The ISO 27001 Lead Auditor Certification Course

In this course the ISO 27001:2013 standard for information security is explained and you learn how to conduct information security audits. Since auditing is an important element of the standard, this course is recommended for any information security officer or information security team member.

Our Course

Based on practical exercises, you will be able to master audit techniques and become competent to manage an audit program, audit team, communication with customers, and conflict resolution. For information on date, please take a look at our training calendar.

Who should attend?

  • Auditors who may lead Information Security Management System (ISMS) certification audits
  • Managers or consultants
  • Individuals responsible for conformance with Information Security Management System requirements
  • Technical experts that prepare for an Information Security Management System audit
  • Consultants who like to have thorough knowledge about ISO 27001

Learning objectives

  • Understand the operations of an ISMS based on ISO 27001
  • Acquire the competencies of an auditor to: plan an audit, lead an audit, draft reports, and follow-up on an audit in compliance with ISO 19011
  • Understand the relationship between ISO/IEC 27001, ISO/IEC 27002 and other standards
  • Understand an auditor’s role to: plan, lead and follow-up on a management system audit in accordance with ISO 19011
  • Learn how to lead an audit and audit team

Educational approach

  • This training combines theory with practical input, including many best practices used in ISMS audits
  • Lecture sessions are illustrated with examples based on case studies
  • Practical exercises are based on a case study
  • Practice tests, similar to the Certification Exam


General IT knowledge or work experience in a knowledge-intensive organisation.

Course Schedule

The course takes 4 days plus exam (on the 5th day). There is preparation homework one week before the course. The course is taught regularly in our training location in Utrecht, the Netherlands. The training is taught in Dutch, with English written materials (teaching in English is available on request).

Day 1, Information security management systems knowledge (ISO 27001)

  • Terms and definitions
  • Management system structure (MSS) and process approach (PDCA)
  • Understanding of organization, interested parties and their requirements
  • Management system scoping
  • Top management leadership, management system policy and objectives
  • Support the management system

Day 2, Information security risk management

  • Information asset management (asset register, asset owner)
  • Information security risk management requirements and process
  • Risk assessment (identify the risk, risk owner, risk analysis and risk evaluation)
  • Risk treatment (treatment options, Statement of Applicability(SoA), risk treatment plan)
  • Management system operation
  • Documented management system (requirements from the standard and from the organization)

Day 3, Guidelines for auditing management systems (ISO 19011) – audit simulation: planning and preparation for an audit

  • Roles and responsibilities in an audit
  • Management system performance evaluation and continual improvement requirements
  • Different types of audit
  • Audit programme and purpose
  • Planning an audit (initiate the audit, feasibility analysis)
  • Conduct a Stage 1 audit (document review)
  • Preparation for Stage 2 (on-site) audit – audit plan
  • Preparation of audit work documents, including checklists and audit trails

Day 4, Guidelines for auditing management systems (ISO 19011) – audit simulation: opening meeting, on-site audit activities and closing meeting

  • Opening meeting
  • Role play for audit scenarios
  • Practice audit skills of collecting audit evidence
  • Prepare audit findings and results, including conformance, non-conformity (NC) and opportunity for improvement (OFI)
  • Prepare audit report
  • Audit conclusion
  • Closing meeting
  • Audit follow-up
  • Evaluating correction and corrective action, including root cause analysis and audit finding closure
  • Management system certification

Day 5, recap and exam

The examination is a 2-hour written test, taken on the evening of Day 4 or the following morning (Day 5).

Official Certificate

This CQI (Chartered Quality Institute) / IRCA (International Register of Certificated Auditors) certified Information Security Management Systems (ISMS) Auditor / Lead Auditor Training Course (Registered Course Nr. PR320 / A17533) is part of the internationally recognized CQI/IRCA ISMS Auditor Certification programme.

The ICT Institute view of ISO 27001

ISO 27001 helps you to create structural information security in your organization. It is one of the few certifiable international standards for an information security management system. The regular, repeating appraisal process helps you to continuously improve your security.

ICT Institute helps you to make ISO 27001 a living process in your organization: not a goal in itself, but a genuinely secure organization and IT systems. Obtaining the ISO 27001 certificate also demonstrates your status as a certified organization to external parties, often with a very positive impact.

ICT Institute is known for its pragmatic approach and for helping organizations quickly identify what works well and what can be improved. Several ways of working and standard procedures will be shown. We also supply ‘Best Practice’ sample documents, so you’ll hit the ground running in any ISO 27001 project.

How to Book?

You can reach us using the contact details in the website’s footer, or by filling out the form on our contact page.