ISO/IEC 27005 Lead Risk Manager is an advanced course designed to provide participants with in-depth knowledge and practical skills in information security risk management based on the ISO/IEC 27005 standard. The course focuses on equipping delegates with the ability to lead risk management activities, perform complex risk assessments, implement risk treatment strategies, and embed risk practices into organisational processes.
ISO/IEC 27005 focuses specifically on risk management within the broader information security landscape defined by ISO/IEC 27001. During this course, participants will explore established risk assessment and treatment methodologies, learn how to identify and evaluate risk scenarios and understand how risk management underpins a secure and resilient organisation. Through examples and exercises, the course builds both conceptual understanding and practical insight into how risk processes support decision-making and compliance.
Course objectives
Upon completion of this course, participants will be able to:
Prerequisites
There are no formal prerequisites for attending this course. A general interest in information security and risk management is helpful but not required.
Target audience
This course is suitable for anyone involved in information security or risk management activities, including team members, security professionals, IT staff, compliance officers and business stakeholders who need foundational knowledge of information security risk management practices.

Participants are introduced to the concept of risk as it relates to information security. The section explains why structured risk management is critical for organisations, how risks can impact objectives and how risk thinking supports a secure foundation.
This part describes the scope, structure and purpose of the ISO/IEC 27005 standard, including how it aligns with other standards such as ISO/IEC 27001 and how it supports risk-based decision making.
Participants learn the key terminology and concepts used in risk management — including asset, threat, vulnerability, risk evaluation and risk treatment — with practical examples and definitions that help anchor understanding in real-world contexts.
This section focuses on how to identify risk sources, evaluate their likelihood and potential impact, and document risk scenarios. Methods and tools for risk assessment are explored to support consistent application.
Participants explore how to evaluate and prioritise risks, choose appropriate treatment options, implement control selections, and set up monitoring and review mechanisms that support continual risk improvement and resilience within the organisation.
The course concludes with guidance on the certification exam, including a review of key topics and recommended study approaches to support successful outcomes.

After successfully completing the exam, you can apply for the credentials shown on the table below. You will receive a certificate once you comply with all the requirements related to the selected credential. For more information about ISO/IEC 27001 certifications and the PECB certification process, please refer to the Certification Rules and Policies.

For onsite classroom courses, the exam takes place at the end of the course.
For virtual courses we will send out a voucher that gives you access to an online exam. This can be booked and taken at home, monitored by a proctor via camera. More information about the exam rules will be sent by PECB.
The exam is a multiple-choice exam; candidates are only authorized to use the following reference materials:
Information Security Risk Acceptance, Communication, Consultation, Monitoring and Review
Risk Assessment Methodologies