# Cyber Academy. Full content dump (English)

> GRC & cybersecurity certification training. Led by Christophe Mazzola (a practicing CISO) alongside a small team of practitioners.
> Canonical URL: https://cyberacademy.net
> Author: Christophe Mazzola (https://cyberacademy.net/christophe)
> Index: https://cyberacademy.net/llms.txt

Last generated: 2026-05-30T16:03:42.999Z

===

# PILLAR PAGES

# NIS 2: the guide that replaces your legal watch.

**URL:** https://cyberacademy.net/resources/pillars/nis-2
**Published:** 2026-05-14
**Last reviewed:** 2026-05-14

## Definition

NIS 2 (Directive (EU) 2022/2555) is the EU directive that puts boards on the hook for cybersecurity. Mid-sized or larger entities in 18 listed sectors are in scope. On a significant incident: 24-hour early warning, 72-hour notification, full report at one month. Penalties up to 10 million euros or 2% of worldwide turnover for essential entities. Transposed unevenly across member states since October 2024.

## TL;DR

- In scope: 18 sectors, mid-sized (50+ FTE / 10M+ turnover) and larger. Two tiers — essential and important — with different supervisory intensity.
- Ten cybersecurity risk-management measures under Article 21. The directive says what; ISO 27001 is the most common how.
- Incident reporting: 24-hour early warning, 72-hour notification, full report at one month. Define the path before you need it.
- Personal liability and management accountability are now explicit. The board is on the hook, not just the CISO.
- Transposition state varies country to country — check your national authority before assuming the EU text applies as-is.

## FAQ

### Am I in scope of NIS 2?

Two filters: sector and size. You must be in one of 18 listed sectors (energy, transport, finance, health, digital infrastructure, public administration, space, food, chemicals, postal services, manufacturing of critical products, research, waste management, plus a few others).
And you must meet the size threshold: 50+ employees or 10 million euros annual turnover. Below that, you are out of scope by default, with national exceptions for critical entities of any size.

Two tiers within scope: essential entities (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management B2B, public administration, space) face heavier supervision and higher penalties. Important entities (postal, waste, chemicals, food, manufacturing, digital providers, research) face lighter supervision but the same control obligations.

### What are the ten Article 21 measures?

Article 21(2) lists ten cybersecurity risk-management measures: (a) policies on risk analysis and information system security; (b) incident handling; (c) business continuity and crisis management; (d) supply-chain security; (e) acquisition, development and maintenance security; (f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures; (g) basic cyber hygiene and cybersecurity training; (h) policies on cryptography and encryption; (i) human resources security, access control and asset management; (j) the use of multi-factor authentication, secured voice/video/text communications and secured emergency communication systems.

The directive does not say how to implement each. ISO 27001 maps cleanly onto all ten; NIST CSF and CIS Controls cover most of them. Pick a framework, document the mapping, and the supervisory authority is satisfied.

### What is the incident reporting timeline?
On a significant incident, three deadlines: 24-hour early warning (initial assessment, whether the incident is suspected to be caused by unlawful or malicious acts, potential cross-border impact); 72-hour notification (broader assessment, indicators of compromise); one-month final report (detailed description of the incident, severity, impact, mitigation measures taken, root-cause analysis where available).

A significant incident is one that has caused or is capable of causing severe operational disruption or financial losses, or affects others by causing considerable material or non-material damage. The thresholds are clarified by national authorities; check yours.

### What are the penalties?

Essential entities face administrative fines up to 10 million euros or 2% of worldwide annual turnover, whichever is higher. Important entities face up to 7 million euros or 1.4% of worldwide annual turnover. National authorities can also impose non-financial sanctions: orders to comply, public disclosure of non-compliance, temporary bans on management persons holding their role.

Penalties are not the only enforcement vector. Supervisory dialogue, audits, and orders to perform a specific corrective action all sit below the fine threshold and are more common in practice.

### How does NIS 2 interact with DORA and the AI Act?

For financial entities, DORA is lex specialis on ICT topics: where DORA applies, it prevails over NIS 2 for the ICT-related provisions. Financial entities still apply NIS 2 for non-ICT topics covered by the directive.

The AI Act is parallel — it governs AI systems, not cybersecurity programmes. If you operate high-risk AI systems within a critical sector, you face both: NIS 2 for the cybersecurity baseline, the AI Act for the AI conformity work.
## Official sources

- [EUR-Lex — Directive (EU) 2022/2555 (NIS 2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj)
- [ENISA — NIS 2 hub](https://www.enisa.europa.eu/topics/cybersecurity-policy/nis-directive-new)
- [ANSSI — Transposition NIS 2 (France)](https://cyber.gouv.fr/nis-2)

---

# DORA: what your RSSI did not tell you.

**URL:** https://cyberacademy.net/resources/pillars/dora
**Published:** 2026-05-14
**Last reviewed:** 2026-05-14

## Definition

DORA (Regulation (EU) 2022/2554) is the EU regulation that imposes a unified digital operational resilience framework on financial entities and their critical ICT third-party providers. Applicable since 17 January 2025. Five pillars: ICT risk management, incident reporting, resilience testing including threat-led penetration testing, third-party ICT risk, information-sharing. Lex specialis over NIS 2 on ICT topics.

## TL;DR

- Applies to ~20 categories of financial entities plus designated critical ICT third-party providers, since 17 January 2025.
- Five pillars. The third-party register (Pillar 4) and the resilience testing (Pillar 3, including TLPT for significant entities) are the most operational and the most audited.
- For significant entities, threat-led penetration testing every three years, supervised by the national authority under TIBER-EU.
- Critical ICT third-party providers are supervised directly by the European Supervisory Authorities (ESAs). Their concentration risk now matters at EU level.
- Pair with ISO 22301 for BCMS, ISO 27001 for ICT risk management, and Lead Operational Resilience Manager for the regulator-facing layer.

## FAQ

### Who is in scope of DORA?
Around 20 categories of financial entities: credit institutions, payment institutions, electronic money institutions, investment firms, central counterparties, trading venues, central securities depositories, insurance and reinsurance undertakings, intermediaries, crypto-asset service providers, account information service providers, alternative investment fund managers, management companies, data reporting service providers, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, securitisation repositories.

Plus a separate regime for critical ICT third-party providers (CTPPs) designated by the ESAs based on a criticality assessment. CTPPs face direct supervision by an ESA-led Joint Oversight Forum.

### What is TLPT and who needs it?

Threat-Led Penetration Testing is a regulator-supervised red-team exercise required for significant financial entities under DORA. Built on the TIBER-EU framework (Threat Intelligence-Based Ethical Red Teaming). Every three years at minimum.

TLPT is intelligence-driven (threat profile from a separate intelligence team), targets critical or important functions of the entity, and is supervised by the national authority. Multi-month, expensive, and the most rigorous test a financial CISO will face.

### How does DORA interact with NIS 2 for banks?

DORA is lex specialis on ICT topics. Where DORA applies, it prevails over NIS 2 for the ICT-related provisions. For non-ICT NIS 2 topics (physical security, certain governance aspects, training scope), NIS 2 still applies in parallel.

In practice, a bank in scope of both implements DORA fully for ICT risk, incident reporting, resilience testing and third-party ICT risk, while reading NIS 2 for the remaining cybersecurity governance baseline.

### What goes in the ICT third-party register?

Article 28 plus the EBA RTS on subcontracting and on the register of information specify the fields.
Each contractual arrangement with an ICT service provider is logged with: nature of services, criticality, sub-contracting chain visible to the entity, location of services, data location, performance SLAs, exit strategy, governance arrangements.

The register is the document the supervisory authority asks for first. Most financial entities underestimate the maintenance burden; an outdated register is treated as a finding.

### What is the relationship between DORA and ISO 22301?

DORA does not mandate ISO 22301 certification but the regulation's BCM and disaster-recovery obligations (Articles 11-12) map almost one-to-one onto an ISO 22301-compliant BCMS. Most entities that already operate a 22301 BCMS bolt on the DORA-specific testing and reporting layer without rebuilding the foundations.

## Official sources

- [EUR-Lex — Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/eli/reg/2022/2554/oj)
- [European Banking Authority — DORA hub](https://www.eba.europa.eu/regulation-and-policy/digital-operational-resilience-act)
- [ESMA — DORA implementation](https://www.esma.europa.eu/regulation/digital-operational-resilience)

---

# ISO 27001: Foundation, Lead Implementer, Lead Auditor — which one?

**URL:** https://cyberacademy.net/resources/pillars/iso-27001-foundation-li-la
**Published:** 2026-05-14
**Last reviewed:** 2026-05-14

## Definition

ISO 27001 has three certification levels: Foundation (2 days, vocabulary and structure), Lead Implementer (5 days, build the ISMS) and Lead Auditor (5 days, audit one). Foundation is the prerequisite for the senior credentials. Lead Implementer fits security and GRC teams owning the ISMS; Lead Auditor fits internal auditors and certification-body practitioners.

## TL;DR

- Foundation is the prerequisite. It gives the vocabulary and the management-system mental model. Two days, 1-hour exam.
- Lead Implementer (5 days) teaches you to build the ISMS, write the SoA, run the risk treatment and operate the management review cycle.
- Lead Auditor (5 days) teaches you to plan and lead third-party or internal audits. Different mindset: evidence, sampling, interview technique, reporting.
- Most CISOs and security leads take Lead Implementer. Internal auditors and Big Four consultants take Lead Auditor. Both is common over 12 to 18 months.
- Pass rates on instructor-led PECB cohorts: 99.1% at first attempt on our delivery; market average is 80% to 85% depending on the partner.

## FAQ

### Should I take Lead Implementer or Lead Auditor first?

Match it to your role. If you build, run or maintain the ISMS (security manager, GRC analyst, CISO of a smaller org), Lead Implementer first. The course teaches you to write the SoA, run risk treatment, draft the policies and operate the management review.

If you audit (internal audit team, Big Four consultant, certification-body auditor), Lead Auditor first. The course teaches the audit cycle, evidence sampling, interview technique and the discipline of writing findings.

Both is common. Order does not matter much in that case; some practitioners go LI then LA for the operational depth before the audit lens, others go LA then LI to internalise what auditors look for before they build.

### Is Foundation really required?

Yes, formally. PECB requires Foundation as the prerequisite for Lead Implementer and Lead Auditor exam eligibility. The cohort itself is two days and covers the management-system mental model, the structure of ISO 27001:2022 and the Annex A control set.

For senior practitioners with prior ISO 27001 experience or another ISO management-system credential, the Foundation requirement can sometimes be waived via PECB recognition of equivalent training. Check before you book; we map your case on the discovery call.

### What does the Lead Implementer exam look like?

Three hours, open-book, online via the PECB platform. Mix of multiple-choice and essay-style scenario questions.
The scenario questions are where most candidates lose points: you receive a fictional organisation context, then must apply the ISMS methodology end to end — define scope, identify risks, propose controls, justify the SoA structure, plan the management review. Pre-cohort prep on the methodology is non-negotiable.

### How much does it cost in Europe in 2026?

Standard PECB instructor-led pricing in Europe in early 2026: Foundation around 1,200 euros, Lead Implementer 2,800 to 3,200 euros, Lead Auditor 2,800 to 3,200 euros. Includes the course, the official PECB materials, the certification fee, the exam, one re-sit, and the credential lifetime.

Self-paced is typically 30% to 40% cheaper but slower in completion. In-house cohorts price per team rather than per seat; expect 12,000 to 18,000 euros for a 5-day Lead Implementer cohort up to 12 learners, on-site or virtual.

### Do PECB and ISACA credentials overlap?

They cover related but different ground. PECB issues credentials on ISO standards (ISO 27001, 27005, 31000, 22301, 42001…) and on EU regulations (NIS 2, DORA). ISACA issues credentials on professional disciplines (audit, security management, risk, governance, privacy) underpinned by COBIT and ISACA frameworks.

Most senior practitioners hold both: an ISO 27001 Lead Implementer or Lead Auditor (PECB) plus CISA or CISM (ISACA). The audit pathway (CISA → CRISC → ISO 27001 LA) is the canonical sequence.

## Official sources

- [PECB — ISO/IEC 27001 Lead Implementer](https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001)
- [ISO — ISO/IEC 27001:2022](https://www.iso.org/standard/27001)

---

# AI Act: compliance without the abstraction.

**URL:** https://cyberacademy.net/resources/pillars/ai-act
**Published:** 2026-05-14
**Last reviewed:** 2026-05-14

## Definition

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive AI regulation.
Four risk tiers: unacceptable (banned), high (heavy obligations and conformity assessment), limited (transparency), minimal. Dedicated rules for general-purpose AI models. Applies in phases until August 2027. ISO 42001 is the management-system answer to the AI Act's organisational requirements.

## TL;DR

- Risk-based: unacceptable practices banned (since February 2025), high-risk systems heavily regulated, limited risk requires transparency, minimal risk untouched.
- High-risk systems (employment, critical infrastructure, education, biometrics, law enforcement, justice…) require risk management, data governance, technical documentation, transparency, human oversight, accuracy and cybersecurity.
- GPAI model rules apply to general-purpose AI providers, with tighter obligations for systemic-risk models.
- Conformity assessment required before placing a high-risk system on the EU market. CE marking applies.
- Pair with ISO/IEC 42001 for the management-system layer. The AI Act tells you what to demonstrate; ISO 42001 tells you how to organise the proof.

