Standards and methods

List of standards covered by our training program

  • ISO/IEC 27001: Information technology – Security techniques – Information security management systems – Requirements
  • ISO/IEC 27002: Information technology – Security techniques – Code of practice for information security controls
  • ISO/IEC 27005: Information technology – Security techniques – Information security risk management
  • ISO/IEC 27034: Information technology – Security techniques – Application security
  • ISO 31000: Risk management – Guidelines
  • ISO 37001: Anti-bribery management systems – Requirements with guidance for use
  • Mehari: Integrated and comprehensive risk assessment and management methodology associated with information and its treatments

Description of standards and lists of related training offered by the Cogentas Academy

ISO/IEC 27001 standard

Information technology – Security techniques – Information security management systems – Requirements

ISO/IEC 27001 specifies requirements for:

  • the establishment,
  • the implementation,
  • the maintenance, and
  • the continual improvement of an Information Security Management System (ISMS) in the context of an organization.

It also includes requirements for the assessment and treatment of information security risks, tailored to the needs of the organization.

The requirements of ISO/IEC 27001 are generic and intended to apply to any organization, regardless of its type, size and nature. An organization claiming conformity with ISO/IEC 27001 may not exclude any of the requirements specified in Clauses 4 to 10.

Training offered

  • ISO/IEC 27001 Introduction (I)
  • ISO/IEC 27001 Foundation (F)
  • ISO/IEC 27001 Lead Auditor (LA)
  • ISO/IEC 27001 Lead Implementer (LI)

Source: ISO – International Organization for Standardization

ISO/IEC 27002 standard

Information technology – Security techniques – Code of practice for information security controls

ISO/IEC 27002 gives guidelines for:

  • organizational information security standards, and
  • information security management practices, including the selection, implementation and management of controls, taking into account the organization's information security risk environment(s).

ISO/IEC 27002 is designed to be used by organizations that intend to:

  • select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;
  • implement commonly accepted information security controls;
  • develop their own information security management guidelines.

Training offered

  • ISO/IEC 27002 Introduction (I)
  • ISO/IEC 27002 Foundation (F)
  • ISO/IEC 27002 Lead Implementer (LI)
  • ISO/IEC 27002 Lead Manager (LM)
  • ISO/IEC 27002 Manager

Source: ISO – International Organization for Standardization

ISO/IEC 27005 Standard

Information technology – Security techniques – Information security risk management

ISO/IEC 27005 provides guidelines for information security risk management.

  • It supports the general concepts specified in ISO/IEC 27001.
  • It is designed to assist the satisfactory implementation of information security based on a risk management approach.
  • Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important to understand the scope of this standard.
  • ISO/IEC 27005 is applicable to all types of organizations, such as:
    • commercial enterprises,
    • government agencies,
    • non-profit organizations.

Training offered

  • ISO/IEC 27005 Introduction (I)
  • ISO/IEC 27005 Foundation (F)
  • ISO/IEC 27005 Risk Manager (RM)

Source: ISO – International Organization for Standardization

ISO/IEC 27034 Series of Standards 

Information technology – Security techniques – Application security (AS)

An application or an information system (IT system) includes the software and its data. Applications can be used in many contexts and for many purposes. The people who develop, provide, acquire or use an application may be located in Canada, China or Europe. In all cases, the application must comply with the laws and regulations in force in the countries where it is deployed and used.

In this context, it is essential that organizations be able to manage security risks at the application level. The ISO/IEC 27034 series of standards provides application security (AS) reference frameworks that are based on a risk management approach and that enable the implementation and verification of application security controls that are measurable and whose effectiveness can be demonstrated with evidence. The ISO/IEC 27034 series consists of eight parts:

  • Part 1: Overview and concepts
  • Part 2: Normative framework of the organization
  • Part 3: Application security management process
  • Part 4: Validation and verification of application security
  • Part 5: Protocols and data structure of application security controls
  • Part 5-1: Protocols and data structure of application security controls – XML Schema
  • Part 6: Case studies
  • Part 7: Assurance prediction framework

ISO/IEC 27034 provides specific principles and concepts for application security:

  • a step-by-step AS implementation mechanism that helps organizations understand how to develop, acquire, implement, use and maintain applications at the level of trust the organization has targeted beforehand, at an acceptable cost;
  • components and processes that can provide verifiable evidence that AS requirements are met and maintained at the targeted level of trust;
  • the implementation of elements of the 27034 framework and the seamless integration of application security controls (ASCs) throughout the application lifecycle;
  • an AS approach that covers not only the software of an application, but also all other factors that affect its security, such as:
    • the technological context,
    • the regulatory context,
    • the business context,
    • the specifications,
    • the sensitivity of its data,
    • the processes and actors involved throughout the application lifecycle;
  • a normative framework that applies to organizations of all sizes and types exposed to security risks that threaten information related to their applications. Applications are used not only by large enterprises, government agencies and non-profit organizations, but also by large, medium and small businesses that develop software, applications and business services.

