
Cybersecurity Maturity Model Certification (CMMC) and ISO/IEC 27001:2013 Lead Auditor Training for Information Security Management Systems


Seminar Content

Omnex is an Exemplar Global Certified TPECS provider for Exemplar Global AU and TL Competency Units. This five-day course has been developed to satisfy the Exemplar Global AU and TL Examination Profiles and, as such, all attendees who successfully pass the exams during this course will achieve a Certificate of Attainment for the following competency units:

  • Exemplar Global-AU
  • Exemplar Global-TL

This course was developed to cover all requirements of the ISO/IEC 27001:2013 standard, to provide awareness and understanding of the Cybersecurity Maturity Model Certification (CMMC) requirements placed on Government Contractors, and to illustrate the important linkages between CMMC and the controls and requirements of the information security management systems standard ISO/IEC 27001:2013. The course includes definitions from ISO/IEC 27000:2018 (Information Security Management Systems - Overview and Vocabulary), guidance from ISO/IEC 27003:2017 (Information Security Management System Implementation and Guidance), and auditing requirements from both ISO 19011:2018 (Guidelines for Auditing Management Systems) and ISO/IEC 27007:2017 (Guidelines for Information Security Management Systems Auditing). Group exercises and case studies will be used to develop the required skills.

Other topics covered include the auditing process and methodologies, e.g., planning and conducting an audit, writing nonconformity statements, preparing an audit summary and report, and verifying corrective actions following the requirements of ISO 19011 and ISO 27007. Auditing case studies will be used to develop skills for identifying nonconformities.

Who Should Attend

This seminar is primarily designed for lead auditor candidates, but it can also be valuable for Information Security Assurance Managers, ISO/IEC 27001:2013 Implementation and/or Transition Team Members, Management Representatives, and anyone else who would like to develop competency in ISO/IEC 27001:2013 and the third-party auditing process.

Recommended Training and/or Experience

An understanding of the ISO/IEC 27001:2013 requirements and/or work experience in applying ISO/IEC 27001:2013 is recommended.

An understanding of the risk management for information security that CMMC requires is also important.

Seminar Materials

Each participant will receive a seminar manual and a breakout workbook that includes auditing case studies.

Seminar Goals

  • Understand the application of Information Security Assessment principles and the maturity of controls.
  • Understand the application of Information Security Management principles in the context of ISO/IEC 27001:2013.
  • Relate the Information Security Management system to the organizational products, services, activities and operational processes.
  • Relate an organization’s context and the needs and expectations of interested parties to the planning and implementation of the organization’s Information Security Management system.
  • Understand the application of the principles, procedures and techniques of auditing.
  • Understand the conduct of an effective audit in the context of the auditee’s organizational situation.
  • Understand the application of regulations and other considerations that are relevant to the management system and to the conduct of the audit.
  • Practice personal attributes necessary for the effective and efficient conduct of a management system audit.
  • Establish, plan and task the activities of an audit team.
  • Communicate effectively with the auditee and audit client.
  • Organize and direct audit team members.
  • Prevent and resolve conflict with the auditee and/or within the audit team.
  • Prepare and complete the audit report.

Management System Requirements of CMMC

A management system is required for CMMC compliance. In this seminar, ISO/IEC 27001:2013 is used as the management system for the presentation; however, CMMC compliance could equally be wrapped within another management system, such as a Quality Management System. The relevant parts of ISO 9001:2015, IATF 16949:2016, or AS9100D could serve as the management system tools for CMMC in place of the similar approaches described in ISO/IEC 27001:2013.

Seminar Agenda

Day One

  • Fundamentals of Information Security Management Systems (ISMS)
    • Information Security
    • What is an Information Security Management System (ISMS)
    • The ISO/IEC 27000 Fundamentals and Vocabulary
    • The ISO/IEC 27001 ISMS Described
  • ISO/IEC 27001:2013 Requirements Descriptions
    • ISO/IEC 27001:2013 Clauses
    • Annex A
    • The Process Approach
  • Risk-based Thinking
    • ISMS Risks
    • ISMS Risk Assessment
    • ISMS Risk Treatment
  • ISO/IEC 27001 Clause 4 - Context of the Organization
    • Group Exercise 1: Context of the Organization
  • ISO/IEC 27001 Clause 5 - Leadership
  • ISO/IEC 27001 Clause 6 - Planning
    • Group Exercise 2: Assessing and Evaluating Risk
  • ISO/IEC 27001 Clause 7 - Support
  • ISO/IEC 27001 Clause 8 - Operation
  • ISO/IEC 27001 Clause 9 - Performance Evaluation
  • ISO/IEC 27001 Clause 10 - Improvement
  • ISO/IEC 27001 Annex A
    • Group Exercise 3: Annex A - Required Elements and Risk Treatments

Day Two

  • How CMMC Applies the NIST 800-171 Controls
    • Certification
    • CMMC Level Control Methods (Level 1 - 5)
    • Group Exercise 4: CMMC Measurement and Analysis
    • Understanding ISMS and CMMC Final Exam
  • NIST 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
    • NIST 800-171A Assessing Security Requirements for Controlled Unclassified Info
    • NIST Handbook 162 NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements
    • What it Consists of
    • Controls
    • How It Was Supposed to be Applied and How It Was Actually Applied
    • Compliance and How It Was Evaluated
  • Cybersecurity Maturity Model Certification (CMMC)
    • Description
    • Assessment Criteria and Methodology
  • Process Approach to Auditing, Turtle Diagrams, and Audit Trails
  • Audit Guidance, Definitions, and Principles
  • The Audit Program
  • Audit Planning and Preparation including ISO 27007 Guidelines for Information Security Management Systems Auditing
    • Breakout Exercise 1: Writing an Objective and Scope Statement
    • Breakout Exercise 2: Documentation Review
    • Breakout Exercise 3: Creating an Audit Plan

Day Three

  • Performing the Audit
    • Breakout Exercise 4: Performing an Audit
  • Writing Nonconformity Statements
    • Breakout Exercise 5: Writing Nonconformity Statements
  • Closing Meeting
  • Completing the Audit Report
  • Corrective Action and Close-Out
  • Management Systems Auditing Final Exam

Day Four

  • Leading Audit Teams
  • Management System Certification Scheme and Auditor Qualifications
  • Leading Management Systems Audit Teams Mock Audit Case Study

Day Five

  • Review of Audit Process and Audit Management Strategies
  • Leading Management Systems Audit Teams Final Exam
  • Practical Application of Audit Principles and Instructor Interviews