## FAQ

### Is my AI system high-risk?

Annex III lists eight categories of high-risk AI systems: biometrics, critical infrastructure, education and vocational training, employment and worker management, access to essential public and private services, law enforcement, migration and border control, justice and democratic processes. Plus AI systems that act as a safety component or product covered by EU harmonised legislation (Annex I).

If your system fits one of those categories, it is high-risk. There is a narrow exception under Article 6(3) when the system performs a narrow procedural task, improves the result of a previously completed human activity, detects decision-making patterns without replacing the human assessment, or is a preparatory task. Document the exception; the supervisor will ask.

### When does the AI Act apply?

Phased application.
The prohibitions (Article 5) and AI-literacy obligations apply from 2 February 2025. The GPAI obligations apply from 2 August 2025. The bulk of the high-risk obligations apply from 2 August 2026. Specific high-risk obligations relating to systems already on the market and to systems falling under Annex I apply from 2 August 2027.

Practical implication: if you place a high-risk system on the EU market in 2026, the bulk of Chapter III obligations applies. Start the conformity assessment work now.

### What does the conformity assessment look like?

For most high-risk systems, internal control conformity assessment under Annex VI. The provider declares compliance themselves, based on: a quality management system, technical documentation per Annex IV, post-market monitoring, registration in the EU database.

For certain high-risk systems (notably biometric identification systems), a third-party notified body must be involved (Annex VII). CE marking and an EU declaration of conformity follow.

### What is the role of ISO/IEC 42001?

ISO/IEC 42001 is the international standard for AI management systems (AIMS), published in late 2023. It is the AIMS equivalent of ISO 27001's ISMS. The standard does not satisfy the AI Act on its own — the Act has product-specific technical requirements — but it provides the management-system foundation that auditors and notified bodies will recognise.

A typical readiness path: ISO 42001 Lead Implementer to build the AIMS, then map the AI Act high-risk obligations onto the AIMS controls, then run the conformity assessment for each in-scope system.

### What about general-purpose AI models?

Articles 51-56 govern providers of general-purpose AI models. Baseline obligations: technical documentation, information for downstream providers, policy on copyright compliance, summary of training data.
Systemic-risk GPAI models (currently those with cumulative training compute above 10^25 FLOP) face tighter obligations including model evaluation, systemic risk assessment and mitigation, incident reporting.

The AI Office at the European Commission issues a code of practice clarifying the GPAI obligations. Most non-frontier providers adhere to the code rather than negotiate compliance from first principles.

## Official sources

- [EUR-Lex — Regulation (EU) 2024/1689 (AI Act)](https://eur-lex.europa.eu/eli/reg/2024/1689/oj)
- [European Commission — AI Office](https://digital-strategy.ec.europa.eu/en/policies/ai-office)
- [ISO — ISO/IEC 42001:2023](https://www.iso.org/standard/81230.html)

---

# Operational resilience: DORA, NIS 2 and ISO 22301 in one place.

**URL:** https://cyberacademy.net/resources/pillars/operational-resilience-dora-nis-2-iso-22301
**Published:** 2026-05-14
**Last reviewed:** 2026-05-14

## Definition

Operational resilience is the ability of an organisation to deliver critical services through disruption, then recover. Three frameworks govern it in Europe: ISO 22301 (BCMS standard, the operational layer), NIS 2 (Article 21 business-continuity obligation for in-scope entities), DORA (Articles 11-12 for financial entities, plus dedicated testing). A single programme can satisfy all three; running them as separate workstreams duplicates work and creates inconsistencies.

## TL;DR

- ISO 22301 is the operational backbone: BIA, recovery objectives, BCP, runbooks, tabletop exercises, BCMS under management review.
- NIS 2 layers in incident reporting (24-hour early warning, 72-hour notification, one-month report) and supply-chain continuity.
- DORA layers in financial-entity-specific testing (threat-led penetration testing for significant entities every three years), the ICT third-party register, and ESA-level supervision for critical providers.
- Lead Operational Resilience Manager (PECB credential) is built specifically to integrate the three.
- Map once, audit thrice: a single 22301-aligned BCMS with NIS 2 and DORA control mappings satisfies all three audits.

## FAQ

### Do I need ISO 22301 certification under NIS 2 or DORA?

No. Neither NIS 2 nor DORA mandates ISO 22301 certification. Both require that the organisation operates business-continuity and resilience capabilities that achieve specific outcomes (recover within agreed timeframes, report incidents within deadlines, test the plans). An ISO 22301-compliant BCMS demonstrates those capabilities cleanly to a supervisor.

In practice, financial entities and operators of vital importance often pursue ISO 22301 certification because the audit evidence required by NIS 2 and DORA matches the certification evidence almost one-to-one.

### What is the relationship between BCP, DR, and incident response?

Three overlapping disciplines. Business Continuity Plans (BCPs) cover how the business keeps operating through a disruption — staffing, alternative sites, workarounds, communication. Disaster Recovery (DR) covers the IT-specific restoration of systems and data. Incident Response (IR) covers the detection-to-recovery cycle of security incidents.

A mature programme runs them as one. The same playbook walks from incident detection (IR) to system recovery (DR) to business operation continuation (BCP). Different teams may execute different phases, but the plan is integrated.

### What is threat-led penetration testing under DORA?

TLPT is the regulator-supervised red-team exercise required for significant financial entities under DORA, every three years at minimum. Built on TIBER-EU. Intelligence-driven (separate threat intelligence team produces the attacker profile), targets critical or important functions, supervised by the national authority.

TLPT is multi-month, multi-hundred-thousand-euro work.
It is the most rigorous resilience test a financial CISO will face, and the one that exposes the SOC, the detection rules and the incident-response chain for what they really are.

### How do I structure a single resilience programme?

Start with the BCMS (ISO 22301 backbone): scope, BIA, recovery objectives, plans, tests, management review. Layer in NIS 2 incident-reporting procedures and the supply-chain continuity obligations from Article 21. Layer in the DORA-specific testing schedule, ICT third-party register and incident classification for financial entities.

Map the controls in a single mapping document showing which clause of which framework each control satisfies. Auditors recognise the mapping and stop asking duplicate questions.

## Official sources

- [ISO — ISO 22301:2019 Business continuity management](https://www.iso.org/standard/75106.html)
- [EUR-Lex — Directive (EU) 2022/2555 (NIS 2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj)
- [EUR-Lex — Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/eli/reg/2022/2554/oj)

---

# GDPR in 2026: what changed since 2018.

**URL:** https://cyberacademy.net/resources/pillars/gdpr-2026
**Published:** 2026-05-14
**Last reviewed:** 2026-05-14

## Definition

In 2026, GDPR remains the EU regulation governing personal data (Regulation (EU) 2016/679, in force since May 2018). What changed since 2018: international transfer framework (Schrems II, new SCCs, EU-US Data Privacy Framework), enforcement intensity (CNIL, DPC, AEPD as the active authorities), interaction with the AI Act on automated processing, and CJEU clarifications on consent, legitimate interest and right to be forgotten.

## TL;DR

- GDPR itself has not been amended. What moved is the case law, the EDPB guidelines, the SCCs and the international transfer framework.
- Schrems II struck down Privacy Shield in 2020. The EU-US Data Privacy Framework (DPF) replaced it in July 2023; transfers to DPF-certified US importers no longer need supplementary measures.
- The 2021 SCCs replaced the 2010 versions. Every transfer outside the EEA without an adequacy decision needs a documented Transfer Impact Assessment.
- EDPB and national authority enforcement is at record intensity. Major 2023-2025 cases: Meta (1.2 billion euros, transfers), LinkedIn (310 million euros, behavioural advertising), Clearview AI (multiple authorities).
- AI Act interaction: high-risk AI systems processing personal data must comply with both. DPIA + AI Act conformity assessment together.

## FAQ

### Do I still need SCCs since the EU-US DPF was adopted?

For transfers to US importers that are self-certified to the EU-US Data Privacy Framework, no — the adequacy decision of July 2023 covers those transfers. Check the importer's certification on the Department of Commerce DPF list.

For transfers to non-DPF importers in the US, or transfers to any other third country without an adequacy decision, the 2021 SCCs (or another transfer tool) plus a Transfer Impact Assessment are required.

### What is a Transfer Impact Assessment and when do I need one?

A TIA is the documented analysis required since Schrems II for any transfer of personal data outside the EEA without an adequacy decision. It assesses whether the laws of the destination country provide a level of protection essentially equivalent to that guaranteed within the EU, and identifies supplementary measures if not.

You need a TIA for every such transfer, on a per-transfer-flow basis. EDPB Recommendations 01/2020 provide the methodology. Most organisations using non-EU SaaS providers underestimate the TIA work and rely on the vendor's template, which is not legally sufficient on its own.

### How does the AI Act interact with GDPR?

The AI Act is an additional layer on top of GDPR, not a replacement.
Where high-risk AI systems process personal data, both regulations apply: GDPR for the lawful basis, the data-subject rights, the DPIA, the international transfer framework; AI Act for the conformity assessment, the risk management, the technical documentation, the human oversight.

In practice, organisations integrate the DPIA and the AI Act conformity assessment into a single document where possible, to avoid duplicate work and inconsistent risk treatments.

### What enforcement trends should I watch?

Three trends since 2022: (1) supervisory authorities cooperating more (one-stop-shop decisions, joint investigations), with the DPC in Ireland still leading on cross-border cases against US tech but the EDPB binding decisions tightening their hand; (2) major fines on behavioural advertising and dark patterns (Meta, LinkedIn, Amazon, Google); (3) enforcement on cookies and tracking technologies under the ePrivacy Directive (CNIL particularly active).

Expect the trend to continue: more cross-border binding decisions, tighter scrutiny on legitimate interest as a basis for behavioural processing, and growing attention to AI-related processing under GDPR Article 22 (automated decision-making).

### Does my organisation need a DPO?

GDPR Articles 37 to 39 require a DPO when: (a) the controller or processor is a public authority or body; (b) the core activities require regular and systematic monitoring of data subjects on a large scale; (c) the core activities consist of large-scale processing of special categories of data or of personal data relating to criminal convictions.

Beyond the legal requirement, many private-sector organisations appoint a DPO voluntarily for risk-management reasons. Group-level DPOs are permitted and common in multinationals; they must remain accessible to data subjects and to the supervisory authority.
## Official sources

- [EUR-Lex — Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/eli/reg/2016/679/oj)
- [European Data Protection Board](https://www.edpb.europa.eu/)
- [CNIL — Guidance and decisions](https://www.cnil.fr/)

---

# EBIOS RM vs ISO 27005: the match.

**URL:** https://cyberacademy.net/resources/pillars/ebios-rm-vs-iso-27005
**Published:** 2026-05-14
**Last reviewed:** 2026-05-14

## Definition

EBIOS Risk Manager is the French national risk-assessment method published by ANSSI, focused on strategic cyber-attack scenarios. ISO/IEC 27005 is the international risk-management standard for information security, aligned with ISO 31000 and used as the methodology layer for ISO 27001 ISMS work. Both are practitioner methodologies; they are complementary more than alternatives.

## TL;DR

- EBIOS RM is strategic and scenario-driven. Maps business processes onto attacker objectives, then derives technical controls. Strong in French public sector and operators of vital importance.
- ISO 27005 is methodology-agnostic and pairs natively with ISO 27001 Annex A. Standard in international audits.
- EBIOS RM produces a smaller number of high-impact scenarios with rich narrative. ISO 27005 produces a comprehensive risk register.
- Both are accredited PECB credentials: EBIOS Risk Manager (5 days), ISO/IEC 27005 Risk Manager (5 days). Lead Risk Manager exists only for ISO 31000.
- In practice: ISO 27005 for the ISMS risk register, EBIOS RM as a complement to identify the strategic scenarios that warrant board attention.

## FAQ

### Which one does my auditor expect?

For an ISO 27001 certification audit, the auditor expects an ISO/IEC 27005-aligned methodology by default. The 2022 revision of ISO 27005 explicitly bridges to ISO 27001 Clause 6 and to ISO 31000 principles.

For French public-sector audits (HFDS, ANSSI inspections of operators of vital importance under LPM, NIS 2 supervision by ANSSI), EBIOS RM is the expected language.
Failure to articulate strategic scenarios in EBIOS RM vocabulary will be flagged.

### Can I use both at the same time?

Yes, and many organisations do. EBIOS RM produces 5 to 10 strategic attack scenarios with named threat sources, business assets and feared events; these become the inputs to an ISO 27005 risk register that handles the operational layer (vulnerability-asset combinations, likelihood-impact scoring, treatment options).

The combination works because EBIOS RM operates at the scenario level (board-friendly) while ISO 27005 operates at the asset/control level (audit-friendly). Mapping the two requires discipline but is well-trodden ground in French entities subject to both ANSSI supervision and ISO 27001 certification.

