Training Module
Auditing ISMS Risk Management
Understand how to audit asset–threat–vulnerability logic, risk treatment decisions, and traceability to controls and the Statement of Applicability
Training Module
Auditing ISMS Risk Management
Understand how to audit asset–threat–vulnerability logic, risk treatment decisions, and traceability to controls and the Statement of Applicability
Training Module
Auditing ISMS Risk Management
Understand how to audit asset–threat–vulnerability logic, risk treatment decisions, and traceability to controls and the Statement of Applicability
Move from checking risk registers to judging risk reasoning and treatment choices
In many audits, risk management looks “complete” on paper but breaks down when you follow one risk from context to treatment and control operation. This module builds a practical audit lens for testing whether risk reasoning is credible, decisions are explainable, and traceability holds under scrutiny.
Move from checking risk registers to judging risk reasoning and treatment choices
In many audits, risk management looks “complete” on paper but breaks down when you follow one risk from context to treatment and control operation. This module builds a practical audit lens for testing whether risk reasoning is credible, decisions are explainable, and traceability holds under scrutiny.
Move from checking risk registers to judging risk reasoning and treatment choices
In many audits, risk management looks “complete” on paper but breaks down when you follow one risk from context to treatment and control operation. This module builds a practical audit lens for testing whether risk reasoning is credible, decisions are explainable, and traceability holds under scrutiny.
Training module overview
Training module overview
Training module overview
ISO/IEC 27001 expects risk assessment and risk treatment to drive the information security management system (ISMS), not to exist as standalone documentation. In practice, auditors often encounter generic asset lists, recycled threat catalogues, inconsistent scoring, and a Statement of Applicability (SoA) that cannot be traced back to specific risks and treatment decisions.
This standard-specific audit add-on focuses on how to audit ISMS risk management where information security logic materially matters: asset–threat–vulnerability reasoning, treatment decision quality, and traceability from risks to chosen controls (including Annex A) and the SoA. It does not re-teach generic risk management methods or generic audit techniques; it applies an audit judgement lens to ISO/IEC 27001 risk management expectations.
ISO/IEC 27001 expects risk assessment and risk treatment to drive the information security management system (ISMS), not to exist as standalone documentation. In practice, auditors often encounter generic asset lists, recycled threat catalogues, inconsistent scoring, and a Statement of Applicability (SoA) that cannot be traced back to specific risks and treatment decisions.
This standard-specific audit add-on focuses on how to audit ISMS risk management where information security logic materially matters: asset–threat–vulnerability reasoning, treatment decision quality, and traceability from risks to chosen controls (including Annex A) and the SoA. It does not re-teach generic risk management methods or generic audit techniques; it applies an audit judgement lens to ISO/IEC 27001 risk management expectations.
Applicable environments
This module focuses on auditing clauses and controls that are specific to ISO/IEC 27001. It is intended for auditors working with organisations operating an information security management system (ISMS) according to this standard.
Target audience
Target audience
Target audience
Aspiring auditors who want to audit against ISO/IEC 27001 following best practices
Practising ISO/IEC 27001 auditors who want to strengthen their audit knowledge, judgement, and effectiveness
Aspiring auditors who want to audit against ISO/IEC 27001 following best practices
Practising ISO/IEC 27001 auditors who want to strengthen their audit knowledge, judgement, and effectiveness
Decision support
Is this module for you?
It is a good fit if you…
aim to audit whether ISMS risk management actually drives security decisions.
want to test asset–threat–vulnerability reasoning, not just risk register completeness.
follow risks from context through treatment decisions to controls and the SoA.
strengthen judgement on risk acceptance, prioritisation, and traceability.
seek audit findings that reveal weak risk reasoning and systemic gaps.
aim to audit whether ISMS risk management actually drives security decisions.
want to test asset–threat–vulnerability reasoning, not just risk register completeness.
follow risks from context through treatment decisions to controls and the SoA.
strengthen judgement on risk acceptance, prioritisation, and traceability.
seek audit findings that reveal weak risk reasoning and systemic gaps.
If most of the points above apply, this module is likely a good fit.
It may not be the best fit if you…
primarily want to design or improve risk assessment or treatment methods.
expect generic risk management frameworks or scoring models.
focus on facilitating workshops or producing risk documentation.
are unwilling to challenge formally complete but weak risk rationales.
primarily want to design or improve risk assessment or treatment methods.
expect generic risk management frameworks or scoring models.
focus on facilitating workshops or producing risk documentation.
are unwilling to challenge formally complete but weak risk rationales.
