PECB - ISO 27001 Lead Implementer

A review of the certification offered by PECB

Intro

As I shared in my earlier blog post, the end of my ISO 27001 journey was approaching. I had already studied the standard from an audit perspective (both internal and lead), and the last piece of the puzzle was the implementation of an Information Security Management System.

Eventually, after studying the different training options available, I settled on the PECB ISO/IEC 27001 Lead Implementer certification. However, based on feedback gathered from Reddit, it seemed advisable to first enroll in Aron Lange’s Udemy course ISO/IEC 27001:2022 Lead Implementer.

Therefore, I will start with a review of Aron Lange’s Udemy course before focusing on PECB’s training.

Aron Lange’s Udemy Course

Price warning

As the reader might already be aware, Udemy offers discounts most of the time. In the unlikely event that no discount is available at the time of purchase, either look for a coupon code or try again later. There’s no need to pay the full price of 70€!

Course content

The course spans a total of 11.5 hours of video, with the first 5 sections providing an introduction to the course, its resources, basic information security concepts, ISO 27001, and the implementation project used for the practical assignments.

The next sections reflect the 12-step ISMS implementation approach followed by the course author.

Studying the standard from an audit perspective often felt philosophical, raising questions about how an ISMS could actually be implemented. I might be able to go through the standard, tick checkboxes, and detect non-conformities in case scenarios. However, I simply couldn’t grasp how to implement the ISMS.

The 12-step ISMS implementation approach, combined with the template resource files provided for each step of the process, helped to fill that void of uncertainty. It definitely felt like I could take those template files and attempt the implementation of an ISMS.

The remaining sections briefly cover each of the Annex A controls, along with their purpose. I would encourage the reader to skip this part of the course, since I didn’t find it that helpful. Rather than watching it at 2x speed, it would be more useful to read the Annex A controls directly.

Besides the theory, the course offers quizzes at the end of each section, practical assignments, and a test exam. I didn’t do any of the practical assignments, so they are not a requirement for preparing for the PECB certification. The quizzes and the test exam were useful for testing my knowledge of the standard before and after taking the course.

Below is a detailed outline of the course content, followed by my final impression.

Content outline

  • Introduction:
    • Course Introduction
    • Course Resources
    • Chapter 1: Information Security Fundamentals
    • Chapter 2: ISO/IEC 27001:2022
    • Chapter 3: Implementation Project
  • ISMS Implementation:
    • Step 1: Management Support
    • Step 2: Scope of the ISMS
    • Step 3: Gap Analysis
    • Step 4: Information Security Policy
    • Step 5: Competence Assurance
    • Step 6: Inventory of Assets
    • Step 7: Risk Management Methodology
    • Step 8: Information Security Risk Assessment
    • Step 9: Information Security Risk Treatment
    • Step 10: Performance Evaluation
    • Step 11: Improvement
    • Step 12: Certification Audit
  • Annex A:
    • Organizational Controls
    • People Controls
    • Physical Controls
    • Technological Controls
  • Practice Exam
  • Bonus Lecture

Impression

I would recommend this course to anyone interested in learning how to implement an ISMS according to ISO 27001.

This is especially because of the value provided by the template resource files for each step of the implementation process. They make the implementation process feel more realistic and doable to the student, as opposed to a purely theory-based learning methodology.

PECB - ISO 27001 Lead Implementer

Training options

There are 4 training options provided by PECB partners:

  • Onsite
  • Live online
  • E-learning
  • Self-study

The last two options might appear to be the same, but there’s a small difference to take into consideration: e-learning training includes videos and PDF slides, while self-study only includes the PDF content. Therefore, it would be advisable to buy the e-learning training if that option is available for the course in question.

PECB partners

It should be noted that access to the course material is provided through the official PECB KATE app. In the end, you get access to the content through the same official channel regardless of which PECB partner you purchased the training from.

However, prices may actually differ between partners. As an example, a PECB partner (whose name I won’t disclose) offered the “ISO/IEC 27001:2022 Lead Implementer E-Learning in English” training for 900€. After some Reddit digging, I found the same course for only 493€ on Mindsetcyber!

I should emphasize that I am neither affiliated with nor sponsored by Mindsetcyber. My sole interest is sharing the best provider I found on Reddit.

Purchasing the e-learning course through a PECB partner should include at least the following:

  • Access to video content and PDF slides on PECB KATE
  • 2 exam attempts
  • Certification fees

Course

The self-study training content is structured as 5 days, reflecting the agenda of the onsite/live-online training.

  • Day 1: Introduction to ISO/IEC 27001 and initiation of an ISMS implementation
  • Day 2: Implementation plan of an ISMS
  • Day 3: Implementation of an ISMS
  • Day 4: ISMS monitoring, continual improvement, and preparation for the certification audit
  • Day 5: Certification exam

It should be noted that you can take the exam at any time. There’s no need to rush through the content in 4 days.

