ISO/IEC 27005 Foundation

ISO/IEC 27005 Foundation provides a clear introduction to information security risk management in line with the ISO/IEC 27005 standard. This course gives participants a solid understanding of risk management principles, processes and best practices used to support an Information Security Management System (ISMS), including how to assess and treat risks in a structured way.

ISO/IEC 27005 focuses specifically on risk management within the broader information security landscape defined by ISO/IEC 27001. During this course, participants will explore established risk assessment and treatment methodologies, learn how to identify and evaluate risk scenarios and understand how risk management underpins a secure and resilient organisation. Through examples and exercises, the course builds both conceptual understanding and practical insight into how risk processes support decision-making and compliance.

Course objectives

Upon completion of this course, participants will be able to:

  • Understand key concepts and terminology of ISO/IEC 27005 risk management
  • Explain the risk management process and its role within an ISMS
  • Conduct structured risk identification and analysis
  • Understand methods for risk evaluation and ranking
  • Describe risk treatment options and control selection
  • Prepare for the ISO/IEC 27005 Foundation certification exam

Prerequisites

There are no formal prerequisites for attending this course. A general interest in information security and risk management is helpful but not required.

Target audience

This course is suitable for anyone involved in information security or risk management activities, including team members, security professionals, IT staff, compliance officers and business stakeholders who need foundational knowledge of information security risk management practices.

Introduction to Information Security Risk

Participants are introduced to the concept of risk as it relates to information security. The section explains why structured risk management is critical for organisations, how risks can impact objectives and how risk thinking supports a secure foundation.

Structure and Purpose of ISO/IEC 27005

This part describes the scope, structure and purpose of the ISO/IEC 27005 standard, including how it aligns with other standards such as ISO/IEC 27001 and how it supports risk-based decision making.

Risk Management Concepts and Terminology

Participants learn the key terminology and concepts used in risk management — including asset, threat, vulnerability, risk evaluation and risk treatment — with practical examples and definitions that help anchor understanding in real-world contexts.

Risk Identification and Analysis

This section focuses on how to identify risk sources, evaluate their likelihood and potential impact, and document risk scenarios. Methods and tools for risk assessment are explored to support consistent application.

Risk Evaluation, Treatment and Monitoring

Participants explore how to evaluate and prioritise risks, choose appropriate treatment options, implement control selections, and set up monitoring and review mechanisms that support continual risk improvement and resilience within the organisation.

Foundation exam preparation

The course concludes with guidance on the certification exam, including a review of key topics and recommended study approaches to support successful outcomes.

After successfully completing the exam, you can apply for the credential shown in the table below. For more information about ISO/IEC 27005 certifications and the PECB certification process, please refer to Certification Rules and Policies.

The requirements for PECB Foundation Certification are:
[Image: ISO/IEC 27005 Foundation certification requirements table]

Exam

For onsite classroom courses, the exam takes place at the end of the course.

For virtual courses we will send out a voucher that gives you access to an online exam. This can be booked and taken from home, monitored by a proctor via camera. More information about the exam rules will be sent by PECB.

  • Multiple-choice, closed-book exam: candidates are not authorized to use anything but the exam paper and a pen.
  • Duration: 1 hour (+ 10 min extra time for non-native English speakers)
  • The use of electronic devices, such as laptops, cell phones, etc., is not allowed.

Examination rules and policies

RECEIVE YOUR EXAM RESULTS

Results will be communicated by email within 6 to 8 weeks after taking the exam. The results will not include the exact grade of the candidate, only a mention of pass or fail.

Candidates who successfully complete the examination will be able to apply for the certification scheme explained in the course description.

In the case of a failure, the results will be accompanied by the list of domains in which the candidate failed, to provide guidance for retake preparation.

Candidates who disagree with the exam results may file a complaint by writing to examination@pecb.com or through the PECB ticketing system.

EXAM RETAKE POLICY

There is no limit on the number of times a candidate may retake an exam. However, there are some limitations on the allowed time frame between exam retakes:

  • Students who have completed the full training but failed the written exam are eligible to retake the exam once for free within a 12-month period from the initial date of the exam.
  • If a candidate does not pass the exam on the second attempt, he/she must wait 3 months (from the initial date of the exam) for the next attempt (2nd retake). A retake fee applies.
  • If a candidate does not pass the exam on the third attempt, he/she must wait 6 months (from the initial date of the exam) for the next attempt (3rd retake). A retake fee applies.

After the fourth attempt, a waiting period of 12 months from the last session date is required before the candidate can sit the same exam again. The regular fee applies.

For candidates who fail the exam on the 2nd retake, PECB recommends attending an official training course in order to be better prepared for the exam.

To arrange exam retakes (date, time, place, costs), the candidate needs to contact Glasspaper.

Practical information

Duration: 2 days
Price: 14 900
Language: English
Format: Open course and corporate training

FAQ

What will I learn in this course?
You will learn the fundamental principles and processes of information security risk management, including risk identification, analysis, evaluation and treatment in line with ISO/IEC 27005.

What is required to attend?
No prior knowledge is required, but a general interest in risk and information security is an advantage.

How is the exam conducted?
The exam is taken either physically at the course venue or online with a voucher and an online proctor.

What happens if I do not pass the first exam?
You normally get one new exam attempt online.

Do I get extra time on the exam?
Yes, you get extra time if English is not your native language, in line with the certification rules.

Which certification do I get?
After passing the exam you obtain the PECB Certified Holder in ISO/IEC 27005 Foundation certification. See the table under Certification.

Do I get the ISO standard?
No, but you get access to the course material and framework references used during the course and the exam.

What is the difference between ISO/IEC 27005 and ISO/IEC 27001 Foundation?
ISO/IEC 27001 Foundation focuses on the information security management system as a whole, while ISO/IEC 27005 Foundation goes in depth into risk identification, analysis and treatment within risk management processes.

Is this course relevant for managers?
Yes, the course is relevant for managers, security officers and professionals who need insight into risk assessment and risk handling.

Can I take this course as e-learning or self-study?
No, it is not possible to take this course as e-learning, but self-study is possible. Send an e-mail to prosjekt@glassper.no for more information and ordering.