Agenda
Agenda
Agenda
What makes ISMS risk management audit-ready (in ISO/IEC 27001 terms)
Testing asset–threat–vulnerability reasoning
Risk assessment outputs that hold under audit
Judging risk treatment decisions
Traceability to controls and the Statement of Applicability (SoA)
Evidence trails: from documentation to operational reality
Case-based audit simulation
Show detailed agenda...
What makes ISMS risk management audit-ready (in ISO/IEC 27001 terms)
Testing asset–threat–vulnerability reasoning
Risk assessment outputs that hold under audit
Judging risk treatment decisions
Traceability to controls and the Statement of Applicability (SoA)
Evidence trails: from documentation to operational reality
Case-based audit simulation
Show detailed agenda...
What makes ISMS risk management audit-ready (in ISO/IEC 27001 terms)
Testing asset–threat–vulnerability reasoning
Risk assessment outputs that hold under audit
Judging risk treatment decisions
Traceability to controls and the Statement of Applicability (SoA)
Evidence trails: from documentation to operational reality
Case-based audit simulation
Show detailed agenda...
Learning outcomes
Learning outcomes
Learning outcomes
Key outcomes
Evaluate whether asset–threat–vulnerability logic is credible and fit for decision-making in an ISMS
Test internal consistency of risk assessment results using practical audit checks and targeted sampling heuristics
Assess whether risk treatment decisions are explainable, authorised, and reviewable
Evaluate whether asset–threat–vulnerability logic is credible and fit for decision-making in an ISMS
Test internal consistency of risk assessment results using practical audit checks and targeted sampling heuristics
Assess whether risk treatment decisions are explainable, authorised, and reviewable
Additional capabilities
Verify end-to-end traceability from risks to controls and to the Statement of Applicability (SoA)
Identify common systemic failure modes in ISO/IEC 27001 risk management and recognise early warning signals
Build effective audit trails and evidence requests that connect risk documentation to operational control reality
Verify end-to-end traceability from risks to controls and to the Statement of Applicability (SoA)
Identify common systemic failure modes in ISO/IEC 27001 risk management and recognise early warning signals
Build effective audit trails and evidence requests that connect risk documentation to operational control reality
Additional benefits
Additional benefits
Additional benefits
Learning materials
Slide deck
Participant workbook
Templates & tools
Practical, reusable artefacts to apply the module directly to your organisation.
ISMS risk audit trail worksheet (risk → treatment → controls → SoA)
Asset–threat–vulnerability plausibility checklist
Risk treatment decision test questions (including acceptance and residual risk)
SoA traceability and rationale review checklist
Evidence map by treatment option (reduce / retain / avoid / share)
Red-flag catalogue for “paper risk management” patterns
AI prompt set for consistency checking across risk register, treatment plan, and SoA (supporting, not replacing, professional judgement)
ISMS risk audit trail worksheet (risk → treatment → controls → SoA)
Asset–threat–vulnerability plausibility checklist
Risk treatment decision test questions (including acceptance and residual risk)
SoA traceability and rationale review checklist
Evidence map by treatment option (reduce / retain / avoid / share)
Red-flag catalogue for “paper risk management” patterns
AI prompt set for consistency checking across risk register, treatment plan, and SoA (supporting, not replacing, professional judgement)
Confirmation
Certificate of completion
Module ID
HAM-IS-A-01
Domain
Audience
Auditor
Language
English
Delivery
Live virtual
Duration
3 h
List price
CHF 250
Excl. VAT. VAT may apply depending on customer location and status.
Delivery & learning format
Delivery & learning format
Delivery & learning format
Virtual live teaching
This module is delivered live, with a strong focus on discussion, practical application, and direct interaction with the instructor.
Sessions work through realistic examples, clarify concepts in context, and apply methods directly to participants’ organisational realities.
Custom delivery options
For organisations with specific constraints or learning objectives, the module can be adapted in format or scope, including in-house delivery and contextualised case material.
Not sure if this module is right for you?
Not sure if this module is right for you?
Not sure if this module is right for you?
For an optimal learning experience
Preparation guidance
This module is designed as part of a modular training approach. Topics are deliberately distributed across modules and are not repeated in full, in order to avoid unnecessary redundancy. Each module is self-contained and can be taken on its own. Where prior knowledge or experience is helpful, this is indicated below so you can decide whether any preparation is useful for you.
