Browse our certifications
Find training
Open page navigation
compliancecontinual improvementcustomer confidencecyber securitydata breachesdata protectionframeworks

ISO/IEC 27001 (ISO 27001) is an international standard for Information Security management. It provides a model to establish, implement, maintain and continually improve a risk-managed Information Security Management System (ISMS).

The standard forms the basis for effective management of sensitive, confidential information and for the application of information security controls.

An organization that conforms to the ISO/IEC 27001 standard possesses clear, objective proof of its commitment to continued improvement of control over its sensitive and confidential information.

ISO/IEC 27001 therefore provides reassurance to sponsors, shareholders and customers that the organization has expert control over its risk management and data security.

Due to the diversity of different organizations’ information assets – the ISO/IEC 27001 standard is adaptable according to an organization’s requirements.

The design and implementation of the ISMS is tailored to the organization’s objectives, information assets, operational processes, governing legal requirements and regulatory security requirements.

 

db_ISO/IEC27001_foundation

ISO/IEC 27001 Foundation

Gain foundation level knowledge of how the standard operates in a typical organization.

Compliance, Cyber Security, Information Management & Analysis, Risk Management
Who is Foundation for?

This certification is aimed at those who are:

  • Supporting the implementation, operation or maintenance of an ISMS within an organization.
  • Required to audit an ISMS and to have a basic understanding of the standard.
  • Working within an organization with an ISMS, whether the organization is already certified or is considering certification to ISO/IEC 27001.
  • Preparing for the ISO/IEC 27001 Practitioner - Information Security Officer qualification.
What are the key things you will learn?
  • The scope and purpose of ISO/IEC 27001 and how it can be used.
  • The key terms and definitions used in the ISO/IEC 27000 series.
  • The fundamental requirements for an ISMS in ISO/IEC 27001 and the need for continual improvement.
  • The processes, their objectives and high level requirements.
  • Applicability and scope definition requirements.
  • Use of controls to mitigate IS risks.
  • The purpose of internal audits and external certification audits, their operation and the associated terminology.
  • The relationship with best practices and with other related International Standards: ISO 9001 and ISO/IEC 20000.
Exam format:
  • Multiple choice format
  • 50 questions per paper
  • 25 marks or more required to pass (out of 50 available) – 50%
  • 40 minute duration
  • Closed book

 

db_ISO/IEC27001_practitioner

ISO/IEC 27001 Practitioner - Information Security Officer

Learn to apply the standard to enable the management of information security.

Compliance, IT Management, Risk Management
What is required?
  • APMG ISO/IEC 27001 Foundation certificate.
  • TÜV SÜD ISO27001 Foundation certificate. 
  • ICO-CERT ISMS 27001 Foundation certificate.
Who is Practitioner - Information Security Officer for?

This qualification is aimed at those who are:

  • Internal managers and personnel working to implement, maintain and operate an ISMS within an organization.
  • External consultants supporting an organization’s implementation, maintenance and operation of an ISMS.
  • Internal auditors who are required to have an applied knowledge of the standard.
What are the key things you will learn?
  • Applying the principles of ISMS policy and its information security scope, objectives, and processes within an organizational context.
  • Applying the principles of risk management including risk identification, analysis and evaluation and propose appropriate treatments and controls to reduce information security risk, support business objectives and improve information security.
  • How to analyze and evaluate deployed risk treatments and controls to assess their effectiveness and opportunities for continual improvement.
  • How to analyze and evaluate the effectiveness of the ISMS through the use of internal audit and management review to continually improve the suitability, adequacy and effectiveness of the ISMS.
  • How to create, apply and evaluate the suitability, adequacy and effectiveness of documented information and records required by ISO/IEC 27001.
  • How to identify and apply appropriate corrective actions to maintain ISMS conformity with ISO/IEC 27001.
Exam format:
  • Objective Testing
  • 4 questions per paper with 20 marks available per question
  • 40 marks or more required to pass (out of 80 available) – 50%
  • 2 ½ hour duration
  • Open book    
db_ISO/IEC27001_auditor

ISO/IEC 27001 Auditor

Certify your expertise in performing audits against the ISO 27001 standard.