### Is EBIOS RM only relevant in France?

Mostly, yes. Outside France, ISO 27005 is the lingua franca for ISMS risk methodology. EBIOS RM is recognised by ENISA in some publications and used by French-influenced jurisdictions, but you will rarely encounter it in audits outside France or Francophone Africa.

If your audit footprint is purely international, ISO 27005 is the safer single choice. If you operate in France, in the public sector, or sell to French state entities, EBIOS RM literacy is expected.

### What does the PECB EBIOS Risk Manager credential cover?

Five days. Covers the five EBIOS RM workshops: scope and security baseline, risk sources, strategic scenarios, operational scenarios, risk treatment. Exam is open-book, three hours, mix of multiple-choice and scenario questions.

The credential is recognised by ANSSI through the PECB Gold Partner accreditation pathway. It does not substitute for ISO/IEC 27005 Risk Manager if your auditor expects the ISO methodology; it complements it.

## Official sources

- [ANSSI — EBIOS Risk Manager method](https://cyber.gouv.fr/la-methode-ebios-risk-manager)
- [ISO — ISO/IEC 27005:2022](https://www.iso.org/standard/80585.html)

---

# The real price of an ISO 27001 Lead Implementer in Europe.
**URL:** https://cyberacademy.net/resources/pillars/iso-27001-lead-implementer-price-europe
**Published:** 2026-05-14
**Last reviewed:** 2026-05-14

## Definition

In Europe in 2026, an instructor-led ISO 27001 Lead Implementer cohort prices between 2,800 and 3,200 euros per seat for a standard 5-day delivery, all-inclusive (course, PECB materials, certification fee, exam, one re-sit). Self-paced is 30% to 40% cheaper. In-house cohorts price 12,000 to 18,000 euros for up to 12 learners.

## TL;DR

- Standard instructor-led (live online or on-site cohort), 5 days, all-inclusive: 2,800 to 3,200 euros per seat. Variance comes from the partner tier and the location, not the syllabus.
- Self-paced (recorded modules, official PECB materials, exam included): 1,700 to 2,200 euros. Slower completion, fewer questions answered live.
- In-house private cohort, up to 12 learners, on-site or virtual: 12,000 to 18,000 euros for the full 5 days. Quote sent within one business day from the in-house training page.
- PECB Gold and Platinum partners price 5% to 15% above lower tiers, in exchange for accreditation depth and the certification or refund guarantee where applicable.
- Watch the bundle: training fee, certification fee, exam fee, re-sit, materials, post-cohort coaching. Cheaper offers often unbundle the certification fee.

## FAQ

### Why is the price not on every catalogue?

Most training providers default to "starting from" or "contact us for a quote" to control negotiation leverage. The trade-off is friction: individual buyers walk away, corporate buyers wait days for a number, and prices drift apart for the same cohort.

Cyber Academy publishes the standard price on every catalogue course page; quote workflow is reserved for in-house and multi-seat scopes where a tailored proposal is actually useful.

### What should the bundle include?
A clean ISO 27001 Lead Implementer bundle in Europe contains: the 5-day training fee, the official PECB course materials (digital and print), the certification fee paid to PECB, the first exam attempt, one free re-sit, and the credential lifetime (no renewal fee for the Lead Implementer credential itself). Common omissions in cheaper offers: the certification fee (added later as "we deliver the training, PECB issues the credential separately"), the re-sit (charged at 200 to 400 euros), or the official materials (sold as a separate kit).

### How does in-house pricing work?

In-house cohorts price per cohort rather than per seat. A standard 5-day Lead Implementer cohort for up to 12 learners runs 12,000 to 18,000 euros in Europe in 2026. The price covers the trainer time, the official PECB materials for each learner, the certification fee for each learner, and the exam for each learner. Variables that move the price: location (on-site travel), schedule (single block vs split sessions), language (English default, other languages on request), sector adaptation (examples and exercises mapped to the buyer's context), and the seniority of the trainer requested.

### Is the cheapest cohort worth it?

Often no. The bottom of the European market (1,500 to 2,200 euros instructor-led, including the exam) is typically: junior trainer, large cohort (15 to 25 learners), thin pre-exam coaching, limited post-cohort follow-up. The certification you receive is the same; the probability of passing on first attempt is materially lower, and the operational knowledge transfer is uneven. Our 99.1% first-attempt pass rate on instructor-led PECB cohorts is partly the trainer pool and partly the cohort size (10 to 15, never above). Both have a cost.

## Official sources

- [PECB — ISO/IEC 27001 Lead Implementer training course](https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001)

---

# ISO 31000: Foundation → Risk Manager → Lead Risk Manager.
**URL:** https://cyberacademy.net/resources/pillars/iso-31000-foundation-risk-manager-lead-risk-manager
**Published:** 2026-05-14
**Last reviewed:** 2026-05-14

## Definition

ISO 31000 is the international guidance standard for risk management — principles, framework, process — applicable to any organisation and any type of risk. It is not certifiable; the PECB pathway is Foundation, Risk Manager, then Lead Risk Manager. There is no ISO 31000 Lead Auditor: ISO 31000 is guidance, not a management-system standard, so there is nothing to audit against.

## TL;DR

- ISO 31000 is guidance, not a certifiable management system. No Lead Auditor exists.
- PECB pathway: Foundation (2 days), Risk Manager (5 days), Lead Risk Manager (5 days). The senior credential is Lead Risk Manager.
- Foundation gives the vocabulary, the principles and the process model. Required prerequisite for the senior credentials.
- Risk Manager applies ISO 31000 to a specific scope. Lead Risk Manager leads the enterprise risk programme across functions.
- Complements ISO 27005 (information-security-specific risk) and EBIOS RM (strategic cyber scenarios) — different lenses on the same risk discipline.

## FAQ

### Why is there no ISO 31000 Lead Auditor?

ISO 31000 is guidance, not a management-system standard. There is no certifiable system to audit against. Some training catalogues advertise ISO 31000 Lead Auditor; the credential does not exist within the PECB programme. People asking for it usually mean ISO 27001 Lead Auditor (which audits the ISMS using ISO 27005 risk methodology) or ISO/IEC 27005 Risk Manager (which applies the methodology to information security). If your auditor expects an ISO 31000 audit, push back: there is no certifiable conformity criterion. They likely mean a maturity assessment of the risk-management framework, which is a different exercise.

### Risk Manager or Lead Risk Manager — which is right for me?
Risk Manager (5 days) is for practitioners running a defined risk scope: a department, a programme, a subsidiary. The course teaches you to operate ISO 31000 within that scope. Most GRC analysts and risk officers stop here. Lead Risk Manager (5 days) is for senior practitioners running the enterprise risk programme: setting the risk appetite, designing the framework, integrating risk across business units, reporting to the board. Required when the role title is Head of Risk, Chief Risk Officer, or equivalent.

### How does ISO 31000 sit alongside ISO 27005?

Different scopes. ISO 31000 is the generic risk-management guidance — it applies to financial risk, operational risk, strategic risk, compliance risk, information-security risk, anything. ISO 27005 is the application of ISO 31000 principles specifically to information-security risk in an ISO 27001 ISMS context. A risk practitioner with ISO 31000 credentials operates across the enterprise. An information-security risk specialist with ISO 27005 credentials operates inside the ISMS scope. Senior practitioners often hold both.

### Is ISO 31000 relevant outside cybersecurity?

Yes, very. ISO 31000 is sector-agnostic. It is used in financial risk management (alongside Basel and Solvency frameworks), enterprise risk management (alongside COSO ERM), supply-chain risk, environmental risk, project risk and operational risk. The principles and process model are identical across domains; only the asset and threat categories change.

## Official sources

- [ISO — ISO 31000:2018 Risk management](https://www.iso.org/iso-31000-risk-management.html)
- [PECB — ISO 31000 Risk Manager](https://pecb.com/en/education-and-certification-for-individuals/iso-31000)

---

# CISO vs DPO vs RSSI: who does what, really.
**URL:** https://cyberacademy.net/resources/pillars/ciso-dpo-rssi
**Published:** 2026-05-14
**Last reviewed:** 2026-05-14

## Definition

The CISO (Chief Information Security Officer) owns the information-security strategy and programme. The DPO (Data Protection Officer) owns the GDPR-mandated independent oversight of personal-data processing. The RSSI (Responsable de la Sécurité des Systèmes d'Information) is the French equivalent of CISO. The three roles overlap at the data-security perimeter but answer to different mandates: CISO and RSSI to the executive, DPO to the regulator.

## TL;DR

- CISO and RSSI are the same role with different vocabulary. RSSI is the French title; CISO is the international title. Same scope.
- DPO is independent by GDPR design — reports to the highest management level, cannot be dismissed for performing the role, and is the contact point for the supervisory authority.
- CISO/RSSI accountability: information security strategy, risk register, incident response, board reporting. Mandate from the executive.
- DPO accountability: GDPR compliance oversight, DPIA review, data-subject rights, supervisory dialogue. Mandate from the regulation.
- They overlap on data security (Article 32 of GDPR) and incident response. A single person should not hold both roles in significant organisations — the DPO must remain independent of the data-processing decisions the CISO operates.

## FAQ

### Can the same person be CISO and DPO?

Technically yes in small organisations, but the EDPB strongly discourages it. The DPO must remain independent of the processing decisions; the CISO operates those decisions. In a small org where the same person makes the call, the independence is fictional. In any organisation of meaningful size (50+ FTE handling meaningful personal data), separate the roles. The DPO can sit in the legal team, the risk team, or report directly to the CEO. The CISO sits in the technology or security organisation.
### Which certifications signal a CISO?

CISM (ISACA) is the most common credential on a CISO resume — about 60% of CISO postings in Europe ask for it. ISO 27001 Lead Implementer or Lead Auditor (PECB) is the next most common. CISSP is the traditional US-style alternative. For French RSSI roles, ANSSI-recognised qualifications (EBIOS Risk Manager, qualifications via the SecNumCloud or PASSI programmes) carry weight in addition to or instead of international credentials.

### Which certifications signal a DPO?

The Certified Data Protection Officer (CDPO, PECB-issued, GDPR-aligned) is the European reference. The CIPP/E (IAPP) is the alternative international privacy credential, particularly recognised in firms with US presence. For technical DPOs (privacy engineers operating inside or alongside the security team), CDPSE (ISACA) is the technical complement. ISO/IEC 27701 Lead Implementer (PECB) is the management-system credential for organisations running a privacy ISMS.

### How do their salaries compare in Europe?

Wide variance by country and sector. In France in 2026, an experienced CISO/RSSI in a CAC 40 company earns 130,000 to 220,000 euros base. An experienced DPO in the same company earns 90,000 to 150,000 euros base. In financial services, both roles trend 20% to 30% higher. In mid-market, both roles trend 30% to 40% lower. The salary spread reflects the scope: CISO/RSSI owns budget, headcount, technology choices. DPO owns oversight, independence, regulatory contact.

## Official sources

- [EDPB — Guidelines on Data Protection Officers](https://www.edpb.europa.eu/)
- [ANSSI — Référentiel d'exigences pour les RSSI](https://cyber.gouv.fr/)

---

# ENCYCLOPEDIA

## AI Risk Manager

**URL:** https://cyberacademy.net/resources/encyclopedia/ai-risk-manager
**Last reviewed:** 2026-05-14

AI Risk Manager is the credential (PECB / ISACA emerging) for practitioners running AI-specific risk programmes: model risk, bias, drift, transparency, third-party model risk.
Operational layer that complements ISO 42001 (system-level) and the AI Act (regulatory layer). Common companion to a CISO or Lead AI Auditor.

---

## Advanced in AI Audit (AAIA)

**URL:** https://cyberacademy.net/resources/encyclopedia/aaia
**Last reviewed:** 2026-05-14

AAIA is the advanced ISACA credential for auditing AI systems, models and governance. Newer (2024 onwards). Requires existing CISA or equivalent. Built for senior auditors adding AI capability, mapped onto ISO 42001 and the EU AI Act high-risk obligations.

---

## Business Continuity Management (BCM)

**URL:** https://cyberacademy.net/resources/encyclopedia/bcm
**Last reviewed:** 2026-05-14

BCM is the discipline that identifies threats to your critical operations, then designs the plans and procedures to keep them running through disruption. Not a one-off project. The BCM team that delivers under a real incident is the one that ran a tabletop exercise four months ago and wrote down what failed.

---

## Business Email Compromise (BEC)

**URL:** https://cyberacademy.net/resources/encyclopedia/bec
**Last reviewed:** 2026-05-14

BEC is the targeted social-engineering attack that impersonates an executive or supplier to redirect a payment or trick an employee into approving one. No malware required; pure pretexting. Average loss per incident dwarfs ransomware. Process controls (segregation of duties, callback verification) catch it; technology alone does not.