Training offered

  • ISO/IEC 27034 Introduction (I)
  • ISO/IEC 27034 Foundation (F)
  • ISO/IEC 27034 Lead Auditor (LA)
  • ISO/IEC 27034 Lead Implementer (LI)

Sources: Cogentas and ISO – International Organization for Standardization

ISO 31000 Standard

Risk management – Guidelines

ISO 31000 provides:

  • guidelines on managing the risks faced by organizations; the application of these guidelines can be customized to any organization and its context;
  • a common approach to managing any type of risk that is not industry- or sector-specific.

ISO 31000 can be:

  • used throughout the life of the organization, and
  • applied to any activity, including decision-making at all levels.

Training offered

  • ISO 31000 Introduction (I)
  • ISO 31000 Foundation (F)
  • ISO 31000 Lead Risk Manager (LRM)
  • ISO 31000 Risk Manager (RM)

Source: ISO – International Organization for Standardization

ISO 37001 Standard 

Anti-bribery management systems – Requirements with guidance for use

Bribery is one of the world’s most destructive and challenging issues. With over US$ 1 trillion paid in bribes each year*, the consequences are catastrophic, reducing quality of life, increasing poverty and eroding public trust.

Yet despite efforts on national and international levels to tackle bribery, it remains a significant issue. Recognizing this, ISO has developed a new standard to help organizations fight bribery and promote an ethical business culture.

ISO 37001 specifies requirements and provides guidance for establishing, implementing, maintaining, reviewing and improving an anti-bribery management system. The system can be stand-alone or can be integrated into an overall management system. ISO 37001 addresses the following in relation to the organization's activities:

  • bribery in the public, private and not-for-profit sectors;
  • bribery by the organization;
  • bribery by the organization's personnel acting on the organization's behalf or for its benefit;
  • bribery by the organization's business associates acting on the organization's behalf or for its benefit;
  • bribery of the organization;
  • bribery of the organization's personnel in relation to the organization's activities;
  • bribery of the organization's business associates in relation to the organization's activities;
  • direct and indirect bribery (e.g. a bribe offered or accepted through or by a third party).

ISO 37001 is applicable only to bribery. It sets out requirements and provides guidance for a management system designed to help an organization to prevent, detect and respond to bribery and comply with anti-bribery laws and voluntary commitments applicable to its activities.

ISO 37001 does not specifically address fraud, cartels and other anti-trust/competition offences, money-laundering or other activities related to corrupt practices, although an organization can choose to extend the scope of the management system to include such activities.

The requirements of ISO 37001 are generic and are intended to be applicable to all organizations (or parts of an organization), regardless of type, size and nature of activity, and whether in the public, private or not-for-profit sectors. The extent of application of these requirements depends on the factors specified in 4.1, 4.2 and 4.5.

*Source: OECD

Training offered

  • ISO 37001 Introduction (I)
  • ISO 37001 Foundation (F)
  • ISO 37001 Lead Auditor (LA)
  • ISO 37001 Lead Implementer (LI)

Source: ISO – International Organization for Standardization

Mehari method

Integrated and comprehensive risk assessment and management methodology associated with information and its treatments

Created in 1996 by CLUSIF and maintained by that association since, the method is now developed and distributed by CLUSIQ (the Quebec Information Security Club), with which CLUSIF established a partnership in 2015. Today's release includes the following features:

  • the MEHARI method complies with the guidelines laid down by ISO 27005:2009 and can be integrated into a complete approach that is also usable within the framework of an Information Security Management System (ISO 27001:2005), thanks to its ability to involve and raise the awareness of the entity's management as well as its operational managers;
  • the MEHARI method can be carried out according to several approaches, all based on the same risk model, which integrates the assessment of business issues, threats and vulnerabilities attached to the assets involved in risk situations;
  • the severity level of each risk scenario is determined from its potential (likelihood) and impact levels, and the structure of the method allows the selection of the security measures that best treat (reduce the level of) each risk within the organization's resources.

Training offered

  • MEHARI Risk Manager (RM)

Source: CLUSIF