In 2018:
  • Zygma completed 25 years of continuous independent operations
  • Drafted and edited Kantara's NIST SP 800-63 rev.3 IAL2/AAL2 Service Assessment Criteria
  • Managed on behalf of a client the first SP 800-63 rev.3 service assessment; the service was the first to receive Kantara's "NIST 800-63 rev.3" Approval
  • Performed three Kantara Service Assessments, each resulting in a Grant of Approval
  • Transitioned to operating as an S-Corporation

Course: Certified ISO 27001 Lead Auditor (IS27001LA)
Mastering the Audit of an Information Security Management System (ISMS) based on ISO 27001


This five-day intensive course develops the expertise required to audit an Information Security Management System (ISMS) based on ISO/IEC 27001:2005 and to manage a team of auditors by applying widely-recognized audit principles, procedures and techniques.  Participants will also acquire the knowledge and skills needed to proficiently plan and perform internal and external audits of ISO 27001-conformant ISMS.  Based on practical exercises, the participant will develop the skills (mastering audit techniques) and competencies (managing audit teams and audit program, communicating with customers, conflict resolution, etc.) necessary to conduct an audit objectively and efficiently.


Who should participate?
  • Internal auditors wanting to perform and lead Information Security Management System (ISMS) audits
  • Auditors wanting to perform and lead Information Security Management System (ISMS) certification audits
  • Project managers or consultants wanting to master the Information Security Management System audit process
  • Those responsible for information security and/or GRC within an organization
  • Members of an information security team
  • IT Subject Matter Experts & Advisors
  • Technical experts wanting to prepare for an Information security audit function


Learning objectives

Participants will develop the skills for, and therefore an understanding of:

  • performing an ISO 27001 internal audit as specified by ISO 19011, ISO 17021 and ISO 27006
  • managing an ISMS audit team
  • applying an information security management system in the context of ISO 27001
  • the relationship between an Information Security Management System (including risk management, controls and compliance) and the interests of the various stakeholders associated with the ISMS
  • analyzing the internal and external environment of an organization, risk assessment and audit decision-making in the context of an ISMS


Course outline

Day 1: Introduction to the management of an Information Security Management System (ISMS) based on ISO 27001

  • Normative, regulatory and legal frameworks relating to information security
  • Fundamental principles of information security
  • The ISO 27001 certification process
  • An Information Security Management System (ISMS)
  • Detailed presentation of the essential requirements of ISO 27001

Day 2: Planning the audit of an ISO 27001-conformant ISMS

  • Fundamental audit concepts and principles
  • Audit approach based on evidence and on risk
  • Preparation of an ISO 27001 certification audit
  • Documenting an ISMS audit
  • Conducting an opening meeting

Day 3: Conducting an ISO 27001 audit

  • Communication during the audit
  • Audit procedures: observation, document review, interview, sampling techniques, technical verification, corroboration and evaluation
  • Drafting test plans
  • Formulation of audit findings
  • Drafting nonconformity reports

Day 4: Concluding and ensuring the follow-up of an ISO 27001 audit

  • Audit documentation
  • Quality review
  • Conducting a closing meeting and concluding an ISO 27001 audit
  • Evaluation of corrective action plans
  • Surveillance audit
  • Audit management program
  • Internal audit and second party audit

Day 5: Examination


Prerequisites

ISO 27001 Foundation certification, or a general understanding of ISO 27001 and ISO 27002 (meaning you should understand the scope, structure, purpose and content of those documents without being expected to quote clause numbers, titles or verbatim text from them).


Tutoring Approach

The course consists of a presentation of the source material, with examples based on real cases, interspersed with practical exercises based on a full case study that includes role plays and narrative presentation. These exercises help prepare participants for the examination, which is taken on the fifth day.

Given the number of practical exercises, the number of training participants may be limited.


Examination and Certification

The “ISO 27001 Lead Auditor” examination lasts 3 (three) hours and fully meets the requirements of the PECB Examination Certification Programme (ECP). The exam covers the following competence domains:

Domain 1: Fundamental principles and concepts of information security

Domain 2: Information Security Management System (ISMS)

Domain 3: Fundamental Audit Concepts and Principles

Domain 4: Preparation of an ISO 27001 audit

Domain 5: Conduct of an ISO 27001 audit

Domain 6: Closing an ISO 27001 audit

Domain 7: Managing an ISO 27001 audit program

After successfully completing the examination, participants may apply for an ISO 27001 Provisional Auditor, ISO 27001 Auditor or ISO 27001 Lead Auditor credential, depending on their level of professional experience. These credentials are available for both internal and external auditors. Certification will be granted to participants who successfully pass the examination and comply with all other requirements related to this credential.


Certification Experience Requirements

The table below shows the professional experience required for each of the ISO 27001 Auditor Certifications.

Certification                              Professional Experience                        ISMS-specific Experience
Certified ISO 27001 Provisional Auditor    None                                           None
Certified ISO 27001 Auditor                2 years total; 1 year in information security  200 hours of ISMS audit
Certified ISO 27001 Lead Auditor           5 years total; 2 years in information security 300 hours of ISMS audit

For Certification purposes, the following audit types constitute valid auditing experience:

  • Pre-assessment/pre-audit
  • Gap analysis
  • Internal audits
  • Second party audits
  • Third-party/external audits
  • Opinion audits

To be considered valid, auditing activities should follow best audit practices and include most of the following activities:

  • Audit planning
  • Audit interviews
  • Managing an audit program
  • Drafting audit reports
  • Drafting non-conformity reports
  • Drafting audit working documents
  • Documentation review
  • On-Site Audit
  • Non-conformity follow-up actions
  • Leading an auditor team

In addition, all applicants for Certification will be required to sign and to uphold PECB's Code of Ethics and should also make themselves aware of the applicable Rules & Policies.  Further details may be found here: PECB: Certification & Examination Process.


General Information

Each participant will receive:

  • a student manual containing over 450 pages of information and practical examples
  • a 31 CPE (Continuing Professional Education) participation certificate

All examination and certification charges are included in the course fee.


© 1993 - 2018 Zygma Incorporated    Telephone: +1 714 797 99 42    Email: Enquiries @
All Zygma services are provided in accordance with its Ethics Policy.
Note - if you are submitting an enquiry or expect to receive email from us, please ensure that your spam filtering will accept mail from the domain ''