Information Management & Analysis
Who is ISO 27001 Auditor for?
  • Third-party auditors working for Certification Bodies, responsible for conducting audits which certify organizations against ISO 27001 and ISO 19011.
  • Internal auditors seeking to understand the specific requirements of auditing Information Security Management Systems needed to confirm that an organization conforms to the ISO 27001 or ISO 19011 standard.
What are the key things you will learn?
  • How to audit organizations to identify conformity with ISO 27001.
  • How to evaluate the principles of risk management - including risk identification, analysis and evaluation.
  • How to propose appropriate treatments and controls to reduce information security risk, support business objectives and improve information security.
  • Leading organizations through an audit program.
  • Directing audit teams.
  • Evaluating the effectiveness of applied corrective actions to maintain ISMS conformity with ISO 27001.
Exam format:
  • 40 questions
  • Multiple choice format
  • 120 minute duration
  • 20 marks or more required to pass (out of 40 available) - 50%
  • Open book: ISO/IEC 27001:2013, ISO/IEC 27002:2013, ISO 19011:2018, APMG ISO/IEC 27001 Suppmenentary Paper

Rate your experience with us...

FIND A TRAINING PROVIDER

Advanced options

SFIA Framework

Visit SFIA
The SFIA Framework is the global common reference for skills and competency for the digital world
SFIA is a globally recognised framework that “identifies skills needed for the Information age”. This APMG certification has been mapped against the SFIA Framework to help you see which certifications are most relevant to your professional development.
ISO/IEC 27001 Foundation
Knowledge
This certification confirms (endorsement)
Generic attribute Knowledge up to level 3, Audit level 3, Information Security level 3, Threat Intelligence level 2
...
This certification would be useful for (development)
Same as above plus Information Security level 4, Vulnerability Assessment up to level 3
...
ISO/IEC 27001 Practitioner - Information Security Officer
Knowledge
This certification confirms (endorsement)
Generic attribute Knowledge up to level 4, Generic attribute Business Skills up to level 4, Audit up to level 4, Information Security up to level 4
...
This certification would be useful for (development)
Same as above plus Information Security level 5, Audit level 5
...
ISO/IEC 27001 Auditor
Knowledge
This certification confirms (endorsement)
Generic attribute Knowledge up to level 4, Generic attribute Business Skills up to level 4, Audit up to level 5
...
This certification would be useful for (development)
Same as above
...

RELATED PRODUCTS

IT-Security Foundation

IT-Security Foundation

A complete overview of the fundamentals of IT Security

View more

NIST Cybersecurity Professional

Teaching organizations of any size, scale, or complexity an Affordable, Pragmatic, and Scalable approach to facilitating secure, resilient, and auditable digital outcomes.

View more
CIISec Product image

CIISEC - Information and Cyber Security Foundation (ICSF)

A brand new, entry level exam for Cyber Security from the Chartered Institute of Information Security (CIISec)

View more

CONTACT US

FAQs

What is ISO/IEC 27001?

ISO/IEC 27001 is an international standard for Information Security management. It provides a model to establish, implement, maintain and continually improve a risk-managed Information Security Management System (ISMS). It forms the basis for effective management of sensitive, confidential information and for the application of information security controls.

Do I have to receive training to sit the exam?

No, however this is recommended. In addition to receiving accredited training, individuals also have the option of self-study to prepare for the examinations. APMG-International administer public exam sessions around the world to accommodate those who self-study.

How can I train for the ISO/IEC 27001 examinations?

Training for ISO/IEC 27001 is available from the network of Accredited Training Organizations (ATOs) who are assessed and certified by APMG-International. The full list of ISO/IEC 27001 ATOs can be found at https://www.apmg-international.com . Only these organizations and registered partners/affiliates are authorized to deliver ISO/IEC 27001 training.

How do I sit the exam(s)?

Accredited Training Organizations (ATOs) usually include the examination as part of their training course – please check with your ATO before booking.

For those who self-study, the exam can be taken anywhere in the world, from the comfort of your home or workplace, with online proctoring.  A proctor will access your exam as you take it to monitor the exam environment through your computer's desktop, webcam and microphone.

Once you have booked an exam, you will be given a registration email to schedule an appointment with your live proctor via our Candidate Portal. Our online proctoring system allows you to take your exam anytime as sessions are available 24 hours a day, 7 days a week. For more information, please click here: https://apmg-international.com/exams

APMG also administers a limited number of public exam sessions at some of our regional offices. Click here for further information and to book an exam: https://publicexambookings.apmg-international.com/

How much does it cost to sit the ISO/IEC 27001 examination?

If you are sitting the examination through an accredited training organization, the cost of the exam is generally included in the course fee but please check with your training provider at the time of booking.

APMG-International use a global pricing structure, so if you are studying at home, the cost is dependent on where the country in which the exam is being sat. To find out the cost in your region, please

Are there any pre-requisites for the ISO/IEC 27001 examinations?

