Course objective
This 3-day course trains future Risk Managers to conduct a cyber risk analysis compliant with ISO/IEC 27005:2022 (guidance for information security risk management) and compatible with EBIOS Risk Manager, the ANSSI methodology.
It covers the full process: scoping, asset identification, threat and vulnerability analysis, risk evaluation, treatment and monitoring. At the end of the course, participants take the PECB ISO/IEC 27005 Risk Manager exam (2 hours).
Detailed programme (21 hours)
Day 1 — Scoping and identification
- Risk management principles (ISO 31000, ISO/IEC 27005)
- EBIOS RM overview — five workshops and articulation with ISO 27005
- Workshop 1: scoping and security baseline
- Workshop 2: risk sources and target objectives
- Identification and mapping of primary and supporting assets
Day 2 — Analysis and evaluation
- Workshop 3: strategic scenarios (ecosystem, stakeholders)
- Workshop 4: operational scenarios (attack trees, attack paths)
- Likelihood and severity scales
- Workshop 5: risk treatment and improvement plan
- Residual risk and acceptance
Day 3 — Steering, tooling and exam
- Risk communication (executive committee, business, technical teams)
- Tooling: spreadsheets, dedicated tools (Egerie, Risk’n’Tic, CRAMM)
- Integration with the ISO 27001 ISMS and the Statement of Applicability
- Full case study: analysis of an industrial SME
- PECB ISO/IEC 27005 Risk Manager certification exam
Teaching methods
Highly operational: 60% workshops on a single running case study. Toolkit handout (matrices, spreadsheets, deliverable templates) usable directly back at work.
Assessment
Graded exercises at the end of each workshop. Final PECB exam: 50 questions, 2 hours, written, 70% pass mark.
Accessibility
Accessible to participants with disabilities on prior request. France Travail (AIF) funding scheme available.