As part of my preparation, I decided to watch the videos on a first pass, then read the PDF materials afterwards in order to deepen my knowledge. However, the video experience was far from pleasant, for the following reasons:

  • The KATE app doesn’t offer an option to display captions. Since I am a non-native English speaker, there might be certain bits I wouldn’t catch properly despite my best efforts at replaying. On a side note, I believe captions should be added to any application from an accessibility perspective.

  • There’s no option to increase the playback speed either. While I rarely increase the speed of videos (I don’t like watching people speak at 1337x), some of the instructors spoke way too calmly for my taste, forcing me to reconsider my YouTube principles.

  • I felt the instructors were reading slides most of the time, except for a few instances where additional insights were provided.

Based on my experience, I wouldn’t recommend watching the videos (at least for this course). The only reason I watched the 14-hour “ISOnic 27001” movie was to follow my original preparation plan till the end, along with gaining peace of mind in case there was some useful information in there.

Unfortunately, I didn’t miss anything.

The experience was completely different with the PDF content, though. I found it to be well detailed, as opposed to a generic slide deck where the information gaps are filled in by the instructor. The PDF material is definitely more than enough to prepare for the certification.

Exam

The exam is open-book, which means you can check the course content through the PECB Exams app, including the notes you saved in the PECB KATE app. Remember to close the KATE app before the exam; otherwise you won’t get access to the course content and notes.

While some redditors advised printing and binding the course material, I managed perfectly well with the PDF slides in the Exams app. You can’t use Ctrl-F to search the content though, so I would suggest printing the course index. This should allow you to locate content more quickly.

I had a printed copy of the standard with me as well.

The online exam is proctored, and you are required to be present 30 minutes before the scheduled time so your identity can be verified. The irony, though, is that after finishing the verification process in merely 5 minutes, I found myself looking at a 25-minute countdown before I could start my exam.

I don’t like proctored exams, but I must say that once the exam starts, you eventually forget about the proctor.

The exam duration is 3 hours, though if you take the exam in a non-native language, you should be allocated 30 extra minutes. Such a long exam can be tiring, especially early in the morning.

Regarding the format, it’s multiple-choice, combining case-scenario questions with standard ones. In retrospect, as a strategy, I would suggest tackling the standard questions first. This should help to ease your mind as you see the number of answered questions go up quickly.

Two additional pieces of advice:

  • Don’t overthink the questions, but pay attention to details.
  • Keep an eye on the remaining time, especially if you still need to start working on other case scenarios.

I personally finished all the questions with only approximately 20 minutes left. Normally, as a rule of thumb, I would review all my answers before finishing an exam. In this case, I was so tired that the mere thought of reviewing 80 questions made me even sleepier.

You need a 70% score to pass, so I simply decided to submit my exam and check the results.

I got 71 out of 80 questions correct, so I passed.

P.S. Don’t forget to close the app after finishing your exam! The proctor could still see my “I am done with this” face right after I checked my results.

(Over)Preparation

This is the preparation plan I followed in chronological order:

  • Aron Lange’s Udemy Course (including test exam).
  • PECB Videos.
  • PECB quizzes, relying solely on my own knowledge.
  • PECB PDF content.
  • PECB quizzes (again), relying solely on my own knowledge.
  • Aron Lange’s Udemy Course test exam.
  • PECB quizzes checking the content, in order to ensure I would be able to find the required information within the course material, if needed.

In all honesty, this was overkill. By the end I felt iso-toxicated, if such a word actually exists and doesn’t constitute a major non-conformity for a grammar auditor. On top of that, I already had knowledge of the standard from the internal and lead auditor courses I had recently completed.

In the end, this is an onsite/online course meant to be completed in 4 days before taking the exam. Therefore, such a level of preparation is just not necessary. I would rather recommend the following preparation plan to any potential student:

  • PECB PDF content.
  • PECB quizzes, using your own knowledge.
  • Read ISO 27001:2022.
  • PECB quizzes checking the content, in order to ensure you are able to find the required information within the course material, if needed.

While I highly praised Aron Lange’s course above, you can definitely pass the exam without it. As long as you read the PDF content and, most importantly, understand the core and philosophy of the standard, you should be more than prepared.

Impression

Overall, I recommend this course to anyone willing to learn how to implement an ISMS and, most importantly, to get certified as an ISMS implementer. However, if you are not interested in a certification and only seek the knowledge, Aron Lange’s Udemy course might be a better option.

Additionally, the line between implementation and audit training happens to be quite blurry. In the end, both options aim to convey a proper understanding of ISO 27001, the only difference being a slight focus towards either ISMS implementation or auditing.

After taking both trainings, I believe an ISO 27001-trained auditor could work on the implementation of an ISMS, and at the same time a trained ISMS implementer could shift towards an audit role. Both roles share the same core knowledge, which is the body of the standard.

Consequently, while it might seem contradictory to the reader, if I enroll in any additional ISO training in the future, I will definitely focus on only one aspect (audit or implementation). The net benefit of taking both trainings seems quite negligible beyond certifying your knowledge of an ISO standard twice.

This post is licensed under CC BY 4.0 by the author.