In this five-day intensive course, the participantsdevelop the competence to master the basic risk management elements related toall assets of relevance for information security using the ISO/IEC 27005:2011standard as a reference framework and MEHARI method. The MEHARI method wasdeveloped by “Club de la Sécurité des Systèmes d’Information Français” (CLUSIF)in France. Based on practical exercises and case studies, participants acquirethe necessary knowledge and skills needed to perform an optimal informationsecurity risk assessment and manage risks in time by being familiar with theirlife cycle. This training fits perfectly in the framework of an ISO/IEC27001:2005 standard implementation process

Day 1: Introduction, risk management program according to ISO 27005

•Concepts and definitions related to risk management

Risk management standards, frameworks and methodologies 

Implementation of an information security risk management program

Understanding an organization and its context

Day 2: Risk identification and assessment, risk evaluation, treatment, acceptance, communication and surveillance according to ISO 27005

•Risk identification 

Risk analysis and risk evaluation

Risk assessment with a quantitative method

Risk treatment

Risk acceptance and residual risk management

Information Security Risk Communication and Consultation

Risk monitoring and review

Day 3: Exam and Start of a risk assessment with MEHARI

•Certified ISO/IEC 27005 Risk Manager Exam (2 hours)

Presentation of MEHARI

Assessment and classification issues

Overview of the process

The value chain for failures

Classification of resources

Day 4: Assessment of vulnerabilities and risk, according to MEHARI

•Assessment of the vulnerabilities

Qualities of a security service

Measuring the quality of a security service

Evaluation process

Risk assessment

Day 5: Security planning according to MEHARI & Exam

•Security plans and procedures

Tools to support the implementation of MEHARI

The “MEHARI advanced” exam (3 hours)

Prerequisites

A basic knowledge of risk management and the MEHARI method is recommended.

Educational approach

•This training is based on both, theory and practice:

-Sessions of lectures illustrated with examples based on real cases

-Practical exercises based on case studies 

-Review exercises to assist the exam preparation

-Practice test similar to the certification exam

To benefit from the practical exercises, the number of training participants is limited

Exam

•The “Certified ISO/IEC 27005 Risk Manager” exam fully meets the requirements of the PECB Examination and Certification Program (ECP). 

The “Certified ISO/IEC 27005 Risk Manager” exam covers the following competence domains:

-Domain 1: Fundamental concepts, approaches, methods and techniques of information security risk management 

-Domain 2: Implementation of an information security risk management program

-Domain 3: Information security risk assessment based on ISO 27005

The training " Risk assessment with MEHARI method” including exam is labeled by CLUSIF

The “Certified ISO/IEC 27005Risk Manager” exam is available in different languages (the complete list of languages can be found in the examination application form)

Duration: 3 hours 

For more information about the exam, refer to the PECB section on ISO/IEC 27005 Risk Manager Exams

Certification

•After successfully completing the “ISO/IEC 27005 Risk Manager” exam, participants can apply for the credentials of Certified ISO/IEC 27005 Provisional Risk Manager or Certified ISO/IEC 27005 Risk Manager, depending on their level of experience. A certificate will be issued to the participants who successfully pass the exam and comply with all the other requirements related to the selected credential

A certificate of “MEHARI Advanced” will be issued to the participants who successfully pass the exam and comply with all the other requirements related to this credential

For more information about ISO 27005certifications and PECB certification process, refer to the PECB section on ISO/IEC 27005Risk Manager Certification

General information

•Exam and certification fees are included in the training price

An educational version of the software "Risicare” is given to the participants and a copy of the official MEHARI documentation published by the CLUSIF

A student manual containing over 400 pages of information and practical examples are given to participants

A participation certificate of 35 CPD (Continuing Professional Development) credits is awarded to the participants

In case of failure of an exam, participants are allowed to retake the exam for free under certain conditions

ISO/IEC 27005 is a guidance standard on risk management and it is not a certifiable standard for an organization

"Taken from PECB <https://pecb.com

Risk managers 
Persons responsible for information security or conformity within anorganization
Members of the information security team
IT consultants
Staff implementing or seeking to comply with ISO 27001 and involved in a riskmanagement program based upon the MEHARI method

To understand the concepts, approaches, methods andtechniques allowing an effective management of risk according to ISO 27005
To interpret the requirements of ISO 27001 on information security riskmanagement
To develop the necessary skills to conduct a risk assessment with the MEHARImethod
To master the steps to conduct a risk assessment with the MEHARI method
To understand the relationship between the information security riskmanagement, the security controls and the compliance with the requirements ofdifferent stakeholders of an organization
To acquire the competence to implement, maintain and manage an ongoinginformation security risk management program according to ISO 27005 
To acquire the competence to effectively advise organizations on the bestpractices in information security risk management