In this five-day intensivecourse, the participants develop the competence to master the basic riskmanagement elements related to all assets of relevance for information securityusing the ISO/IEC 27005:2011 standard as a reference framework and the EBIOSmethod. The EBIOS (Expression des Besoins et Identification des Objectifs deSécurité) method was developed by ANSSI in France. Based on practical exercisesand case studies, participants acquire the necessary knowledge and skills toperform an optimal information security risk assessment and manage risks intime by being familiar with their life cycle. This training fits perfectly inthe framework of an ISO/IEC 27001:2005 standard implementation process.

Day 1: Introduction, risk management program according to ISO 27005

•Concepts and definitions related to risk management

Risk management standards, frameworks and methodologies 

Implementation of an information security risk management program

Understanding an organization and its context

Day 2: Risk identification and assessment, risk evaluation, treatment, acceptance, communication and surveillance according to ISO 27005

•Risk identification 

Risk analysis and risk evaluation

Risk assessment with a quantitative method

Risk treatment

Risk acceptance and residual risk management

Information Security Risk Communication and Consultation

Risk monitoring and review

Day 3: Exam and Start of a risk assessment with EBIOS

•Certified ISO/IEC 27005 Risk Manager Exam (2 hours)

Presentation of EBIOS

Phase 1 - Context establishment

Phase 2 – Feared security event analysis 

Phase 3 – Threat scenarios analysis

Day 4: Completing a risk assessment with EBIOS

•Phase 4 – Risk analysis

Phase 5 - Determination of security controls

Risk assessment with EBIOS software

Workshop with case studies

Day 5: Workshop with case studies and EBIOS exam

•Workshop with case studies

EBIOS Advanced exam (3 hours)

Prerequisites

A basic knowledge of risk management is recommended

Educational approach

•This training is based on both, theory and practice:

-Sessions of lectures illustrated with examples based on real cases

-Practical exercises based on case studies including role playing and oral presentation

-Review exercises to assist the exam preparation

-Practice test similar to the certification exam

To benefit from the practical exercises, the number of training participants is limited

Exam

•The “Certified ISO/IEC 27005 Risk Manager” exam fully meets the requirements of the PECB Examination and Certification Program (ECP). 

The “Certified ISO/IEC 27005 Risk Manager” exam covers the following competence domains:

-Domain 1: Fundamental concepts, approaches, methods and techniques of information security risk management 

-Domain 2: Implementation of an information security risk management program

-Domain 3: Information security risk assessment based on ISO 27005

The “Certified ISO/IEC 27005 Risk Manager” exam is available in different languages (the complete list of languages can be found by writting to examination@pecb.org)

The “Certified ISO/IEC 27005 Risk Manager” exam duration is 2 hours. 

The EBIOS Advanced exam duration is 3 hours. 

For more information about the exam, refer to the PECB section on ISO/IEC 27005Risk Manager Exams

Certification

•After successfully completing the “ISO/IEC 27005Risk Manager” exam, participants can apply for the credentials of Certified ISO/IEC 27005Provisional Risk Manager or Certified ISO/IEC 27005Risk Manager, depending on their level of experience. A certificate will be issued to participants who successfully pass the exam and comply with all the other requirements related to the selected credential

For more information about ISO/IEC 27005certifications and PECB certification process, refer to PECB section on ISO/IEC 27005 Risk Manager Certification

General information

•Exam and certification fees are included in the training price

The training material on EBIOS is only available in French and is based on ANSSI official training material

A copy of the official documentation on EBIOS published by ANSSI is given to participants together with a student manual containing over 400 pages of information and practical examples

A participation certificate of 35 CPD (Continuing Professional Development) credits is awarded to the participants

In case of failure of an exam, participants are allowed to retake the exam for free under certain conditions

ISO/IEC 27005 is a guidance standard on risk management and it is not a certifiable standard for an organization

"Taken from PECB <https://pecb.com

Risk managers 
Persons responsible for information security or conformity within anorganization
Members of the information security team
IT consultants
Staff implementing or seeking to comply with ISO 27001 and involved in a riskmanagement program based upon the EBIOS method

To understand the concepts, approaches, methods andtechniques allowing an effective management of risk according to ISO 27005
To interpret the requirements of ISO 27001 on information security riskmanagement
To develop the necessary skills to conduct a risk assessment with the EBIOSmethod
To master the steps to conduct a risk assessment with the EBIOS method
To understand the relationship between the information security riskmanagement, the security controls and the compliance with the requirements ofdifferent stakeholders of an organization
To acquire the competence to implement, maintain and manage an ongoinginformation security risk management program according to ISO 27005 
To acquire the competence to effectively advise organizations on the bestpractices in information security risk management