---

## Business Impact Analysis (BIA)

**URL:** https://cyberacademy.net/resources/encyclopedia/bia
**Last reviewed:** 2026-05-14

A BIA is the structured analysis that quantifies the impact of disruption on each critical activity over time. Outputs include the recovery time objective, recovery point objective and minimum business continuity objective. Mandatory input for ISO 22301 and DORA. Done well, it becomes the document the board actually reads.
---

## CIS Controls

**URL:** https://cyberacademy.net/resources/encyclopedia/cis-controls
**Last reviewed:** 2026-05-14

The CIS Critical Security Controls are a prioritised set of 18 control categories published by the Center for Internet Security. Implementation groups (IG1, IG2, IG3) match organisation maturity. The fastest way to take a small or mid-sized organisation from zero to defensible. Maps neatly onto ISO 27001 Annex A.

---

## COBIT

**URL:** https://cyberacademy.net/resources/encyclopedia/cobit
**Last reviewed:** 2026-05-14

COBIT is the ISACA framework for the governance and management of enterprise IT. Current edition is COBIT 2019. The framework the Big Four use to assess IT governance maturity, and the reference for the CGEIT credential. More strategic than ISO 27001; less prescriptive than NIST.

---

## Certificate of Cloud Auditing Knowledge (CCAK)

**URL:** https://cyberacademy.net/resources/encyclopedia/ccak
**Last reviewed:** 2026-05-14

CCAK is the joint ISACA / Cloud Security Alliance credential for cloud auditors. Covers cloud governance, CCM, the STAR programme and hyperscaler-specific audit considerations. The natural extension for a CISA-holder whose scope went cloud-first.

---

## Certified Cybersecurity Operations Analyst (CCOA)

**URL:** https://cyberacademy.net/resources/encyclopedia/ccoa
**Last reviewed:** 2026-05-14

CCOA is ISACA's hands-on cybersecurity operations credential, focused on SOC work: monitoring, detection, response, recovery. The technical companion to CISM. Best fit for analysts and incident responders rather than managers or auditors.

---

## Certified Data Privacy Solutions Engineer (CDPSE)

**URL:** https://cyberacademy.net/resources/encyclopedia/cdpse
**Last reviewed:** 2026-05-14

CDPSE is the ISACA technical-privacy credential. Three domains: privacy governance, privacy architecture, data lifecycle. The engineering-side companion to the policy-focused DPO/CDPO credentials.
Strong fit for security teams owning privacy implementation and for architects working under the GDPR or the AI Act.

---

## Certified Information Security Manager (CISM)

**URL:** https://cyberacademy.net/resources/encyclopedia/cism
**Last reviewed:** 2026-05-14

CISM is the ISACA credential for information-security managers: governance, programme management, risk management, incident management. The gold standard for security-leadership roles, asked for in about 60% of CISO postings. Different lens from CISSP: management-focused, less technical.

---

## Certified Information Systems Auditor (CISA)

**URL:** https://cyberacademy.net/resources/encyclopedia/cisa
**Last reviewed:** 2026-05-14

CISA is the reference IT-audit credential, awarded by ISACA since 1978. Five domains covering the audit process, governance, acquisition, operations and asset protection. The credential Big Four engagements default to. Recognised globally; mandatory for many internal-audit and compliance roles in regulated industries.

---

## Certified in Risk and Information Systems Control (CRISC)

**URL:** https://cyberacademy.net/resources/encyclopedia/crisc
**Last reviewed:** 2026-05-14

CRISC is the ISACA risk credential for IT-risk practitioners. Identification, assessment, response, monitoring tied to information systems. Bridges business and IT risk. The natural complement to CISA for auditors moving into risk, and to ISO 27005 / 31000 for ISO-trained practitioners adding the ISACA vocabulary.

---

## Certified in the Governance of Enterprise IT (CGEIT)

**URL:** https://cyberacademy.net/resources/encyclopedia/cgeit
**Last reviewed:** 2026-05-14

CGEIT is the ISACA credential for senior practitioners advising on the governance of enterprise IT: strategic alignment, value delivery, risk and resource optimisation. Underpinned by COBIT. Smaller market than CISA / CISM, but the right credential for CIOs, board-level IT advisors and senior consultants.
---

## Chief Information Security Officer (CISO)

**URL:** https://cyberacademy.net/resources/encyclopedia/ciso
**Last reviewed:** 2026-05-14

The CISO is the executive accountable for the information-security strategy. Owns the risk register, leads incident response, briefs the board, signs off on the residual risk. Under NIS 2 and DORA the accountability is now explicit and personal. The job is governance, not implementation; the hardest part is the boardroom translation.

---

## Commission nationale de l'informatique et des libertés (CNIL)

**URL:** https://cyberacademy.net/resources/encyclopedia/cnil
**Last reviewed:** 2026-05-14

The CNIL is the French data-protection authority, founded in 1978. Enforces the GDPR in France, issues binding decisions and fines, publishes guidance (cookies, biometrics, AI), operates the PIA tool. One of the most active supervisory authorities in the EU; their decisions often set EU-wide precedent.

---

## Cyber Resilience Act (CRA)

**URL:** https://cyberacademy.net/resources/encyclopedia/cra
**Last reviewed:** 2026-05-14

The Cyber Resilience Act is the EU regulation that imposes baseline security obligations on hardware and software products with digital elements sold in Europe. Vendor obligations through the lifecycle: secure-by-design, vulnerability handling, SBOM, five years of patches. Adopted in late 2024, applies from December 2027. Pair with NIS 2 (organisational angle) and AI Act (model angle).

---

## Cybersecurity Maturity Model Certification (CMMC)

**URL:** https://cyberacademy.net/resources/encyclopedia/cmmc
**Last reviewed:** 2026-05-14

CMMC is the cybersecurity maturity model the US Department of Defense imposes on its contractors handling federal contract information and controlled unclassified information. CMMC 2.0 collapsed to three levels (Foundational, Advanced, Expert) aligned with NIST SP 800-171 and 800-172. If you sell to the DoD or sit in their supply chain, you are in scope.
---

## Cybersecurity Practitioner Certification (CSX-P)

**URL:** https://cyberacademy.net/resources/encyclopedia/csx-p
**Last reviewed:** 2026-05-14

CSX-P is the performance-based ISACA cybersecurity practitioner credential. Tested in a live cyber-range environment across the five NIST CSF functions. Less famous than CISM or CISA, but the rare credential where the exam tests what you actually do, not what you can write about.

---

## Data Protection Impact Assessment (DPIA)

**URL:** https://cyberacademy.net/resources/encyclopedia/dpia
**Last reviewed:** 2026-05-14

A DPIA is the structured analysis the GDPR requires before high-risk processing. Documents nature, scope, context, purposes; assesses necessity and proportionality; identifies mitigations. The CNIL ships a free PIA tool — use it. Skipping a DPIA when it was required is one of the cleaner ways to attract a regulator visit.

---

## Data Protection Officer (DPO)

**URL:** https://cyberacademy.net/resources/encyclopedia/dpo
**Last reviewed:** 2026-05-14

The DPO is the GDPR-mandated role that monitors compliance, advises the controller, and acts as the contact point with the supervisory authority. Mandatory for public authorities and for processing that requires large-scale systematic monitoring or special-category data. Independence and management access are the two things auditors actually check.

---

## Defense in depth

**URL:** https://cyberacademy.net/resources/encyclopedia/defense-in-depth
**Last reviewed:** 2026-05-14

Defense in depth is the principle of layering controls so no single failure compromises the system. Network, endpoint, application, data, people, physical — each layer slows the attacker, raises the cost and buys you detection time. Foundational since the 1990s. Auditors expect to see it; vendors love to sell extra layers of it.
---

## Digital Operational Resilience Act (DORA)

**URL:** https://cyberacademy.net/resources/encyclopedia/dora
**Last reviewed:** 2026-05-14

DORA is the EU regulation that imposes a unified resilience framework on financial entities and their critical ICT providers. Five pillars: ICT risk management, incident reporting, resilience testing including TLPT, third-party ICT risk, information-sharing. Applicable since 17 January 2025. It bites harder than NIS 2 on the ICT angle, and lex specialis means it wins for financial entities.

---

## Disaster Recovery (DR)

**URL:** https://cyberacademy.net/resources/encyclopedia/disaster-recovery
**Last reviewed:** 2026-05-14

Disaster recovery is the IT-focused subset of BCM: restoring infrastructure, applications and data after a disruption. The RPO, RTO and runbooks live here. The DR plan that has never been tested end-to-end is a fiction. ISO 24762 used to cover it; current practice points back to ISO 22301 plus the operational runbooks.

---

## Distributed Denial of Service (DDoS)

**URL:** https://cyberacademy.net/resources/encyclopedia/ddos
**Last reviewed:** 2026-05-14

DDoS is the attack that floods a service from many sources to exhaust capacity. Volumetric, protocol or application layer. Mitigation has commoditised (Cloudflare, Akamai, AWS Shield). The risk question is no longer "can we block it" but "are critical services routed through the protection, including the API ones we never see in dashboards".

---

## EBIOS Risk Manager (EBIOS RM)

**URL:** https://cyberacademy.net/resources/encyclopedia/ebios-rm
**Last reviewed:** 2026-05-14

EBIOS Risk Manager is ANSSI's cyber-risk method, focused on strategic attack scenarios. Maps business processes against attacker objectives, then derives the technical controls. Standard in the French public sector and among operators of vital importance. Excellent for showing the board WHY a specific scenario matters; less common in private-sector multinational audits.
---

## EU AI Act (AI Act)

**URL:** https://cyberacademy.net/resources/encyclopedia/ai-act
**Last reviewed:** 2026-05-14

The EU AI Act is the world's first comprehensive AI regulation. Four risk tiers: unacceptable (banned), high (the heavy obligations and conformity assessment), limited (transparency), minimal. Applies in phases until August 2027. Pair it with ISO 42001 if you want a management-system answer rather than a checklist. The GPAI model rules sit on top.

---

## Endpoint Detection and Response (EDR)

**URL:** https://cyberacademy.net/resources/encyclopedia/edr
**Last reviewed:** 2026-05-14

EDR is the agent-based platform that records endpoint activity, detects suspicious behaviour and lets analysts isolate or remediate compromised hosts. XDR extends visibility across endpoints, network and cloud; MDR is the managed-service wrapper. The endpoint is still the most common entry point; EDR is now table stakes, not differentiation.

---

## European Union Agency for Cybersecurity (ENISA)

**URL:** https://cyberacademy.net/resources/encyclopedia/enisa
**Last reviewed:** 2026-05-14

ENISA is the EU cybersecurity agency, headquartered in Athens. Supports member states and EU institutions on cybersecurity policy, operational cooperation and the EU certification framework. Operationally involved in NIS 2 cooperation, DORA implementing standards, and the AI Act security baseline. Their threat-landscape report is the single most-cited yearly publication.

---

## French National Cybersecurity Agency (ANSSI)

**URL:** https://cyberacademy.net/resources/encyclopedia/anssi
**Last reviewed:** 2026-05-14

ANSSI is the French national cybersecurity agency, reporting to the Prime Minister since 2009. National authority for cybersecurity policy in France, qualifies products and service providers, publishes EBIOS Risk Manager, acts as competent authority for NIS 2 transposition. Their qualifications (SecNumCloud, PVID, PASSI) are the gold standard in the French public sector.
---

## General Data Protection Regulation (GDPR)

**URL:** https://cyberacademy.net/resources/encyclopedia/gdpr
**Last reviewed:** 2026-05-14

The GDPR governs personal data in the EU and anywhere serving EU residents. Lawful basis, data-subject rights, accountability, breach notification, supervisory enforcement. The headline fines (20 million euros or 4% of worldwide turnover) get the press; most enforcement actions come through the supervisory dialogue, not the maximum.

---

## ISO 19011 (ISO 19011)

**URL:** https://cyberacademy.net/resources/encyclopedia/iso-19011
**Last reviewed:** 2026-05-14

ISO 19011 is the guidelines standard for auditing management systems. Generic — applies to ISO 27001, 9001, 22301 audits alike. Defines audit principles, programme management, the audit cycle and auditor competence. The Lead Auditor course teaches it; the auditors you meet in the field were trained on it.

---

## ISO 22301 (ISO 22301)

**URL:** https://cyberacademy.net/resources/encyclopedia/iso-22301
**Last reviewed:** 2026-05-14

ISO 22301 is the international standard for business continuity management systems (BCMS). Specifies the requirements to plan, operate, monitor and improve a BCMS that gets critical operations running again after disruption. Increasingly demanded by financial regulators since DORA, and by NIS 2 supervisors for operators of essential services.

---

## ISO 31000 (ISO 31000)

**URL:** https://cyberacademy.net/resources/encyclopedia/iso-31000
**Last reviewed:** 2026-05-14

ISO 31000 is the generic risk-management standard. Principles plus framework plus iterative process. NOT a certifiable management system — there is no ISO 31000 Lead Auditor, despite what some catalogues claim. The PECB path is Foundation → Risk Manager → Lead Risk Manager. Use it when risk is broader than information security alone.
---

## ISO/IEC 27001 (ISO 27001)

**URL:** https://cyberacademy.net/resources/encyclopedia/iso-27001
**Last reviewed:** 2026-05-14

ISO 27001 is the certifiable framework auditors use to grade your information security. The 2022 revision tightened Annex A down to 93 controls across four themes (organisational, people, physical, technological). Your ISMS lives or dies on the Statement of Applicability and the operating evidence. Everyone references it; few run it well.

