes:
7.4.1 Competence in Training, by satisfying the Tutor requirements as appropriate (see IRCA/2000).
7.4.2 Competence in Auditing against information security management systems, by demonstrating auditing competence as a currently certified Internal ISMS Auditor as described in IRCA/802, or by meeting the requirements for such certification.
7.4.3 Competence to deliver training and student assessment on your specific course.
7.4.4 Knowledge of the specific local regulatory requirements in which the course is presented, or having a local expert attending at the necessary times.
7.5 You must specify the tutor resource for all parts of the course, and be able to demonstrate to us that this is adequate for the effective delivery of the Course Content (clause 5) and the effective implementation of the Student Assessment (clause 9).
Although we have not prescribed student:tutor ratios for elements of the course where students' audit skills are assessed/tested (see clause 9), we consider it unlikely that one tutor would be able to assess effectively the performance of more than 12 students. Therefore, for groups larger than 12, you are advised to provide additional tutor resource during elements of the course where audit skills are assessed. We will review the effectiveness of the specified tutor resource during the application process, and review its effective implementation during the surveillance process.

8. VARIATIONS

8.1 We will consider requests for variations to any of these criteria, or in respect of any special circumstances. In this situation you should submit a written request to us immediately the requirement for the variation becomes apparent.
8.2 We will consider the following when evaluating any request for variation:
- Reasons for the requested variation.
- Proposed modifications to the training.
- The impact on the learning and assessment processes and how this will be managed.

9. STUDENT ASSESSMENT

9.1 In order to satisfactorily complete the course each student must:
9.1.1 Complete all elements of the course, covering all Learning and Enabling Objectives.
9.1.2 Pass the student assessment.
9.2 Student assessment:
9.2.1 Students must demonstrate acceptable performance in the Learning Objectives (clause 2) to successfully complete the course.
9.2.2 You must provide each student with feedback on his or her achievement of these learning objectives as described in IRCA/2000.
9.2.3 You must specify how each Learning Objective will be assessed, within the following minimum requirements:
a) Objectives 2.1.1 and 2.1.2 must be assessed through a written quiz or examination, for which each student is awarded an individual mark.
b) Objective 2.1.3 must be tested through relevant practical activity with written output, undertaken by students individually or in small groups, and through each student's individual performance in a practical audit situation. Where small groups are used, you must specify arrangements for ensuring the understanding and active contribution of each student.
An example of how you could approach student assessment is given in Appendix 1.

10. COURSE PUBLICITY & ADVERTISING

10.1 Your training course advertising and promotional material must not state nor imply that this course fulfils more than part of the training requirements for certification as an ISMS Internal Auditor.
APPENDIX 1: NOTES FOR GUIDANCE

Coverage of ISO/IEC 27001
This document requires that students be able to explain the intent and requirements of each clause before attending this course. Students should be made aware of this, and a method of establishing their knowledge should be implemented.
This document also requires students to interpret and apply ISO/IEC 27001 requirements in the context of an internal audit. This requirement should be tested through practical exercises, and it is recognised that students will only be able to gain this practical experience on limited parts of ISO/IEC 27001. Course designers should use their judgement in deciding which requirements to concentrate on in such practical activities.

Process Auditing
The move to a process approach to auditing will have a particular impact on the planning and conducting of audits. The following notes are for guidance and include considerations auditors may need to take into account when planning and conducting process audits.

Planning the on-site audit:
- The audit plan includes all activities applicable to the scope of the audit and the audit standard (e.g. ISO/IEC 27001 or the contract).
- Audit trails are established from the top level ISMS policy to all relevant functions and levels in the organization.
- The audit programme enables links between policy, objectives, targets, monitoring and continual improvement to be established.
- The audit programme reflects the structure, sequence and interrelationship of processes in the organization.
- The audit programme is sufficiently flexible and enables objective evidence to be gathered to verify activities and results.
- The audit programme reflects the organization's goals and priorities.

Conducting the audit:
- The purpose, inputs, outputs, controls and resources applicable to each process are clear.
- Links are established between processes and high level and local ISMS objectives.
- The outputs of the process are compared with the desired outcomes, the purpose of the process and any specific information security objectives.
- The steps in the process and the associated responsibilities are determined, where necessary.
- Interrelating processes are identified.
- Process measures are identified.
- Evidence of continual improvement is sought.
- The needs of internal and external customers are clear.

Document Review
Changes in the 2005 issue of ISO/IEC 17799 have implications for the process of document review. In many instances it will not be possible to assess whether ISO/IEC 27001 requirements are satisfied in principle by looking only at the information security policy document and procedures. Auditors will need to take a more holistic approach to assessing the adequacy of system documentation (not just procedures) and may perform part or all of this activity on site. Your course should reflect this more holistic approach in both input sessions and exercises.
Helping students learn new knowledge & skills
We promote the use of accelerated learning approaches because they are more efficient, in terms of speed and depth of comprehension, and more effective, in terms of long term retention of new knowledge. Therefore, you should employ practical tasks and activities to help students understand new concepts and ideas. You should not rely on tutor focused lecture/presentation to transfer new ideas and concepts.

