EXIN Information Security Foundation based on ISO/IEC 27001 certification confirms that the professional understands information security principles and concepts applied in the work environment and knows how to mitigate risk.
Globalization of the economy is leading to an ever-growing exchange of information. This information crosses not only national borders but also the thin lines between private and business domains. The scope of accountability grows together with the information that is managed. The international standard for information security management ISO/IEC 27001 is a widely respected and referenced standard and provides a framework for the organization and management of an information security program.
In the EXIN Information Security Management based on ISO/IEC 27001 program, the following definition is used: information security is the preservation of confidentiality, integrity, and availability of information.
EXIN Information Security Foundation based on ISO/IEC 27001 tests the basic concepts of information security and their relationships. Objectives of this module are to raise awareness that information is valuable and vulnerable, and to learn which controls are necessary to protect information.
1 Information and security
1.1 Concepts relating to information
The candidate can…
1.1.1 explain the difference between data and information.
1.1.2 explain information security management concepts.
1.2 Reliability aspects
The candidate can…
1.2.1 explain the value of the CIA-triangle.
1.2.2 describe the concepts accountability and auditability.
1.3 Securing information in the organization
The candidate can…
1.3.1 outline the objectives and the content of an information security policy.
1.3.2 explain how to ensure information security when working with suppliers.
1.3.3 outline roles and responsibilities relating to information security.
2 Threats and risks
2.1 Threats and risks
The candidate can…
2.1.1 explain threat, risk, and risk management.
2.1.2 describe types of damage.
2.1.3 describe risk strategies.
2.1.4 describe risk analysis.
3 Security controls
3.1 Outlining security controls
The candidate can…
3.1.1 give examples of each type of security control.
3.2 Organizational controls
The candidate can…
3.2.1 explain how to classify information assets.
3.2.2 describe controls to manage access to information.
3.2.3 explain threat and vulnerability management, project management, and incident management in information security.
3.2.4 explain the value of business continuity.
3.2.5 describe the value of audits and reviews.
3.3 People controls
The candidate can…
3.3.1 explain how to enhance information security through contracts and agreements.
3.3.2 explain how to attain awareness regarding information security.
3.4 Physical controls
The candidate can…
3.4.1 describe physical entry controls.
3.4.2 describe how to protect information inside secure areas.
3.4.3 explain how protection rings work.
3.5 Technical controls
The candidate can…
3.5.1 outline how to manage information assets.
3.5.2 describe how to develop systems with information security in mind.
3.5.3 name controls that ensure network security.
3.5.4 describe technical controls to manage access.
3.5.5 describe how to protect information systems against malware, phishing, and spam.
3.5.6 explain how recording and monitoring contribute to information security.
4 Legislation, regulations, and standards
4.1 Legislation and regulations
The candidate can…
4.1.1 give examples of legislation and regulations relating to information security.
4.2 Standards
The candidate can…
4.2.1 outline the ISO/IEC 27000, ISO/IEC 27001, and ISO/IEC 27002 standards.
4.2.2 outline other standards relating to information security.
The certification covers:
NOK 18.500