  • Foundation: there are no pre-requisites for this level
  • Practitioner Information Security Officer: The Foundation qualification is a pre-requisite for this level. APMG will also accept TÜV SÜD ISO/IEC 27000 Foundation or ICO-CERT ISMS 27001 Foundation.
  • Auditor: It is recommended (not mandated) that candidates hold the APMG ISO/IEC 27001 Foundation level (or equivalent qualification) before attending this course. The Auditor level assumes candidates have knowledge of the ISO/IEC 27001 and ISO 19011 standards, and their application in a given situation.

What are the main publications for ISO/IEC 27001 and where can I purchase them?

Foundation

The primary references for the Foundation qualification are the International Standards:

  • ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems – Requirements
  • ISO/IEC 27000:2018 Information technology -- Security techniques -- Information security management systems - Overview and vocabulary.

Other references are made to:

  • Supplementary reference paper for ISO/IEC 27001 Qualification.

The Foundation level requires knowledge of the requirements in ISO/IEC 27001:2022 and the terms, definition and concepts in ISO/IEC 27000:2018 as well as information in the supplementary reference paper as stated in the syllabus topic. It is essential that all delegates have access to a personal copy of ISO/IEC 27001:2022  and the Supplementary Reference Paper during any training course. Delegates should have access to a personal copy of ISO/IEC 27000:2018 or to the information referenced from it in this syllabus. Please note that the examination is closed book. The references provided should be considered to be indicative rather than comprehensive, i.e. there may be other valid references within the guidance.

For the primary reference, the relevant part of the standard is used as the major part of the reference and this is followed by the section number used e.g. ISO/IEC 27001, 4.2 relates to ISO/IEC 27001:2022 Clause 4.2.

The syllabus requires awareness of but does not require a detailed knowledge of other referenced standards:

  • ISO 9001:2015, Quality management systems — Requirements
  • ISO/IEC 20000-1:2018, Information technology – Service management - Part 1: Service management system requirements
  • ISO/IEC 27002:2022, Information technology -- Security techniques -- Code of practice for information security management
  • ISO/IEC 27003:2017, Information technology -- Security techniques -- Information security management systems guidance
  • ISO/IEC 27004:2016 Information technology -- Security techniques -- Information security management – Monitoring, Measurement, Analysis and Evaluation
  • ISO/IEC 27005:2022, Information technology -- Security techniques -- Information security risk management
  • ISO/IEC 27006:2015, Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems
  • ISO/IEC 27013:2015, Information technology -- Security techniques – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1.

Practitioner Information Security Officer

The primary references for the Practitioner – Information Security Officer course are the International Standards:

  • ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems – Requirements
  • ISO/IEC 27000:2018 Information technology -- Security techniques -- Information security management systems - Overview and vocabulary
  • ISO/IEC 27002:2022, Information technology -- Security techniques -- Code of practice for information security controls
  • ISO/IEC 27005:2022, Information technology -- Security techniques -- Information security risk management

Reference is made to ISO/IEC 27003:2017, Information technology -- Security techniques Information security management system implementation guidance. Candidates do not need their own copy of this standard as the relevant information is available in the Supplementary reference paper for ISO/IEC 27001 Qualification, Sections 5 and 6.

Candidates are allowed to have a printed or digital copy of the standards listed above during the exam. 

Syllabus topics at levels 3 and 4 provide the primary references but may also include any other topic from the syllabus area. It is essential that all delegates have access to a personal copy of ISO/IEC 27001:2022 and the Supplementary Reference Paper during any training course. Delegates should have access to a personal copy of ISO/IEC 27002:2013 and ISO/IEC 27005:2022. Please note that the examination is open book.

Auditor

The primary references for the ISO/IEC 27001 Auditor course are the International Standards:

  • ISO/IEC 27001:2022 Information technology -- Security techniques -- Information security management systems – Requirements
  • ISO/IEC 27000:2018 Information technology -- Security techniques -- Information security management systems - Overview and vocabulary
  • ISO/IEC 27002:2022, Information technology -- Security techniques -- Code of practice for information security management
  • ISO 19011:2018 Guidelines for auditing management systems
  • APMG ISO/IEC 27001 Supplementary Paper

Other references are made to the Supplementary reference paper for ISO/IEC 27001 Qualification.

It is mandatory that all delegates have access to a personal copy of these documents during their training and at the Examination.

Please note that Auditor examinations are open book. No content related individual notes in the used standards are permitted.

Syllabus topics at levels 3 and 4 provide the primary references but may also include any other topic from the syllabus area.