1. The Learning cycle
There is a clear link between Deming's familiar Plan-Do-Check-Act cycle and the learning cycle:
a. students experience something (e.g. complete a task to find out about the requirements of ISO/IEC 27001)
b. students reflect on what they did and identify what they learned and what they still don't fully understand or can't do (e.g. feedback to compare their answers to other students' answers and/or model answers, and identify any problems)
c. students take action to address weak areas (e.g. ask the tutor for help, complete the task/activity again, or complete another task)
Ensuring that your training sessions follow this simple model will make students' learning more effective. We referenced the learning cycle described by David A Kolb in developing these criteria and you might find it useful to consider this when developing your course.

2. Learning styles
We promote a variety of training methods in your course design. Different people learn in different ways, so your sessions should follow the learning cycle and your course should include a variety of different learning activities to cater for all needs as far as possible. Honey and Mumford (Learning Style Questionnaire, Peter Honey Publications, ISBN 1-902899-07-5) provide one model for describing different learning styles that you may find useful as a basis.

3. Session plans
Developing session plans is a natural part of designing learning and training processes. Session plans should be simple and easy to use working documents to help your tutors manage effective learning. For organizations with only a few tutors, outline session plans are acceptable. For larger organizations with a number of branches or subcontractors, and the consequent number and turnover of tutors, we will require more comprehensive session plans. A sample session plan is provided below.

4. Continuous assessment
Continuous assessment should have a clear link between: session plans (for tutors), clear task/activity instructions with defined and measurable outputs (for students and tutors), activity marking schemes/model answers (for tutors), model answers (for students), and the individual student continuous assessment record (for recording student performance).

Blended Learning course duration & tutor:student ratios
We will consider courses designed with less than 60% of the course duration (as calculated in IRCA/2000) devoted to classroom activity in circumstances where, for example, there is a smaller tutor:student ratio: for example 2 tutors and a maximum of 6 students.
Self Study
We recommend that you consider the following documents when developing training based on information technology solutions:
- BS 7988:2002 A Code of Practice for the use of information technology for the delivery of assessments
- BS 8426:2003 A Code of Practice for e-support in e-learning systems
Example continuous assessment options
The following table provides examples of how you could assess/test student achievement of the Learning Objectives and how feedback and follow-up work could be approached. Only the "IRCA requirement for testing" entry of each row is a requirement; the arrangement for testing, pass criteria and feedback entries are examples only.

Learning objective: Describe the responsibilities of an internal auditor and describe the role of internal audit in the maintenance and improvement of management systems.
IRCA requirement for testing: Written (quiz/exam etc.).
Example arrangement for testing: Quiz at the end of the morning of day 1.
Example pass criteria: Minimum pass mark 70%.
Example feedback to students: Verbal during review of quiz. Written notification of mark.

Learning objective: Explain, with reference to the PDCA cycle and the model of a process based management system, the purpose and structure of ISO/IEC 27001.
IRCA requirement for testing: Written (quiz/exam etc.).
Example arrangement for testing: Quiz at the end of day 1.
Example pass criteria: Minimum pass mark 70%.
Example feedback to students: Verbal during review of quiz. Written notification of mark. Remedial work with any failures.

Learning objective: Plan and prepare for an internal audit, including preparing a checklist.
IRCA requirement for testing: Practical activity with written output.
Example arrangement for testing: Day 1: preparation of checklist exercise.
Example pass criteria: See marking scheme. Minimum score 7 out of 10.
Example feedback to students: Tutors to review progress and coach students as appropriate during the exercise. Written comments and score to be provided on day 2 a.m.

Learning objective: Gather objective evidence through interview and sampling of documents.
IRCA requirement for testing: Observed practical activity.
Example arrangement for testing: Day 2: audit role play.
Example pass criteria: Tutors to allocate a "competent" or "not yet competent" mark to each student for each of the enabling objectives in section 3.3.
Example feedback to students: Verbal feedback following the exercise. Remedial work with any failures. Marks to be allocated at the end of the course.

Learning objective: Write factual audit reports that help to improve the effectiveness of the management system.
IRCA requirement for testing: Practical activity with written output.
Example arrangement for testing: Day 2: reporting on the audit role play exercise.
Example pass criteria: See marking scheme. Minimum score 7 out of 10.
Example feedback to students: Verbal feedback following the exercise. Remedial work with any failures. Score to be notified to students at the end of the course.

Learning objective: Suggest ways in which the effectiveness of corrective actions might be verified.
IRCA requirement for testing: Quiz/exam.
Example arrangement for testing: Short test on day 2.
Example pass criteria: Minimum pass mark 7 out of 10.
Example feedback to students: Papers to be marked after the course and the result notified to students after the course.
