How to learn about ISO 27001 and BS 25999-2

Training is certainly one of the best ways to facilitate your ISO 27001 and BS 25999-2 implementation. As there are more and more types of courses available, I’ll try to explain their benefits and the differences between them.

The first is the list of in-person courses – these courses are still prevalent, but steadily losing share in favour of online courses (explained at the end of this article).

ISO 27001 or BS 25999-2 Lead Auditor Course

This is the most popular course for either ISO 27001 or BS 25999-2 – it lasts 5 days, and finishes with a written exam. The exam is quite difficult, so one could consider that this is the top course for those two standards. If you do pass the exam, you can become an auditor for a certification body, but that is not its main benefit – it is the most useful for professionals implementing the standards because it gives an excellent overview of the standards and provides in-depth explanations of what the certification auditors will ask for at the certification audit. Therefore, it is useful for both auditors and implementers.

The target audience for this course are professionals with moderate or significant experience in information security, business continuity, auditing or IT. You should choose only accredited courses (e.g. by IRCA).

ISO 27001 or BS 25999-2 Lead Implementer Course

This course is somewhat similar to, but not so popular as ISO 27001 or BS 25999-2 Lead Auditor Course. The difference is that it focuses on implementation techniques rather than auditing techniques – therefore, if the certification is not your concern, you may find this course more suitable.

Here the target audience is similar – professionals with moderate or significant experience in information security, business continuity or IT.

ISO 27001 or BS 25999-2 Internal Auditor Course

This course is a “light” version of ISO 27001 or BS 25999-2 Lead Auditor Course – it usually lasts 2 or 3 days, could be with or without an exam, and the content is a condensed version of Lead Auditor Course. The main difference is that with this course you cannot pursue a career as an auditor in a certification body; however, if you want to get a systematic introduction to the world of ISO 27001 or BS 25999-2 or you plan to be an internal auditor in your company, this course is the right choice for you.

The target audience are professionals with little or moderate experience in information security, business continuity or IT.

ISO 27001 or BS 25999-2 Foundation Course / Introduction Course

These courses usually last for one or two days – their purpose is not to teach you about auditing or implementation techniques, but to give you an overview of the requirements and implementation issues. If you don’t have a lot of time to spare and you want to know what you company will be experiencing during implementation, do think about one of these courses.

The target audience are members of the management, or professionals with no experience in information security or business continuity.

Other information security / business continuity courses

You may have heard of Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) or Certified Information Systems Security Professional (CISSP) – although I consider these courses very useful for your information security or business continuity career, they are not directly relevant to ISO 27001 or BS 25999-2. Therefore, you should attend CISA, CISM and/or CISSP after you complete courses directly related to the two standards.

Online courses

In addition to the above mentioned in-person courses, online courses (either in the form of e-learning or live webinars) are becoming increasingly popular, partly because of the lower costs – no travelling expenses, no lost time away from office. There are more and more vendors on the Internet, offering more and more quality content (including our 27001Academy) – you can find courses lasting from 1 hour (e.g. free webinars) to a few weeks (e.g. e-learning courses).

The main benefit of online courses is that you can receive more relevant knowledge in a shorter period of time and for less money, although the question of real effectiveness of such courses still remains unanswered.

But, regardless of which form or type of course you take, be sure about one thing – the return on investment will show very quickly.

Check out this free online training ISO 27001 Foundations Course that explains every step in ISO 27001 implementation.

Advisera Dejan Kosutic
Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.