The references provided should be considered to be indicative rather than comprehensive, i.e. there may be other valid references within the guidance.

For the primary reference, the relevant part of the standard is used as the major part of the reference and this is followed by the section number used e.g. ISO/IEC 27001, 4.2 relates to ISO/IEC 27001:2013 Clause 4.2.

How long will it take to learn the ISO/IEC 27001 material?

For individuals self-studying it is almost impossible to say. As all candidates have different experience and amount of time available for study, it varies from person to person. We suggest you buy the manual and have a look through for yourself before deciding how long you need to spend learning.

For those studying with an accredited training organization, Foundation courses are generally delivered over 3 days, while combined Foundation and Practitioner courses are generally delivered over 5 days. It is well worth investigating with individual providers, as some will offer tailored, online or blended learning solutions.

What is the structure of the ISO/IEC 27001 examinations?

Summaries of the structure of the ISO/IEC 27001 Foundation, Practitioner Information Security Officer and Auditor examinations are below:

Foundation

  • Multiple choice format
  • 50 questions per paper
  • 25 marks or more required to pass (out of 50 available) – 50%
  • 40 minute duration
  • Closed book.

Practitioner Information Security Officer

  • Objective Testing
  • 4 questions per paper with 20 marks available per question
  • 40 marks or more required to pass (out of 80 available) – 50%
  • 2 ½ hour duration
  • Open book.
  • The exam is to be taken with the support of only the following British Standards,
    ISO/IEC 27000:2018
    ISO/IEC 27001:2022
    ISO/IEC 27002:2022
    ISO/IEC 27003:2017
    ISO/IEC 27005:2022

Auditor

  • Multiple choice exam, using mini scenario-based questions
  • 40 question paper
    • APMG ISO/IEC 27001 Supplementary Paper
  • The pass mark for candidates is 50% (20/40)
  • 120 minute duration
  • Restricted open book.
  • The following documents are allowed during the exam:

            ISO/IEC 27001:2013  

            ISO/IEC 27002:2013      

            ISO 19011:2018

Is there a sample paper that I can practice on?

Yes, all candidates can access a sample exam paper to practice on via the Candidate Portal. Access to the Candidate Portal is given once you have purchased a self-study exam or your ATO has registered your exam date and time with APMG.

When can I expect the results of my ISO/IEC 27001 examinations?

ISO/IEC 27001 Foundation examinations can be marked at the end of your exam with provisional results provided. Practitioner answer sheets are marked at APMG-International offices and results released soon after.

APMG will issue formal notification of your exam result once your exam paper has been received back into our office. All results will be made available in your Candidate Portal.

If you did not take your exam through an ATO, your results will be sent directly to you via the relevant APMG-International office approximately 7-10 days after the date of your exam.

When will I receive my certificate?

Candidates will automatically be sent an electronic certificate within two business days of their exam results being released. If you have not received your certificate within this timeframe please contact our Customer Interaction Team - servicedesk@apmg-international.com

Electronic certificates are environmentally friendly but can be printed if required. It is also very easy to share them with employers and other third parties. APMG will send you a link to your registered email address. This link will take you to your Candidate Portal where you will find your electronic certificate(s). You can always access all your electronic certificates using the APMG Candidate Portal.

How do I become an ISO/IEC 27001 trainer?

To be eligible to apply to become an ISO/IEC 27001 trainer, individuals must hold the certificate for the course that you wish to teach. All trainers must be ‘sponsored’ by an APMG accredited training organization. To find out more about becoming a trainer, please contact your local APMG representative: https://apmg-international.com/contact

How do I become an ISO/IEC 27001 accredited training organization (ATO)?

An organization wishing to become an ISO/IEC 27001 ATO must first contact our Service Desk. They will put you in touch with your local busines development manager who can discuss the accreditation process with you. 

Can I earn PMI® PDUs for attending an accredited training course?

It is possible to earn PMI Education PDUs for attending third-party provider training (training courses not offered by a PMI Authorized Training Partner), as long as the training meets the requirements around the skill areas of the PMI Talent Triangle. Please check the PMI website (https://www.pmi.org/certifications/certification-resources/maintain/earn-pdus/education) for further details on how to record your PDUs and what supporting evidence is required.

FIND ME A TRAINING PROVIDER

ISO/IEC 27001

Please tell us your training requirements and we'll find you a training provider

BECOME A TRAINING ORGANISATION

Please provide your company details to begin your journey to becoming accredited

Close

Certifications & Solutions

Accredited Training Organizations

Leadership

Accredited training providers

Certifications & Solutions

Select any filter and click on Apply to see results