Certification is a stage 1 documentation review followed by a stage 2 operational evidence audit. Certificates run three-year cycles with annual surveillance audits. Most non-conformities come from inconsistency between the SoA, the risk treatment plan, and what actually happens in the systems.

The 2022 revision merged and reorganised the old 114-control Annex A into 93 controls grouped into four themes. The five-year transition for certificates issued under the 2013 version ends in October 2025; if you are not on 27001:2022 by then, expect your auditor to call.

---

## ISO/IEC 27002 (ISO 27002)

**URL:** https://cyberacademy.net/resources/encyclopedia/iso-27002
**Last reviewed:** 2026-05-14

ISO 27002 is the implementation guidance for ISO 27001's Annex A controls. Not certifiable on its own. Auditors use it when they want to challenge HOW you operate a control, not just whether it is "in place". Treat it as the operational playbook beside the certification standard.

---

## ISO/IEC 27005 (ISO 27005)

**URL:** https://cyberacademy.net/resources/encyclopedia/iso-27005
**Last reviewed:** 2026-05-14

ISO 27005 is the information-security risk methodology that bolts onto ISO 27001. Identification, analysis, evaluation, treatment, acceptance. The 2022 revision aligns with ISO 31000's principles and clarifies the relationship with ISO 27001's Clause 6. Less prescriptive than EBIOS RM but the canonical lingua franca with auditors.
---

## ISO/IEC 27017 (ISO 27017)

**URL:** https://cyberacademy.net/resources/encyclopedia/iso-27017
**Last reviewed:** 2026-05-14

ISO 27017 is the cloud-security control extension to ISO 27001. Adds cloud-specific controls and clarifies the shared-responsibility split between provider and customer. If your ISMS scope includes hyperscaler workloads (AWS, Azure, GCP, OVH), expect auditors to ask which 27017 controls you map onto.

---

## ISO/IEC 27018 (ISO 27018)

**URL:** https://cyberacademy.net/resources/encyclopedia/iso-27018
**Last reviewed:** 2026-05-14

ISO 27018 is the privacy control extension to ISO 27001 for cloud providers acting as processors of personally identifiable information. Bridges ISO 27001 with GDPR processor obligations. Mostly held by hyperscalers, used by their customers as a vendor-due-diligence input.

---

## ISO/IEC 27034 (ISO 27034)

**URL:** https://cyberacademy.net/resources/encyclopedia/iso-27034
**Last reviewed:** 2026-05-14

ISO 27034 is the application security standard. Multi-part. Covers the secure software lifecycle: requirements, design, build, test, deploy, maintain. Less famous than 27001 because it lives inside the SDLC, but the only ISO standard that speaks the language of dev teams. Pairs naturally with OWASP and SBOM practice.

---

## ISO/IEC 27037 (ISO 27037)

**URL:** https://cyberacademy.net/resources/encyclopedia/iso-27037
**Last reviewed:** 2026-05-14

ISO 27037 is the digital forensics standard for identifying, collecting, acquiring and preserving digital evidence. The reference an internal forensic team, a CERT or a litigation-support consultant uses to keep chain-of-custody clean. Treat it as the playbook auditors and lawyers will compare your actions to after an incident.

---

## ISO/IEC 27701 (ISO 27701)

**URL:** https://cyberacademy.net/resources/encyclopedia/iso-27701
**Last reviewed:** 2026-05-14

ISO 27701 is the privacy-information-management extension to ISO 27001.
Adds controller and processor obligations on top of the ISMS. Useful for organisations that want a single certifiable management system covering both security and privacy. Maps onto the GDPR but does not "replace" GDPR compliance work.

---

## ISO/IEC 42001 (ISO 42001)

**URL:** https://cyberacademy.net/resources/encyclopedia/iso-42001
**Last reviewed:** 2026-05-14

ISO 42001 is the first international standard for AI management systems, published end of 2023. The AIMS equivalent of ISO 27001's ISMS. Built for organisations that need to govern AI design, deployment and operation: risk, accountability, transparency, continuous improvement. Maps cleanly onto the AI Act's high-risk obligations.

---

## Identity and Access Management (IAM)

**URL:** https://cyberacademy.net/resources/encyclopedia/iam
**Last reviewed:** 2026-05-14

IAM is the discipline that manages who can access what, when, how and under which conditions. Provisioning, authentication, authorisation, deprovisioning. Identity is the new perimeter. Every Zero Trust architecture is, at the core, a hard IAM problem disguised as a network one.

---

## Information Security Management System (ISMS)

**URL:** https://cyberacademy.net/resources/encyclopedia/isms
**Last reviewed:** 2026-05-14

An ISMS is the documented system you run to protect information assets — risk-based, evidence-backed, under management review. It is not a binder of policies. Auditors do not grade your policies; they grade your operating evidence. Plan-Do-Check-Act cycle, certified under ISO 27001, with the SoA as the central artefact.

---

## Information Systems Audit and Control Association (ISACA)

**URL:** https://cyberacademy.net/resources/encyclopedia/isaca
**Last reviewed:** 2026-05-14

ISACA is the global association for IT audit, security, risk and governance professionals. Founded 1969, headquartered Schaumburg IL, 165,000+ members in 188 countries. Awards CISA, CISM, CRISC, CGEIT, CDPSE, AAIA, CCOA. Publishes COBIT.
Cyber Academy is an ISACA Accredited Premium Partner.

---

## Inherent vs residual risk

**URL:** https://cyberacademy.net/resources/encyclopedia/inherent-residual-risk
**Last reviewed:** 2026-05-14

Inherent risk is the exposure before controls. Residual risk is what remains after the controls operate. Auditors look at the gap: it must be justified, accepted (or treated further) by a named owner, and consistent with the risk appetite. Showing "residual = zero" anywhere in the register is a red flag, not a win.

---

## Lead Auditor

**URL:** https://cyberacademy.net/resources/encyclopedia/lead-auditor
**Last reviewed:** 2026-05-14

Lead Auditor is the PECB credential for practitioners who can plan and lead third-party or internal audits of a management system. Five-day course built on ISO 19011. Entry point to becoming an accredited certification-body auditor. Different mindset from Lead Implementer: evidence, sampling, reporting, interview technique.

---

## Lead Ethical Hacker

**URL:** https://cyberacademy.net/resources/encyclopedia/lead-ethical-hacker
**Last reviewed:** 2026-05-14

Lead Ethical Hacker is the PECB-certified credential for offensive-security practitioners. Covers methodology, scoping, reconnaissance, exploitation, reporting and ethics. The accreditation companion to hands-on credentials like OSCP and CRTO. Pairs with Lead Penetration Testing Professional for engagement leadership.

---

## Lead Implementer

**URL:** https://cyberacademy.net/resources/encyclopedia/lead-implementer
**Last reviewed:** 2026-05-14

Lead Implementer is the PECB credential for practitioners who can plan, build and run a management system based on a specific ISO standard (most often ISO 27001, ISO 42001, ISO 22301). Five-day course, exam, certificate. The implementation half of the ISO discipline; complements Lead Auditor on the audit side.
---

## Least privilege
**URL:** https://cyberacademy.net/resources/encyclopedia/least-privilege
**Last reviewed:** 2026-05-14

Least privilege is the principle that every identity (human or machine) gets the minimum permissions needed for the job, and no more. Sounds obvious; rarely applied. Most data-exfiltration incidents start with an over-permissioned service account that nobody could justify when asked. Pair with regular access reviews.

---

## MITRE ATT&CK
**URL:** https://cyberacademy.net/resources/encyclopedia/mitre-attack
**Last reviewed:** 2026-05-14

MITRE ATT&CK is the open knowledge base of adversary tactics, techniques and procedures (TTPs) observed in the wild. Standard vocabulary for threat-informed defence: detection rules, red-team scenarios, SOC analyst training. Updated continuously, free to use. If your SIEM rules do not reference ATT&CK technique IDs, you are working harder than needed.

---

## Mean Time to Detect / Recover (MTTD / MTTR)
**URL:** https://cyberacademy.net/resources/encyclopedia/mttd-mttr
**Last reviewed:** 2026-05-14

MTTD is the average time from incident start to detection. MTTR is the average time from detection to recovery. Together they are the headline operational metrics for a SOC and an incident response programme. Industry benchmarks float in the days/weeks; mature programmes target hours.

---

## Multi-Factor Authentication (MFA)
**URL:** https://cyberacademy.net/resources/encyclopedia/mfa
**Last reviewed:** 2026-05-14

MFA is the requirement that authentication uses two or more factors from different categories (knowledge, possession, inherence). Not all MFA is equal: SMS and email codes are phishable, push notifications get fatigued, hardware tokens and passkeys are the strong forms. NIS 2 and DORA both mandate "strong" MFA on critical access.
---

## NIS 1 Directive (NIS 1)
**URL:** https://cyberacademy.net/resources/encyclopedia/nis-1
**Last reviewed:** 2026-05-14

NIS 1 (Directive 2016/1148) was the EU's first cross-sector cybersecurity directive, covering operators of essential services and digital service providers. Replaced by NIS 2 in October 2024 because its scope was too narrow, enforcement uneven and incident reporting toothless. Cited here mainly so you know what the "old regime" your colleagues still half-remember actually was.

---

## NIS 2 Directive (NIS 2)
**URL:** https://cyberacademy.net/resources/encyclopedia/nis-2
**Last reviewed:** 2026-05-14

NIS 2 is the EU directive that puts cybersecurity boards on the hook. If you are mid-sized or larger and in any of 18 listed sectors, you are in scope. The clock starts on the first significant incident: 24-hour early warning, 72-hour notification, full report at one month. Penalties bite (10 million euros or 2% of worldwide turnover). Transposition state varies country to country.

Scope expanded massively from NIS 1: energy, transport, finance, health, digital infrastructure, public administration, space, food, chemicals, postal, manufacturing of critical products, research, waste management. Two entity tiers (essential vs important) drive the supervision intensity and the penalty cap.

Article 21 lists ten cybersecurity risk-management measures you must demonstrate: risk policy, incident handling, business continuity, supply chain security, vulnerability handling, training, encryption, access control, MFA, incident reporting. The directive does not say HOW to implement them; ISO 27001 is the most common operational answer.

---

## NIST Cybersecurity Framework (NIST CSF)
**URL:** https://cyberacademy.net/resources/encyclopedia/nist-csf
**Last reviewed:** 2026-05-14

NIST CSF is the cybersecurity framework published by the US National Institute of Standards and Technology.
The 2.0 revision (2024) added "Govern" to the existing five functions (Identify, Protect, Detect, Respond, Recover). Not certifiable; used as a maturity reference. Common companion to ISO 27001 in transatlantic organisations.

---

## NIST SP 800-171
**URL:** https://cyberacademy.net/resources/encyclopedia/nist-800-171
**Last reviewed:** 2026-05-14

NIST SP 800-171 is the US standard that defines security requirements for protecting controlled unclassified information in non-federal systems. The technical backbone of CMMC for defence contractors. Revision 3 (2024) tightened the controls. If you sell to the US DoD, this is mandatory; if you sell only in Europe, it is informational.

---

## Non-conformity (NC)
**URL:** https://cyberacademy.net/resources/encyclopedia/non-conformity
**Last reviewed:** 2026-05-14

A non-conformity is the auditor finding that a requirement is not met. Major NCs threaten the certificate; minor NCs require a corrective action plan with a deadline. Repeated minor NCs in the same area can escalate to major at the next surveillance audit. The goal is not zero NCs — it is honest, traceable corrective action.

---

## PCI DSS
**URL:** https://cyberacademy.net/resources/encyclopedia/pci-dss
**Last reviewed:** 2026-05-14

PCI DSS is the Payment Card Industry Data Security Standard. Mandatory for anyone storing, processing or transmitting cardholder data. Version 4.0.1 is the current revision, fully mandatory since 31 March 2025. Scope-reduction (tokenisation, segmentation) is where the smart money goes; "compliant" is binary, but how small you make the scope is everything.

---

## Patch management
**URL:** https://cyberacademy.net/resources/encyclopedia/patch-management
**Last reviewed:** 2026-05-14

Patch management is the operational process that takes a published fix and applies it across the estate, on a defined SLA, with verification. Often the weakest link: emergency patches collide with change windows, vendor compatibility, third-party dependencies.
The audit always asks for the SLA, the exception list and the metrics.

---

## Penetration testing
**URL:** https://cyberacademy.net/resources/encyclopedia/penetration-testing
**Last reviewed:** 2026-05-14

A penetration test is an authorised, scoped attack simulation to find exploitable weaknesses before real attackers do. Black box / grey box / white box, internal / external, application / infrastructure. Distinguish from a vulnerability scan (automated, breadth) and from a red team (multi-month, objective-based). Reports drive the remediation backlog.

---

## Phishing
**URL:** https://cyberacademy.net/resources/encyclopedia/phishing
**Last reviewed:** 2026-05-14

Phishing is the social-engineering attack that tricks a user into clicking a malicious link, opening a malicious file or revealing credentials. Variants: spear phishing (targeted), whaling (executives), smishing (SMS), vishing (voice), BEC (business email compromise). Training matters; phishing-resistant MFA matters more.

