Bureau Veritas - ISO 27001, GDPR and LOPDGDD
A review of the education offered by Bureau Veritas
Intro
Recently, I decided to start learning about the ISO 27001 security standard. Among the different education providers available in Spain, I opted for Bureau Veritas. Their education offer regarding the standard could be summarized as follows:
The Lead Auditor course required previous knowledge of the standard, hence this wasn’t an option for me. On the other hand, the Internal Auditor education path encompassed the ISO 27001 introduction course, along with a course focused on auditing information security management systems.
Therefore, this was the right choice for me.
However, digging a bit further into their education offer, I found a bundle containing:
- The Internal Auditor Education path earlier mentioned
- GDPR + 🇪🇸 LOPD
- Cybersecurity and cyber-terrorism essentials
Being able to educate myself not only on ISO 27001, but also a bit on data protection from a Spanish/European perspective, definitely piqued my interest. Thus, this ended up being my final choice, which I will review in the sections down below.
Course
ISO 27001
The Internal Auditor education path comprises 2 modules with the following lessons:
- Module 1: Information Security Management Systems ISO 27001
  - Importance of ISO 27001 in an Information Security Management System
  - Analysis and review of ISO 27001:2022
  - Needs and expectations within the organization: Leadership and commitment by management
  - Planning and resource management for the Information Security Management System
  - Evaluation of the performance and improvement processes in an Information Security Management System
  - Implementation of ISO 27001:2022 in an Information Security Management System
- Module 2: Audit and Certification of Information Security Management Systems
  - International quality infrastructure
  - Key facts on audits
  - Audit program: development and execution
  - Field audit
  - Communication and results
  - Auditor profile
The first module gives an overview of ISO 27001 and information security management systems.
The second one entails a deep dive into the audit process itself, which is the one I found the most interesting.
At the end of each module’s lesson you are required to pass a simple quiz in order to move on to the next lesson. However, rather than a tool to test your knowledge, these quizzes are more of a “logic block” preventing you from jumping between lessons, or even modules. You can’t start modules 3 or 4 before completing the first two.
There were optional assignments which I found truly helpful to solidify my knowledge.
Most of them consisted of realistic audit case scenarios, which forced me to review the lessons and reflect on the audit process itself. Therefore, if a reader decided to enroll in this course, I would strongly recommend completing the optional assignments.
You can send them to the teacher via direct message for further review and feedback.
Additionally, I would advise buying a copy of the standard, or borrowing one from a public library. While it’s entirely possible to complete the course without the ISO text, reading the whole specification alongside the course and assignments will deepen your knowledge of the standard.
Upon completing the 2 modules and the optional assignments, the student should be more than prepared to take the exam. The exam consists of an internal audit case scenario according to the ISO 27001:2022 norm.
There’s a 45-minute limit, and 2 possible results, PASS/FAIL. No proctoring, fortunately. While I understand the purpose of proctoring in order to prevent cheating, it’s far from being a pleasant experience. I would rather take an exam in person than a proctored one.
Regarding my exam experience, I took the proper time at the beginning to evaluate the case scenario based on the norm, then proceeded to compile my findings on the final report. In fact, I submitted my exam with only 2 minutes left.
Still, it’s truly doable to submit the exam way before its deadline. I simply wanted to ensure a proper understanding of the case scenario at the beginning, along with a thorough review of the norm, so that I wouldn’t miss any deficiency.
It took no more than 2 days to receive the results: I had passed the exam. The sweet irony is that I didn’t wait for the teacher’s feedback on the optional assignments before attempting the exam. I knew I had 2 attempts at my disposal, so that made the decision way easier.
Overall, I was satisfied with the quality of the 2 modules, assignments, exam, and the training provided.
Data protection
This module comprised the following lessons:
- Data Protection: GDPR and LOPDGDD
  - Legal regulation of Data Protection
  - Fundamentals, Principles and Legitimation of Data Protection
  - User rights: ARCO rights
  - New GDPR Rights: Right to be Forgotten, Data Portability and Restriction of Processing
  - Personal Data Security: Proactive Responsibility
  - Security Measures: Register of Processing Activities
  - Analysis and Risk Management of Personal Data
  - International Data Transfers
  - Data Protection Officer
  - Supervisory Authorities
This module is heavier on law than the previous ones. Still, I found the subject to be pretty interesting. The student will gain an overview of data protection rights in the Spanish and European legal context, which can serve as a basis for further education on the subject.
As a citizen, I believe it’s useful to know the data protection rights I am entitled to, which quite often happen to be buried in lengthy documents full of technical and legal jargon.
Nevertheless, there are some points worth addressing:
Besides the quizzes at the end of each lesson, there are no optional assignments to reinforce your knowledge. I would have personally enjoyed a few case scenarios in order to interpret the law and apply it accordingly.
You may find outdated references which no longer apply under the current legislation. Therefore, it’s advisable to study the module alongside the current text of the GDPR and the LOPDGDD, to make sure you are working from the law as it stands today.
Despite the cons outlined above, I would still recommend this module to anyone willing to acquire an introductory understanding of data protection rights in a Spanish and European context.
Cybersecurity and cyber-terrorism essentials
The last module entails the following lessons:
- Cybersecurity and cyber-terrorism essentials
  - Scope, definitions and principles of security in the digital world
  - Prevention, detection patterns and cybersecurity intelligence
  - Data science and ethical hacking
  - Cybersecurity legislation
  - Cybercrime and the black economy
  - Cyberattacks, cyber-terrorism and critical infrastructure
I will be brief on this one. This is pretty much an introductory course aimed at people without knowledge or experience in the field. Besides a few historical references I wasn’t aware of, I couldn’t extract any meaningful value out of it, nor am I able to provide an objective review of it.
Overall impression
I would absolutely recommend this bundle to anyone willing to gain a proper understanding of the ISO 27001 standard, the process behind an internal audit, plus an introductory overview of data protection rights in Spain and Europe.
Next steps
Mastermind offers an “ISO 27001 Lead Auditor” self-paced certification course and exam for free.
Ref: https://learn.mastermindassurance.com/products/courses/iso-27001-lead-auditor
I will share my impressions of the course in a new blog post once I finish it.