Training Module
Information Security Foundations I
Understand the core concepts behind preventive controls, including access management, cryptography, secure configuration, and protective design
Understand
Implement
Manage
Audit
Training module overview
Many organisations adopt preventive security controls as a collection of technical measures—accounts, firewalls, encryption, “hardening”—without a shared understanding of what each control is meant to prevent, what it depends on, and what evidence shows it is actually in place. The result is inconsistent implementation, unclear ownership, and controls that look present but fail in real conditions.
This full-day domain fundamentals module explains the concepts behind common preventive controls and shows how they relate to ISO/IEC 27001 Annex A control themes. It is intentionally not a risk management module, does not define ISMS scope or the Statement of Applicability, and does not cover detective or responsive controls (covered in Foundations II). It focuses on control intent, typical design choices, and practical implementation patterns at a concept level.
Target audience
Information security managers and ISMS implementers who need a solid control vocabulary
IT service owners and platform/application owners involved in control implementation
Compliance, risk, and governance professionals who coordinate ISO/IEC 27001 delivery
Product, engineering, or operations leads who must interpret control expectations into practice
Agenda
Preventive controls in practice: what “prevention” actually means
Control intent, control boundaries, and failure modes
Dependencies: identity, configuration, assets, and human behaviour
Identity and access management fundamentals
Authentication, authorisation, and session control (what can go wrong)
Least privilege, segregation of duties, and privileged access (concepts and patterns)
Access governance patterns (without process overhead)
Joiner/mover/leaver logic as a control problem (roles, entitlements, exceptions)
Service accounts, shared access, emergency access: typical pitfalls and safeguards
Cryptography as a preventive control
Encryption goals: confidentiality, integrity, authenticity (and what encryption does not solve)
Data in transit vs. data at rest; key management basics and common misconfigurations
Protective configuration and secure build concepts
Secure defaults, baseline configurations, and hardening logic
Vulnerability and patching concepts (what prevention relies on; where operations takes over)
Network and platform protection fundamentals
Segmentation, boundary controls, and secure remote access as prevention mechanisms
Protective monitoring boundaries (what is preventive vs. what becomes detective)
Information handling and loss prevention basics
Classification/handling rules as preventive controls (intent, limits, typical misunderstandings)
Data minimisation and retention as preventive levers (concepts, not governance methods)
Workshop (case-based, collaborative)
Apply a Halderstone case: identify preventive control intents, dependencies, and likely failure modes
Map the chosen control concepts to ISO/IEC 27001 Annex A themes (without memorising numbering)
Course ID: HAM-ISF-1
Audience: Auditor, Manager
Domain: Information Security
Available in: English
Duration: 7 h
List price: CHF 550
Excl. VAT. VAT may apply depending on customer location and status.
What you get
Learning outcomes
Explain the intent, boundaries, and typical failure modes of common preventive security controls
Distinguish authentication, authorisation, and access governance problems—and choose suitable control patterns
Describe where cryptography fits (and does not fit) as a preventive control, including key-management basics
Interpret “secure configuration” as a prevention mechanism, including baselines, hardening logic, and dependency traps
Identify common preventive control implementation pitfalls (e.g., privileged access, shared accounts, misconfigured encryption, weak defaults)
Relate preventive control concepts to ISO/IEC 27001 Annex A control themes to support coherent implementation discussions
Learning materials
Slide deck
Participant workbook
Certificate of completion
Templates & tools
Preventive controls concept map (control intent → dependency → typical failure mode)
Access control patterns checklist (users, roles, privileged access, service accounts, exceptions)
Cryptography use-case matrix (in transit / at rest / integrity / authenticity)
Secure configuration baseline checklist (scope, inheritance, drift, evidence)
ISO/IEC 27001 Annex A crosswalk (concept → control theme references, indicative)
Prerequisites
This module assumes general professional familiarity with organisational IT and information handling. No prior ISO/IEC 27001 clause knowledge is required.
Helpful background includes:
Basic understanding of users, systems, networks, and common enterprise tooling (e.g., directories, cloud services)
Familiarity with operational realities (access requests, admin roles, configuration changes)
Comfort reading simple technical diagrams or control descriptions
Helpful preparatory modules
The modules below prepare for an optimal learning experience – but are not strictly necessary for participants to follow.
Risk Management Foundations: Consistent Risk and Opportunity Logic Across Management Systems
Learn the fundamentals of identifying, evaluating, treating, and monitoring risks and opportunities across management systems.
7 h
Information Security Risk Management – Applying the Risk Process to Assets, Threats, and Vulnerabilities
Understand ISO/IEC 27001 requirements for information security risk assessment, risk treatment, and traceable risk decisions
7 h
Continuous learning
Follow-up modules
After completion of this module, the following modules are ideal to further deepen the participant's competence.

Ready to achieve mastery?
Bring ISO requirements into everyday practice to reduce avoidable issues and strengthen the trust of your customers and stakeholders.