---

## Privacy by design and by default
**URL:** https://cyberacademy.net/resources/encyclopedia/privacy-by-design
**Last reviewed:** 2026-05-14

Privacy by design (GDPR Article 25) is the obligation to bake privacy controls into systems from the requirements stage. Privacy by default is the obligation to make the highest-protection option the standard. Auditors look for documented evidence (DPIA, design review, retention defaults) rather than a slogan in a policy.

---

## Privileged Access Management (PAM)
**URL:** https://cyberacademy.net/resources/encyclopedia/pam
**Last reviewed:** 2026-05-14

PAM is the subset of IAM focused on privileged accounts: admins, root, service accounts, break-glass. Vaults credentials, brokers sessions, records activity. The first thing the attacker goes for after the initial foothold, and the control auditors test hardest under NIS 2 and DORA.
---

## Professional Evaluation and Certification Board (PECB)
**URL:** https://cyberacademy.net/resources/encyclopedia/pecb
**Last reviewed:** 2026-05-14

PECB is the Montreal-based accredited certification body that issues professional credentials on 30+ ISO standards across 150+ countries. Information security, risk, BCM, AI governance, privacy, quality. Cyber Academy is a PECB Gold Partner. The credentials carry PECB branding; the cohorts run through accredited partners.

---

## Pseudonymisation
**URL:** https://cyberacademy.net/resources/encyclopedia/pseudonymisation
**Last reviewed:** 2026-05-14

Pseudonymisation is the GDPR Article 4(5) technique of replacing direct identifiers with reversible tokens, with the key stored separately. Reduces risk and earns regulatory goodwill, but the data is still personal data. Anonymisation is the version that escapes GDPR entirely; pseudonymisation does not. Watch the conflation.

---

## Ransomware
**URL:** https://cyberacademy.net/resources/encyclopedia/ransomware
**Last reviewed:** 2026-05-14

Ransomware is the malware class that encrypts data and demands payment for the key, often paired with data theft and extortion (double extortion). Attack vectors: phishing, internet-facing exposure, supply chain. Insurance pays less, regulators scrutinise more. Pre-event work (backups, segmentation, IR plan) determines the outcome, not the negotiation.

---

## Record of Processing Activities (ROPA)
**URL:** https://cyberacademy.net/resources/encyclopedia/ropa
**Last reviewed:** 2026-05-14

The ROPA is the documented inventory of processing activities required by GDPR Article 30. Controllers list purpose, categories, recipients, retention, transfers; processors list controllers served, categories, transfers. Most organisations underestimate the maintenance work. The supervisory authority asks for the ROPA first when an investigation starts.
---

## Recovery Time and Recovery Point Objectives (RTO / RPO)
**URL:** https://cyberacademy.net/resources/encyclopedia/rto-rpo
**Last reviewed:** 2026-05-14

RTO is the maximum acceptable duration a business process can stay down before unacceptable harm. RPO is the maximum acceptable data loss, expressed as the span of time before the disruption whose data can be lost. Both come out of the BIA. The numbers your CIO writes in the BCP without consulting the business are the numbers that fail under pressure.

---

## Risk appetite
**URL:** https://cyberacademy.net/resources/encyclopedia/risk-appetite
**Last reviewed:** 2026-05-14

Risk appetite is the amount and type of risk the organisation is willing to take to meet its objectives. Set at executive or board level, in writing. Without it, every risk-treatment decision is a personal judgement call by the risk team, and the audit will tear it apart. Pair with risk tolerance (the deviation tolerated around the appetite).

---

## Risk register
**URL:** https://cyberacademy.net/resources/encyclopedia/risk-register
**Last reviewed:** 2026-05-14

The risk register is the canonical, living list of identified risks with their analysis, evaluation, treatment and ownership. Not a one-time spreadsheet. Auditors expect dated entries, named owners, traceable changes and review cycles tied to management review. The board version is shorter; the operational version has everything.

---

## Risk treatment
**URL:** https://cyberacademy.net/resources/encyclopedia/risk-treatment
**Last reviewed:** 2026-05-14

Risk treatment is what you do once you know the risk: avoid, reduce, transfer, accept. Each decision is documented, justified by the risk appetite, and traced through the SoA to the controls and the operating evidence. Most failed audits boil down to one thing: the treatment plan and reality drifted, and nobody updated the SoA.
---

## SOC 2
**URL:** https://cyberacademy.net/resources/encyclopedia/soc-2
**Last reviewed:** 2026-05-14

SOC 2 is the AICPA attestation report on a service organisation's controls covering five trust criteria (security, availability, processing integrity, confidentiality, privacy). The North American canonical report for SaaS vendors; ISO 27001 is the European equivalent. Type I = point-in-time; Type II = operating effectiveness over 6–12 months. Often demanded by enterprise procurement.

---

## Schrems II
**URL:** https://cyberacademy.net/resources/encyclopedia/schrems-ii
**Last reviewed:** 2026-05-14

Schrems II is the 2020 CJEU judgement that struck down the EU-US Privacy Shield and added the Transfer Impact Assessment requirement. Every transfer to a third country now needs a documented analysis of local surveillance law and supplementary measures. Replaced in practice by the EU-US Data Privacy Framework (2023), but the TIA discipline stuck.

---

## Security Information and Event Management (SIEM)
**URL:** https://cyberacademy.net/resources/encyclopedia/siem
**Last reviewed:** 2026-05-14

A SIEM aggregates logs, normalises events and runs detection rules across your stack. The visibility layer the SOC depends on. Modern SIEM vendors (Splunk, Sentinel, Elastic, Sumo) increasingly bundle SOAR and UEBA. The hard work is not buying the SIEM; it is the data engineering and the detection-as-code pipeline that follows.

---

## Security Operations Center (SOC)
**URL:** https://cyberacademy.net/resources/encyclopedia/soc
**Last reviewed:** 2026-05-14

A SOC is the team and toolset that monitors, detects, analyses and responds to security events in real time. Tiered analysts (T1 detection, T2 investigation, T3 threat hunting), 8x5 or 24x7. Internal, outsourced (MSSP) or hybrid. Without a SOC the SIEM is a log archive; with one it is an early-warning system.
---

## Security Orchestration, Automation and Response (SOAR)
**URL:** https://cyberacademy.net/resources/encyclopedia/soar
**Last reviewed:** 2026-05-14

SOAR is the layer that takes SIEM alerts and runs playbooks: enrichment, triage, containment, ticketing. Goal: reduce MTTR and free analysts from copy-paste work. Watch for vendor over-promise: a SOAR is only as good as the playbooks you write and maintain. Most failed SOAR projects ran out of playbook authors.

---

## Stage 1 / Stage 2 audit
**URL:** https://cyberacademy.net/resources/encyclopedia/stage-1-2-audit
**Last reviewed:** 2026-05-14

Initial ISO certification splits into stage 1 (documentation and readiness review, usually 1–2 days) and stage 2 (operational evidence audit, 2–5 days). Stage 1 confirms the management system exists on paper; stage 2 verifies it actually operates. Most "failed" stage 2 audits are stage 1 problems that nobody fixed in between.

---

## Standard Contractual Clauses (SCC)
**URL:** https://cyberacademy.net/resources/encyclopedia/scc
**Last reviewed:** 2026-05-14

SCCs are the European Commission-approved template clauses for transferring personal data to third countries without an adequacy decision. The 2021 SCCs replaced the older versions and, since Schrems II, require a Transfer Impact Assessment (TIA). Mandatory paperwork for anyone using non-EU SaaS providers.

---

## Statement of Applicability (SoA)
**URL:** https://cyberacademy.net/resources/encyclopedia/soa
**Last reviewed:** 2026-05-14

The SoA is the controlled document that tells the auditor which Annex A controls apply to you, why, and where the evidence lives. Mandatory under ISO 27001. Inconsistency between the SoA, the risk treatment plan and actual operations is the most common cause of non-conformities at the stage 2 audit.
---

## Tabletop exercise
**URL:** https://cyberacademy.net/resources/encyclopedia/tabletop
**Last reviewed:** 2026-05-14

A tabletop exercise is a discussion-based simulation of a disruptive scenario with the response team around a table. Cheap, fast, exposes the gaps no document review will. Required practice under ISO 22301, NIS 2 and DORA, and the single highest-ROI activity in a BCM programme. Schedule them quarterly, not annually.

---

## Third-Party Risk Management (TPRM)
**URL:** https://cyberacademy.net/resources/encyclopedia/tprm
**Last reviewed:** 2026-05-14

TPRM is the discipline that governs the risk introduced by suppliers, subcontractors and service providers. Onboarding due diligence, contract clauses, ongoing assurance, off-boarding. Mandated by NIS 2 (supply chain security) and DORA (ICT third-party risk). The CrowdStrike outage, the SolarWinds incident — both made TPRM a board-level conversation.

---

## Threat-Led Penetration Testing (TLPT)
**URL:** https://cyberacademy.net/resources/encyclopedia/tlpt
**Last reviewed:** 2026-05-14

TLPT is the regulator-supervised red-team exercise required by DORA for significant financial entities. Built on the TIBER-EU framework (Threat Intelligence-Based Ethical Red Teaming). Multi-month, intelligence-driven, supervised by the national authority. The most rigorous test a CISO will face, and the one that exposes the SOC for what it really is.

---

## Vulnerability management
**URL:** https://cyberacademy.net/resources/encyclopedia/vulnerability-management
**Last reviewed:** 2026-05-14

Vulnerability management is the cycle of discovering, prioritising, remediating and verifying vulnerabilities in your estate. Scanners flag thousands; the discipline is in the prioritisation (asset criticality + exploit availability + business exposure) rather than the scan. CVE, CVSS and KEV are the vocabulary.
---

## Zero Trust
**URL:** https://cyberacademy.net/resources/encyclopedia/zero-trust
**Last reviewed:** 2026-05-14

Zero Trust is the security model where you stop trusting the network perimeter. Every access decision is authenticated, authorised and contextually evaluated, every time. Identity becomes the perimeter. Born at Forrester, popularised by Google's BeyondCorp, codified by NIST SP 800-207. Read past the vendor pitch decks; it is an architecture, not a product.

---

## ePrivacy Directive (ePrivacy)
**URL:** https://cyberacademy.net/resources/encyclopedia/eprivacy
**Last reviewed:** 2026-05-14

The ePrivacy Directive (2002/58/EC, amended in 2009) is the "cookie law" everyone half-implements. Governs confidentiality of electronic communications and tracking technologies on user devices. Older than GDPR and still in force; the ePrivacy Regulation that was supposed to replace it has been stuck in negotiation since 2017. National DPAs (CNIL, Garante, AEPD) enforce it on their patch.

---

# COURSES CATALOGUE

## CISA: Certified Information Systems Auditor
**URL:** https://cyberacademy.net/courses/cisa
**Issuer:** ISACA
**Level:** practitioner
**Duration:** 4 days
**Price:** Live €2900 · Self-paced €790

The ISACA reference credential for IT audit. Five domains, four-hour exam, the audit credential Big Four engagements default to. Four-day cohort with one re-sit included.

**You will learn how to:**
- Plan and execute a risk-based IS audit aligned with ISACA standards.
- Evaluate governance and management of IT against COBIT and ISO 27001.
- Assess controls across IS acquisition, development and implementation.
- Audit IS operations, business resilience and asset protection.
- Produce audit reports that hold up in a Big Four review.

**For:**
- IT auditors moving from internal audit into a specialised IS audit role.
- Compliance officers in regulated industries (banking, insurance, healthcare).
- Security analysts transitioning into audit or GRC.
- Big Four consultants targeting client-facing engagements.

**NOT for (when you should not take this certification):**
- Aspiring CISOs with no audit interest. CISM is the management-focused alternative.
- Risk managers without an audit angle. CRISC fits better.
- Practitioners under three years of experience. ISACA recognises only experience earned within the ten years preceding the application.

---

## CISM: Certified Information Security Manager
**URL:** https://cyberacademy.net/courses/cism
**Issuer:** ISACA
**Level:** manager
**Duration:** 4 days
**Price:** Live €2900 · Self-paced €790

The ISACA reference credential for security management. Four domains, the cert asked for in roughly 60% of CISO postings. Four-day cohort with one re-sit included.

**You will learn how to:**
- Design and govern an information-security programme aligned with business strategy.
- Run an information risk management process feeding board-level decisions.
- Build and operate the security programme (resourcing, architecture, awareness, vendor risk).
- Lead incident management, from preparation through lessons learned.
- Translate technical security posture into board narrative without losing precision.

**For:**
- Aspiring CISOs and deputy CISOs.
- Security architects moving into people-management roles.
- IT directors taking on the security portfolio.
- Consultants advising on security programme design.

**NOT for (when you should not take this certification):**
- Hands-on security engineers with no management ambition. CISSP or specialised technical credentials fit better.
- IS auditors with no operational interest. CISA stays the primary credential.
- Junior security analysts under three years of experience.

