This course combines structured theory with practical, scenario-based application. Participants work through realistic examples and conclude with a comprehensive Information Security Risk and Control Matrix that can be directly applied to implementation, assurance, or audit activities.
Topics Covered
Day 1 – Theory: Information Security Normative Requirements
Overview of the Information Security Management System (ISMS)
- Purpose and structure of the Information Security standard
- Relationship to information security governance, risk management, and assurance
- Overview of the Plan-Do-Check-Act (PDCA) cycle
Context and Leadership
- Understanding organisational context and interested parties
- Defining ISMS scope
- Leadership responsibilities, Information Security policy, and accountability
Planning and Support
- Information Security risk assessment and risk treatment planning
- Risk criteria, acceptance, and documentation requirements
- Resources, competence, awareness, and documented information
Operation, Performance Evaluation, and Improvement
- Operational planning and control
- Monitoring, measurement, internal audit, and management review
- Nonconformity management, corrective action, and continual improvement
Day 2 – Practical Application and Hands-On Exercises
Applying Information Security Controls in Practice
- Overview of the Information Security control suite
- Selecting controls based on risk, business priorities, and maturity
- Worked examples covering selected technical, organisational, and people-related controls
Control Implementation and Assessment Exercises
- Evaluating control design and intent
- Mapping controls to risks and control objectives
- Identifying common implementation and assurance gaps
Capstone Practical Exercise – Information Security Risk and Control Matrix Project
- Building an end-to-end Information Security Risk and Control Matrix
- Linking risks, controls, control objectives, and evidence
- Using the RCM to support implementation, internal audit, and certification readiness
Learning Outcomes
By the end of this two-day course, participants will be able to:
- Understand and interpret the requirements of ISO/IEC 27001, the international standard for Information Security management, and how those requirements are used to establish, operate, monitor, and continually improve an Information Security Management System (ISMS).
- Explain the intent and practical application of the Information Security standard’s clauses, including context, leadership, planning, support, operation, performance evaluation, and improvement.
- Apply risk-based thinking to identify information security risks, define risk criteria, and select appropriate risk treatment options in line with Information Security expectations.
- Select and justify Information Security controls from the available suite of controls based on risk assessment outcomes and organisational context.
- Assess the design and alignment of Information Security controls to business objectives, regulatory obligations, and stakeholder expectations.
- Develop a comprehensive Information Security Risk and Control Matrix (RCM) that integrates risks, controls, control objectives, and assurance considerations.
Course information:
IIA-Australia Member: $660.00 AUD
IIA-Australia Non-member: $795.00 AUD
Knowledge Level: Intermediate
CPE Points: 7
Delivery Format: Facilitator-led training via Zoom (Note: This training program will be delivered in two 4-hour lessons, over two days using Zoom. Registrations will be strictly limited to 15 participants to allow maximum interaction in the online environment.)
Facilitator: Aamir Husain PMIIA CIA – Consultant and Lead Auditor, GCC Australia and VIC Chapter Chair 2023-2025, IIA-Australia

Aamir is a highly experienced GRC professional and trainer, specialising in practical, hands-on delivery of large-scale regulatory remediation programs, including technology risk management improvements. With senior leadership experience across the financial services, fintech, and legal sectors, he brings deep expertise in internal audit, risk, compliance, and technology risk. Aamir is recognised for turning complex regulatory and technical requirements into clear, actionable solutions that work in real operating environments. He holds a BCom (Hons), MBA, FCPA, CIA, and CISA, and is currently pursuing his CISSP.