For an optimal learning experience
Preparation guidance
This module is designed as part of a modular training approach. Topics are deliberately distributed across modules and are not repeated in full, in order to avoid unnecessary redundancy. Each module is self-contained and can be taken on its own. Where prior knowledge or experience is helpful, this is indicated below so you can decide whether any preparation is useful for you.
For an optimal learning experience
Preparation guidance
This module is designed as part of a modular training approach. Topics are deliberately distributed across modules and are not repeated in full, in order to avoid unnecessary redundancy. Each module is self-contained and can be taken on its own. Where prior knowledge or experience is helpful, this is indicated below so you can decide whether any preparation is useful for you.
Assumed background
This module assumes participants can already work with audit evidence and professional judgement, and have baseline familiarity with ISO/IEC 27001 ISMS terminology (including the Statement of Applicability).
Helpful background includes:
Understanding of generic risk and opportunity treatment logic (methods are not re-taught here)
Ability to distinguish documented intent from evidence of operation
Familiarity with common information security assets and dependencies (for example, identity, endpoints, cloud services, critical data flows)
This module assumes participants can already work with audit evidence and professional judgement, and have baseline familiarity with ISO/IEC 27001 ISMS terminology (including the Statement of Applicability).
Helpful background includes:
Understanding of generic risk and opportunity treatment logic (methods are not re-taught here)
Ability to distinguish documented intent from evidence of operation
Familiarity with common information security assets and dependencies (for example, identity, endpoints, cloud services, critical data flows)
Preparatory modules
Foundational modules (depending on background)
Useful if you are new to the underlying concepts or want a shared baseline before attending this module.
Risk Management Foundations
Learn the fundamentals of identifying, evaluating, treating, and monitoring risks and opportunities across management systems
7 h
Risk Management Foundations
Learn the fundamentals of identifying, evaluating, treating, and monitoring risks and opportunities across management systems
7 h
Risk Management Foundations
Learn the fundamentals of identifying, evaluating, treating, and monitoring risks and opportunities across management systems
7 h
Information Security Risk Management
Understand ISO/IEC 27001 requirements for information security risk assessment, risk treatment, and traceable risk decisions
7 h
Information Security Risk Management
Understand ISO/IEC 27001 requirements for information security risk assessment, risk treatment, and traceable risk decisions
7 h
Information Security Risk Management
Understand ISO/IEC 27001 requirements for information security risk assessment, risk treatment, and traceable risk decisions
7 h
Audit Foundations
Understand core audit mindset, evidence logic, materiality-based focus, and audit test plan design
7 h
Audit Foundations
Understand core audit mindset, evidence logic, materiality-based focus, and audit test plan design
7 h
Audit Foundations
Understand core audit mindset, evidence logic, materiality-based focus, and audit test plan design
7 h
Supporting modules (optional)
Helpful if you want to deepen related skills, but not required to participate effectively.
Audit Execution: Communication & Interviewing
Learn the skills for effective interview planning, questioning, and conversation control for reliable audit evidence
7 h
Audit Execution: Communication & Interviewing
Learn the skills for effective interview planning, questioning, and conversation control for reliable audit evidence
7 h
Audit Execution: Communication & Interviewing
Learn the skills for effective interview planning, questioning, and conversation control for reliable audit evidence
7 h
Audit Reporting & Follow-up
Understand how to write evidence-based findings, structure audit reports, and follow up agreed actions to verified closure
7 h
Audit Reporting & Follow-up
Understand how to write evidence-based findings, structure audit reports, and follow up agreed actions to verified closure
7 h
Audit Reporting & Follow-up
Understand how to write evidence-based findings, structure audit reports, and follow up agreed actions to verified closure
7 h
Continuous learning
Follow-up modules
Continuous learning
Follow-up modules
Continuous learning
Follow-up modules
After completion of this module, the following modules are ideal to further deepen your competence. If you are looking for a structured learning path, modules can also be taken as part of a professional track.
Ready to improve your management systems?
We support continuous improvement by embedding ISO requirements into everyday practice and daily operations.
Ready to improve your management systems?
We support continuous improvement by embedding ISO requirements into everyday practice and daily operations.
Ready to improve your management systems?
We support continuous improvement by embedding ISO requirements into everyday practice and daily operations.