---

## CRISC: Certified in Risk and Information Systems Control
**URL:** https://cyberacademy.net/courses/crisc
**Issuer:** ISACA
**Level:** risk-manager
**Duration:** 4 days
**Price:** Live €2900 · Self-paced €790

The ISACA reference credential for IT risk.
Four domains bridging business risk to IS controls. The natural complement to CISA and to ISO 31000 / 27005 for the ISACA vocabulary.

**You will learn how to:**
- Embed IT risk management into enterprise governance.
- Identify, assess and prioritise IT risk against business objectives.
- Design risk response options aligned with risk appetite and tolerance.
- Monitor IT risk and report to the board in language they act on.
- Map the CRISC vocabulary onto ISO 31000 / 27005 / NIST RMF when working with mixed audits.

**For:**
- IT risk managers, GRC analysts and risk consultants.
- Business analysts moving into IT risk.
- IS auditors expanding from controls testing to risk advisory.
- CISOs and deputy CISOs needing the risk-quantification vocabulary the board recognises.

**NOT for (when you should not take this certification):**
- Pure technical risk practitioners (vulnerability management, threat hunting). Look at CISSP or specialised credentials instead.
- ISO-trained risk practitioners who do not work in an IT or IS context. ISO 31000 Lead Risk Manager is broader.
- Practitioners under three years of relevant work experience.

---

## AAIA: Advanced in AI Audit
**URL:** https://cyberacademy.net/courses/aaia
**Issuer:** ISACA
**Level:** expert
**Duration:** 3 days
**Price:** Live €2500 · Self-paced €490

The ISACA advanced credential for auditors moving into AI. Audit methodology for AI systems, AI risk assessment, AI governance frameworks. Three-day intensive, CISA recommended as foundation.

**You will learn how to:**
- Plan and execute an audit of AI systems against the ISO 42001 AIMS and AI Act obligations.
- Assess model lifecycle controls (data governance, training, validation, monitoring, decommissioning).
- Test AI fairness, explainability and bias-monitoring controls against the regulatory and audit expectations.
- Audit AI vendor risk and third-party model dependencies.
- Produce AI audit reports that withstand notified-body and supervisory-authority review.
**For:**
- Senior IT auditors moving into AI assurance.
- GRC managers building an AI audit programme.
- Compliance officers in regulated industries deploying AI (banking, insurance, healthcare, public sector).
- Big Four senior managers and directors taking on AI engagement leadership.

**NOT for (when you should not take this certification):**
- Practitioners with no audit background. CISA first, then AAIA.
- AI engineers wanting to learn audit. The AAIA assumes audit fluency; ISO 42001 Lead Auditor is a better starting point.
- Junior auditors under two years of experience.

---

## AAIR: Advanced in AI Risk
**URL:** https://cyberacademy.net/courses/aair
**Issuer:** ISACA
**Level:** expert
**Duration:** 3 days
**Price:** Live €2500 · Self-paced €490

The ISACA advanced credential for risk managers building an AI risk programme. AI risk assessment, risk treatment, AI risk governance. Three-day intensive, CRISC recommended as foundation.

**You will learn how to:**
- Integrate AI risk into the enterprise risk-management framework alongside cyber, operational and strategic risk.
- Assess AI risk across the model lifecycle (intake, design, deployment, monitoring, retirement) using AIMS-aligned methodology.
- Quantify AI-specific risks (bias, hallucination, model drift, regulatory exposure under the AI Act) for board reporting.
- Design AI risk treatment options balancing innovation velocity against regulatory and reputational exposure.
- Build AI risk monitoring and reporting telemetry for ongoing oversight.

**For:**
- IT risk managers expanding their portfolio to AI.
- CROs and deputy CROs adding AI to the enterprise risk taxonomy.
- GRC managers building the AI risk workstream.
- Compliance officers in regulated industries quantifying AI exposure for board sign-off.

**NOT for (when you should not take this certification):**
- Practitioners with no risk management background. CRISC or ISO 31000 Lead Risk Manager first.
- AI engineers wanting to learn risk.
AAIR assumes risk-practitioner fluency.
- Junior risk analysts under two years of experience.

---

## AAISM: Advanced in AI Security Management
**URL:** https://cyberacademy.net/courses/aaism
**Issuer:** ISACA
**Level:** expert
**Duration:** 3 days
**Price:** Live €2500 · Self-paced €490

The ISACA advanced credential for security managers building an AI security programme. AI threat modelling, secure model lifecycle, AI security operations. Three-day intensive, CISM recommended as foundation.

**You will learn how to:**
- Design and govern an AI security programme aligned with ISO 42001 and the AI Act.
- Run AI threat modelling (prompt injection, model poisoning, adversarial examples, data exfiltration via inference).
- Operate AI security in production: monitoring, incident response, model drift, supply-chain risk for foundation-model dependencies.
- Integrate AI security into the broader ISMS (ISO 27001) and AIMS (ISO 42001) programmes.
- Translate AI security posture for board and audit committee consumption.

**For:**
- CISOs and deputy CISOs taking on AI security oversight.
- Security programme managers building the AI security workstream.
- Security architects designing AI-system security controls.
- GRC managers integrating AI risk into the security programme.

**NOT for (when you should not take this certification):**
- Pure red-team / offensive AI practitioners. AAISM covers governance and management, not pentesting.
- Hands-on ML engineers wanting to learn security. CISSP or a specialised AI-security technical course fits better.
- Security managers without prior management experience (under three years).

---

## CGEIT: Certified in the Governance of Enterprise IT
**URL:** https://cyberacademy.net/courses/cgeit
**Issuer:** ISACA
**Level:** manager
**Duration:** 4 days
**Price:** Live €2900 · Self-paced €790

The ISACA reference credential for IT governance at executive level.
Five domains covering framework, strategic management, benefits realisation, risk optimisation and resource optimisation. Built for CIOs, governance leads and board-facing IT executives.

**You will learn how to:**
- Design and operate an enterprise IT governance framework aligned with COBIT and the business strategy.
- Lead IT strategic management cycles that the board signs off and audits validate.
- Quantify and report IT investment benefits realisation.
- Integrate IT risk into the enterprise risk-management framework.
- Optimise IT resources (people, technology, vendor partnerships) against governance objectives.

**For:**
- CIOs and deputy CIOs taking the governance portfolio.
- IT governance leads in regulated industries (banking, insurance, utilities, public sector).
- Big Four senior managers running governance reviews.
- Board members on technology or audit committees.

**NOT for (when you should not take this certification):**
- Hands-on IT managers without executive exposure. CISM or CRISC fit better.
- IS auditors looking for an audit credential. CISA stays the primary credential.
- Practitioners under five years of governance-level experience.

---

## CDPSE: Certified Data Privacy Solutions Engineer
**URL:** https://cyberacademy.net/courses/cdpse
**Issuer:** ISACA
**Level:** practitioner
**Duration:** 3 days
**Price:** Live €2900 · Self-paced €790

The ISACA credential at the intersection of privacy and technology. Three domains spanning privacy governance, privacy architecture and data lifecycle. The cert for privacy engineers building GDPR-grade systems, not just policies.

**You will learn how to:**
- Design data architectures that meet GDPR and equivalent privacy regimes by construction.
- Implement privacy controls across the data lifecycle (collection, processing, storage, sharing, deletion).
- Run privacy impact assessments alongside technical controls reviews.
- Translate legal privacy requirements into engineering specifications product teams can ship.
- Operate privacy monitoring and incident response specific to data subject rights and breaches.

**For:**
- Privacy engineers and DPOs with technical depth.
- Data architects and software architects building GDPR-compliant systems.
- Security engineers expanding into privacy-by-design.
- CDPOs supplementing legal expertise with engineering credibility.

**NOT for (when you should not take this certification):**
- Pure legal DPOs without engineering exposure. PECB CDPO fits better.
- Junior privacy analysts under three years of cross-domain experience.

---

## CCOA: Certified Cybersecurity Operations Analyst
**URL:** https://cyberacademy.net/courses/ccoa
**Issuer:** ISACA
**Level:** practitioner
**Duration:** 3 days
**Price:** Live €2200 · Self-paced €690

The ISACA hands-on credential for SOC analysts and cyber-defence operators. Five domains covering monitoring, incident response, threat hunting and threat intelligence. Practitioner-level; the exam mixes scenarios with multiple-choice.

**You will learn how to:**
- Operate a security-monitoring stack (SIEM, EDR, network telemetry) at SOC tier-2 level.
- Run a full incident-response cycle from triage to lessons learned, with the documentation auditors expect.
- Conduct hypothesis-driven threat hunts using MITRE ATT&CK as the navigation grid.
- Consume and produce actionable threat intelligence in standard formats (STIX/TAXII).
- Bridge the cyber-ops floor to the broader GRC programme — incidents into risk, controls into telemetry.

**For:**
- SOC tier-1 analysts levelling up to tier-2.
- Incident-response practitioners adding a recognised credential.
- Threat hunters formalising their methodology.
- Cyber engineers transitioning into a defence-operations role.

**NOT for (when you should not take this certification):**
- GRC practitioners without an ops background. CISA or CISM fits better.
- Aspiring CISOs. Look at CISM.
- Beginners without any hands-on defensive security experience.

---

## COBIT 2019 Foundation
**URL:** https://cyberacademy.net/courses/cobit-foundation
**Issuer:** ISACA
**Level:** foundation
**Duration:** 2 days
**Price:** Live €1250

The entry-level credential for the COBIT 2019 governance framework. Two-day cohort covering the framework structure, principles, design factors and governance system components. Live cohort with ISACA exam included.

**You will learn how to:**
- Navigate the COBIT 2019 framework: governance objectives, management objectives, design factors.
- Apply the governance system design workflow to a real enterprise context.
- Map COBIT to adjacent frameworks (ITIL, ISO 27001, ISO 38500, NIST CSF).
- Position COBIT as the integrating layer above operational standards in a multi-framework programme.

**For:**
- IT managers and GRC analysts entering enterprise IT governance.
- Auditors expanding their framework vocabulary beyond ISO 27001.
- Consultants pitching governance system design engagements.

**NOT for (when you should not take this certification):**
- Hands-on engineers without governance exposure.
- Aspiring CISOs seeking a leadership credential. CISM fits better.

---

## COBIT 2019 Design & Implementation
**URL:** https://cyberacademy.net/courses/cobit-design-implementation
**Issuer:** ISACA
**Level:** practitioner
**Duration:** 3 days
**Price:** Live €1900

The advanced COBIT credential. Three-day cohort focused on applying the design factors to build a tailored governance system, then driving the implementation roadmap. Live cohort with ISACA exam included. Foundation is a prerequisite.

**You will learn how to:**
- Run the COBIT 2019 design workflow end-to-end for a real enterprise.
- Score and apply design factors to focus the governance system.
- Build the implementation roadmap with prioritised goals cascade and capability targets.
- Lead change management for governance adoption across IT and business teams.
**For:**

- IT governance leads delivering the design system in their organisation.
- GRC consultants pitching governance design engagements.
- Internal auditors validating governance system design choices.

**NOT for (when you should not take this certification):**

- Practitioners without COBIT Foundation. Take Foundation first.

---

## Cybersecurity Audit Certificate (ISACA)

**URL:** https://cyberacademy.net/courses/cybersecurity-audit-certificate
**Issuer:** ISACA
**Level:** practitioner
**Duration:** 2 days
**Price:** Live €1450

The ISACA certificate dedicated to cybersecurity audit. Two-day cohort, scenario-driven, designed to bridge classical IS audit (CISA) and modern cyber-defence operations. Useful for auditors evaluating SOC, IR and threat intel programmes.

**You will learn how to:**

- Plan and execute a cybersecurity audit covering monitoring, incident response and threat intelligence.
- Evaluate cyber-defence controls against industry frameworks (NIST CSF, ISO 27001, CIS Controls).
- Audit a SOC: roles, runbooks, telemetry, incident metrics.
- Test breach-readiness exercises and tabletop outcomes against the playbook.

**For:**

- IS auditors expanding into cybersecurity assessment.
- Internal-audit teams adding cyber to the audit-universe taxonomy.
- Big Four auditors covering cyber controls within broader assurance engagements.

**NOT for (when you should not take this certification):**

- Hands-on SOC operators. CCOA fits better.

---

## IT Audit Fundamentals (ISACA)

**URL:** https://cyberacademy.net/courses/it-audit-fundamentals
**Issuer:** ISACA
**Level:** foundation
**Duration:** 2 days
**Price:** Live €1100

The entry-level ISACA certificate on IT audit. Two-day cohort covering audit planning, fieldwork, evidence and reporting through the ISACA vocabulary. A clean on-ramp before CISA.

**You will learn how to:**

- Apply an audit lifecycle to IT-domain controls.
- Plan engagements, gather evidence and draft findings that survive review.
- Distinguish first-, second- and third-line activities in a typical enterprise.
- Position IT audit inside the broader assurance programme.

**For:**

- IT professionals exploring an audit career path.
- GRC analysts at the start of their audit specialisation.
- Consultants preparing for CISA who want a structured warm-up.

