GIAC Certified ISO-27000 Specialist (G2700)
The ISO-27000 series of standards offers a framework to help any organization develop a genuinely security-minded corporate culture by instilling best practice and detailed guidance on all manner of security issues. This track is designed for information security officers and other management professionals who want a how-to guide for implementing the ISO-27000 series of standards, including an Information Security Management System (ISMS) built on ISO 27002 security controls and ISO 27005 risk management methods.
G2700 candidates must demonstrate understanding of the ISO-27000 series of standards and the ability to put them into practice.
Note: The G2700 certification was renamed on 2/1/2011 from G7799. The G7799 label was based on the original ISO-17799 security controls, which were later moved into the ISO 27000 series of standards. This change does not affect the certification status of current holders of the G7799 certification. Anyone renewing a G7799 certificate after 2/1/2011 will automatically receive an updated G2700 certificate.
Preparing for the G2700 Exam: Candidates may choose to prepare for the G2700 exam by taking the SANS Training Course: MGT411: SANS 27000 Implementation & Management
*No Specific training is required for any GIAC certification. If candidates need help in mastering the objectives for this certification, there are many sources of information available. Practical experience is one option; there are also numerous books on the market covering Computer Information Security. Another option is SANS training, or any relevant courses from other training providers.*
- 1 proctored exam
- 75 questions
- Time limit of 2 hours
- Minimum Passing Score of 70.7%
Certifications must be renewed every 4 years. Click here for details.
NOTE: GIAC exams are NOT given the day after the conference ends.
GIAC certification attempts purchased without SANS training will be activated in your SANS/GIAC account within 24 business hours of purchase. GIAC certification attempts purchased with SANS training will be activated in your SANS/GIAC account 7-10 business days after the end of the conference. In both cases, you will receive an email notification when your certification attempt has been activated in your account. You will have 120 days from the date of activation to complete your certification attempt. GIAC exams must be proctored through Pearson VUE. Please click the following link for instructions on How to Schedule Your GIAC Proctored Exam. GIAC exams are delivered online through a standard web browser.
- Certified Professionals (G2700)
- Exam Feedback Procedure
- Grievance Procedure
- Proctored exam procedure
- SANS Information Security Reading Room
Bulletin (Part 2 of Candidate Handbook)
Exam Certification Objectives & Outcome Statements
The topic areas for each exam part follow:
- Domain 1 Security Policy
- Candidate will be able to identify the primary sections of a policy, what defines good policy versus bad (proactive vs reactive), key security principles, know the process levels (1-4), understand the Security Policy domain's ISO 27002 controls, and the process of drafting and obtaining executive approval for a High Level Security Policy (HLSP).
- Domain 10 Legal Compliance
- Candidate will understand the ISO 27002 controls for legal/regulatory compliance, including identifying requirements, implementing techniques, and reporting, as well as being familiar with FISMA, the Sarbanes-Oxley Act, HIPAA, the Gramm-Leach-Bliley Act, the Privacy Act of 1974, the European Parliament's involvement in security and privacy laws for the European Union, third-party access, service level contracts, and the IANAL acronym.
- Domain 2 Organizational Security
- Candidate will understand the ISO 27002 controls for coordinating security in an organization, the need for an information security forum, criteria that define critical systems, assignment of responsibilities, management support and authorization, advantages of internal vs external security experts, and benefits of establishing relationships with ISPs.
- Domain 2 Organizational Security (part 2)
- Candidate will understand the ISO 27002 controls for coordinating security in an organization, value of risk assessments, Third Party and Outsourcing agreements and contracts, interfacing with legal teams, and Non Disclosure Agreements.
- Domain 3 Asset Management
- Candidate will understand the ISO 27002 controls for identifying assets, assigning accountability, and labeling/classifying assets, as well as understanding IPsec and its protocols, steganography and common tools.
- Domain 4 (part 2) HR and Awareness
- Candidate will understand the ISO 27002 controls for building, administering, and measuring a Security Awareness program, defining control objectives, and understand the incident management process and controls, as well as the importance of audit controls.
- Domain 4 Human Resource Security
- Candidate will understand the ISO 27002 controls for Human Resources employment policies and screening, code of ethics & published ethics organizations, security in job responsibilities, employee monitoring, Cisco standard access lists, router controls, proxy servers, honeypots, egress filtering, social engineering
- Domain 5 Physical and Environmental Security
- Candidate will understand the ISO 27002 controls for Physical Security of offices, data transportation and destruction techniques, maintenance contracts, protecting secure areas, publicly accessible areas as well as protecting equipment from environmental and external threats.
- Domain 6 Communications and Operations Management
- Candidate will understand the ISO 27002 controls for managing and monitoring network and communication operations, ports for common services, change control, third party services, and separation of duties.
- Domain 6 Communications and Operations Security (part 2)
- Candidate will understand the ISO 27002 controls for publicly accessible or shared information and systems, physical security, importance of patch management, operations process improvements, security principles such as economy of mechanism, and tools for monitoring and protecting information.
- Domain 7 Access Control
- Candidate will understand the ISO 27002 controls for Access Control policy, common access control types (RBAC, MAC, DAC), dynamic routing protocols, time synchronization, password management, storing, and auditing, authentication, access and privilege management, and monitoring access.
- Domain 8 Security Requirements of Information Systems
- Candidate will understand the ISO 27002 controls for developing and maintaining systems, including secure coding processes, importance of input validation, web vulnerabilities, integrity testing tools, troubleshooting techniques, error handling, differences between encryption types, encryption algorithms, and benefits of cryptographic controls.
- Domain 9 Business Continuity
- Candidate will understand the ISO 27002 controls for managing and reporting incidents, disaster recovery (DR), business continuity planning (BCP) and management, steps involved with BCP creation, BCP history, differences between BCP and DR, importance of testing, importance of a Business Impact Analysis (BIA).
- ISO 17799/27001 Background
- Candidate will understand the background of the ISO 17799 and 27000 Series standards, including registration of an ISO 27001 ISMS, purpose of audit controls, role of the Information Systems Security Manager and the Information Security Officer, and common terminology.
- Policy Writing
- Candidate will understand common security principles (least privilege, open design, complete mediation, economy of mechanism) to help guide the drafting of new policies and the assessment of existing policies for overall effectiveness, along with understanding the intent of an audit.
- Process Improvement and Site Security
- Candidate will be familiar with the importance of Continual Process Improvement levels, pros and cons of various training methods, and concepts regarding security controls, policy and competence of personnel.
- Risk Analysis Techniques and Methods (part 1)
- Candidate will understand the ISO 27002/27005 controls and techniques for qualitative, quantitative, FMECA steps, risk analysis, and severity levels and be familiar with cost-benefit analysis, return on investment (ROI), single loss expectancy (SLE), annualized loss expectancy (ALE), corrective controls, detective controls, and preventative controls.
- Risk Analysis Techniques and Methods (part 2)
- Candidate will understand the ISO 27002/27005 controls and risk analysis techniques for Cause Consequence Analysis (CCA), CCA history, fault trees, event trees, and Risk Dynamics.
- Risk Analysis Techniques and Methods (part 3)
- Candidate will understand the ISO 27002/27005 controls and risk analysis techniques for Time Based Analysis (preventative, detective, and reactive controls), cost benefit analysis, formula for measurable loss and exposure time, the term triple constraint.
- Risk Analysis Techniques and Methods (part 4)
- Candidate will be familiar with risk analysis tool categories and examples of tools (such as the BITS calculator, CRAMM).
- Risk Analysis Techniques and Methods (part 5)
- Candidate will understand ISO 27002/27005 Risk Management principles, including risk elimination, steps for establishing security controls (FMECA), enforcement and audit controls, role of the Information Security Officer, importance of security controls, goal of the Information Security Management System (ISMS), motivation for employee conformance to security policies, importance of protecting audit trails, handling policy violations.
- Specifying Controls
- Candidate will understand the role of security controls, audit controls, risk treatment plans, steps for implementing an ISMS, common security principles (including least privilege and separation of duties) and the Plan-Do-Check-Act methodology.
- Twelve Steps
- Candidate will understand the basic steps and processes for scoping, implementing and maintaining an ISO 27001 Information Security Management System (ISMS), along with the order in which they are to be completed.
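The quantitative risk-analysis quantities named in the objectives above (single loss expectancy, annualized loss expectancy, cost-benefit of a control) and the time-based exposure formula, worked through in Python as an added example; this is not GIAC or SANS material. The asset value, exposure factors, annual rates and control costs are constructed for illustration, and the exposure-time function assumes the Time Based Security model in which protection time must exceed detection time plus reaction time.

```python
"""Quantitative risk analysis helpers: SLE, ALE, safeguard cost-benefit ranking,
and time-based exposure. Added example; all figures below are constructed."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF; EF is the fraction (0..1) of the asset value lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO; ARO is the expected number of incidents per year (may be < 1)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float   # amortised purchase plus yearly operating cost
    residual_ef: float   # exposure factor once the control is in place
    residual_aro: float  # annual rate of occurrence once the control is in place


def safeguard_value(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """Net annual value of a control: ALE before - ALE after - annual cost of the control.
    A negative result means the control costs more than the risk it removes."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, sg.residual_ef), sg.residual_aro)
    return round(ale_before - ale_after - sg.annual_cost, 2)


def rank_safeguards(asset_value: float, ef: float, aro: float, safeguards) -> list:
    """Return (name, net annual value) pairs, best value first."""
    scored = [(sg.name, safeguard_value(asset_value, ef, aro, sg)) for sg in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def exposure_time(protection: float, detection: float, reaction: float) -> float:
    """Time Based Security (assumed model): controls are adequate only if P > D + R.
    Returns the exposure window D + R - P, or 0 when protection outlasts detection
    plus reaction. All arguments in the same unit (seconds here)."""
    return max(0.0, detection + reaction - protection)


# Constructed scenario: a customer database worth 500,000 (any currency unit), a
# breach destroying 25% of its value, expected once every five years (ARO 0.2).
ASSET_VALUE = 500_000.0
EXPOSURE_FACTOR = 0.25
ARO = 0.2
SAFEGUARDS = (
    Safeguard("offsite backups", annual_cost=8_000, residual_ef=0.05, residual_aro=0.2),
    Safeguard("web application firewall", annual_cost=15_000, residual_ef=0.25, residual_aro=0.05),
    Safeguard("insurance rider", annual_cost=30_000, residual_ef=0.0, residual_aro=0.2),
)


def scenario_report() -> dict:
    """Run the constructed scenario; returns the intermediate and final figures."""
    sle = single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR)
    ale = annualized_loss_expectancy(sle, ARO)
    return {
        "sle": sle,
        "ale": ale,
        "ranking": rank_safeguards(ASSET_VALUE, EXPOSURE_FACTOR, ARO, SAFEGUARDS),
        # 30 min of protection vs 15 min detection + 25 min reaction: 10 min exposed
        "exposure_slow_reaction": exposure_time(1800, 900, 1500),
        # reaction cut to 10 min: detection + reaction now inside the protection window
        "exposure_fast_reaction": exposure_time(1800, 900, 600),
    }


if __name__ == "__main__":
    for key, value in scenario_report().items():
        print(f"{key}: {value}")
```

The ranking shows why "cost of the control versus ALE" is the test the objectives call for: the insurance rider removes all of the loss but costs more than the 25,000 per year it saves, so its net value is negative, while the cheaper backups win even though they leave some residual loss.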
Where to Get Help
Training is available from a variety of resources, including online study, course attendance at a live conference, and self-study.
Practical experience is another way to ensure that you have mastered the skills necessary for certification. Many professionals have the experience to meet the certification objectives identified.
Finally, college level courses or study through another program may meet the needs for mastery.
The procedure to contest exam results can be found at http://www.giac.org/about/procedures/grievance.