**NOT for (when you should not take this certification):**

- Practitioners already operating audit programmes. Move to CISA directly.

---

## IT Risk Fundamentals (ISACA)

**URL:** https://cyberacademy.net/courses/it-risk-fundamentals
**Issuer:** ISACA
**Level:** foundation
**Duration:** 2 days
**Price:** Live €1100

The entry-level ISACA certificate on IT risk. Two-day cohort introducing risk identification, assessment, response and monitoring through the ISACA vocabulary. A clean on-ramp before CRISC.

**You will learn how to:**

- Apply a risk-management lifecycle to IT-domain risks.
- Build a risk register that maps to business impact, not just technical findings.
- Distinguish risk identification, assessment, response and monitoring activities.
- Position IT risk inside the broader enterprise risk programme.

**For:**

- IT professionals new to risk management.
- GRC analysts at the start of their risk-specialisation track.
- Auditors preparing for CRISC who want a structured warm-up.

**NOT for (when you should not take this certification):**

- Practitioners already operating an enterprise risk programme. Move to CRISC directly.

---

## ISO27001 - Foundation

**URL:** https://cyberacademy.net/courses/iso27001-foundation
**Issuer:** PECB
**Level:** foundation
**Duration:** 2 days
**Price:** Live €1099 · Self-paced €499

Official PECB-accredited ISO27001 - Foundation certification training. Live online course with expert instructors and certified-or-refunded guarantee. Enroll...
---

## AI Risk Manager

**URL:** https://cyberacademy.net/courses/ai-risk-manager
**Issuer:** PECB
**Level:** risk-manager
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited AI Risk Manager certification. Live online training with certified-or-refunded guarantee.

---

## Certified Artificial Intelligence Professional (CAIP)

**URL:** https://cyberacademy.net/courses/certified-artificial-intelligence-professional-caip
**Issuer:** PECB
**Level:** expert
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited Certified Artificial Intelligence Professional (CAIP) certification. Live online training with certified-or-refunded guarantee.

---

## Certified CISO by PECB

**URL:** https://cyberacademy.net/courses/certified-ciso-by-pecb
**Issuer:** PECB
**Level:** expert
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

Official PECB-accredited Certified CISO by PECB certification training. Live online course with expert instructors and certified-or-refunded guarantee. Enrol...

---

## Certified Lead Crisis Manager

**URL:** https://cyberacademy.net/courses/certified-lead-crisis-manager
**Issuer:** PECB
**Level:** lead
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited Certified Lead Crisis Manager certification. Live online training with certified-or-refunded guarantee.

---

## PECB CMMC Foundations

**URL:** https://cyberacademy.net/courses/cmmc-foundations
**Issuer:** PECB
**Level:** foundation
**Duration:** 2 days
**Price:** Live €1099 · Self-paced €499

Official PECB-accredited PECB CMMC Foundations certification training. Live online course with expert instructors and certified-or-refunded guarantee. Enroll...

---

## Cyber Threat Analyst

**URL:** https://cyberacademy.net/courses/cyber-threat-analyst
**Issuer:** PECB
**Level:** lead
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited Cyber Threat Analyst certification.
Live online training with certified-or-refunded guarantee.

---

## Cybersecurity Foundation

**URL:** https://cyberacademy.net/courses/cybersecurity-foundation
**Issuer:** PECB
**Level:** foundation
**Duration:** 2 days
**Price:** Live €1099 · Self-paced €499

PECB-accredited Cybersecurity Foundation certification. Live online training with certified-or-refunded guarantee.

---

## DORA Foundation

**URL:** https://cyberacademy.net/courses/dora-foundation
**Issuer:** PECB
**Level:** foundation
**Duration:** 2 days
**Price:** Live €1099 · Self-paced €499

DORA Foundation for the financial sector. ICT risk management and incident reporting. PECB-accredited.

---

## DORA Lead Manager

**URL:** https://cyberacademy.net/courses/dora-lead-manager
**Issuer:** PECB
**Level:** manager
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

Become a certified DORA Lead Manager. Implement digital operational resilience for financial institutions. PECB-accredited course with exam included.

---

## EBIOS Risk Manager

**URL:** https://cyberacademy.net/courses/ebios-risk-manager
**Issuer:** PECB
**Level:** risk-manager
**Duration:** 3 days
**Price:** Live €1699 · Self-paced €599

Official EBIOS RM certification training. Learn the ANSSI 5-workshop risk assessment methodology. PECB-accredited course with practical exercises and exam.

---

## GDPR - Certified Data Protection Officer

**URL:** https://cyberacademy.net/courses/gdpr-certified-data-protection-officer
**Issuer:** PECB
**Level:** expert
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited GDPR - Certified Data Protection Officer certification. Live online training with certified-or-refunded guarantee.

---

## GDPR Foundation

**URL:** https://cyberacademy.net/courses/gdpr-foundation
**Issuer:** PECB
**Level:** foundation
**Duration:** 2 days
**Price:** Live €1099 · Self-paced €499

PECB-accredited GDPR Foundation certification. Live online training with certified-or-refunded guarantee.
---

## ISO 22301 Foundation

**URL:** https://cyberacademy.net/courses/iso-22301-foundation
**Issuer:** PECB
**Level:** foundation
**Duration:** 2 days
**Price:** Live €1099 · Self-paced €499

PECB-accredited ISO 22301 Foundation certification. Live online training with certified-or-refunded guarantee.

---

## ISO 22301 Lead Auditor

**URL:** https://cyberacademy.net/courses/iso-22301-lead-auditor
**Issuer:** PECB
**Level:** lead-auditor
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited ISO 22301 Lead Auditor certification. Live online training with certified-or-refunded guarantee.

---

## ISO 22301 Lead Implementer

**URL:** https://cyberacademy.net/courses/iso-22301-lead-implementer
**Issuer:** PECB
**Level:** lead-implementer
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited ISO 22301 Lead Implementer certification. Live online training with certified-or-refunded guarantee.

---

## ISO 27005 Foundation

**URL:** https://cyberacademy.net/courses/iso-27005-foundation
**Issuer:** PECB
**Level:** foundation
**Duration:** 2 days
**Price:** Live €1099 · Self-paced €499

Official PECB-accredited ISO 27005 Foundation certification training. Live online course with expert instructors and certified-or-refunded guarantee. Enroll ...

---

## ISO 27005 Lead Risk Manager

**URL:** https://cyberacademy.net/courses/iso-27005-lead-risk-manager
**Issuer:** PECB
**Level:** lead-risk-manager
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

Official PECB-accredited ISO 27005 Lead Risk Manager certification training. Live online course with expert instructors and certified-or-refunded guarantee. ...

---

## ISO 27005 Risk Manager

**URL:** https://cyberacademy.net/courses/iso-27005-risk-manager
**Issuer:** PECB
**Level:** risk-manager
**Duration:** 3 days
**Price:** Live €1699 · Self-paced €599

PECB-certified ISO 27005 Risk Manager training. Master information security risk assessment, treatment, and monitoring.
Practical methodology with exam inclu...

---

## ISO 27033 Lead Network Security Manager

**URL:** https://cyberacademy.net/courses/iso-27033-lead-network-security-manager
**Issuer:** PECB
**Level:** lead
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited ISO 27033 Lead Network Security Manager certification. Live online training with certified-or-refunded guarantee.

---

## ISO 27034 Lead Application Security Auditor

**URL:** https://cyberacademy.net/courses/iso-27034-lead-application-security-auditor
**Issuer:** PECB
**Level:** lead
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited ISO 27034 Lead Application Security Auditor certification. Live online training with certified-or-refunded guarantee.

---

## ISO 27034 Lead Application Security Implementer

**URL:** https://cyberacademy.net/courses/iso-27034-lead-application-security-implementer
**Issuer:** PECB
**Level:** lead
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited ISO 27034 Lead Application Security Implementer certification. Live online training with certified-or-refunded guarantee.

---

## ISO 27035 Foundation

**URL:** https://cyberacademy.net/courses/iso-27035-foundation
**Issuer:** PECB
**Level:** foundation
**Duration:** 2 days
**Price:** Live €1099 · Self-paced €499

Official PECB-accredited ISO 27035 Foundation certification training. Live online course with expert instructors and certified-or-refunded guarantee. Enroll ...

---

## ISO 27035 Lead Incident Manager

**URL:** https://cyberacademy.net/courses/iso-27035-lead-incident-manager
**Issuer:** PECB
**Level:** lead
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited ISO 27035 Lead Incident Manager certification. Live online training with certified-or-refunded guarantee.
---

## ISO 27701 Foundation

**URL:** https://cyberacademy.net/courses/iso-27701-foundation
**Issuer:** PECB
**Level:** foundation
**Duration:** 2 days
**Price:** Live €1099 · Self-paced €499

PECB-accredited ISO 27701 Foundation certification. Live online training with certified-or-refunded guarantee.

---

## ISO 27701 Lead Auditor

**URL:** https://cyberacademy.net/courses/iso-27701-lead-auditor
**Issuer:** PECB
**Level:** lead-auditor
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited ISO 27701 Lead Auditor certification. Live online training with certified-or-refunded guarantee.

---

## ISO 27701 Lead Implementer

**URL:** https://cyberacademy.net/courses/iso-27701-lead-implementer
**Issuer:** PECB
**Level:** lead-implementer
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited ISO 27701 Lead Implementer certification. Live online training with certified-or-refunded guarantee.

---

## ISO 31000 Foundation

**URL:** https://cyberacademy.net/courses/iso-31000-foundation
**Issuer:** PECB
**Level:** foundation
**Duration:** 2 days
**Price:** Live €1099 · Self-paced €499

PECB-accredited ISO 31000 Foundation certification. Live online training with certified-or-refunded guarantee.

---

## ISO 31000 Lead Risk Manager

**URL:** https://cyberacademy.net/courses/iso-31000-lead-risk-manager
**Issuer:** PECB
**Level:** lead-risk-manager
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited ISO 31000 Lead Risk Manager certification. Live online training with certified-or-refunded guarantee.

---

## ISO 31000 Risk Manager

**URL:** https://cyberacademy.net/courses/iso-31000-risk-manager
**Issuer:** PECB
**Level:** risk-manager
**Duration:** 3 days
**Price:** Live €1699 · Self-paced €599

PECB-accredited ISO 31000 Risk Manager certification. Live online training with certified-or-refunded guarantee.
---

## ISO 42001 Foundation

**URL:** https://cyberacademy.net/courses/iso-42001-foundation
**Issuer:** PECB
**Level:** foundation
**Duration:** 2 days
**Price:** Live €1099 · Self-paced €499

PECB-accredited ISO 42001 Foundation certification. Live online training with certified-or-refunded guarantee.

---

## ISO 42001 Lead Auditor

**URL:** https://cyberacademy.net/courses/iso-42001-lead-auditor
**Issuer:** PECB
**Level:** lead-auditor
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited ISO 42001 Lead Auditor certification. Live online training with certified-or-refunded guarantee.

---

## ISO 42001 Lead Implementer

**URL:** https://cyberacademy.net/courses/iso-42001-lead-implementer
**Issuer:** PECB
**Level:** lead-implementer
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited ISO 42001 Lead Implementer certification. Live online training with certified-or-refunded guarantee.

---

## ISO 9001 Foundation

**URL:** https://cyberacademy.net/courses/iso-9001-foundation
**Issuer:** PECB
**Level:** foundation
**Duration:** 2 days
**Price:** Live €1099 · Self-paced €499

PECB-accredited ISO 9001 Foundation certification. Live online training with certified-or-refunded guarantee.

---

## ISO 9001 Lead Auditor

**URL:** https://cyberacademy.net/courses/iso-9001-lead-auditor
**Issuer:** PECB
**Level:** lead-auditor
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited ISO 9001 Lead Auditor certification. Live online training with certified-or-refunded guarantee.

---

## ISO 9001 Lead Implementer

**URL:** https://cyberacademy.net/courses/iso-9001-lead-implementer
**Issuer:** PECB
**Level:** lead-implementer
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited ISO 9001 Lead Implementer certification. Live online training with certified-or-refunded guarantee.
---

## ISO27001 - Lead Auditor

**URL:** https://cyberacademy.net/courses/iso27001-lead-auditor
**Issuer:** PECB
**Level:** lead-auditor
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

Official PECB-accredited ISO27001 - Lead Auditor certification training. Live online course with expert instructors and certified-or-refunded guarantee. Enro...

---

## ISO27001 - Lead Implementer

**URL:** https://cyberacademy.net/courses/iso27001-lead-implementer
**Issuer:** PECB
**Level:** lead-implementer
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

Official PECB-accredited ISO27001 - Lead Implementer certification training. Live online course with expert instructors and certified-or-refunded guarantee. ...

---

## ISO27002 Foundation

**URL:** https://cyberacademy.net/courses/iso27002-foundation
**Issuer:** PECB
**Level:** foundation
**Duration:** 2 days
**Price:** Live €1099 · Self-paced €499

Official PECB-accredited ISO27002 Foundation certification training. Live online course with expert instructors and certified-or-refunded guarantee. Enroll t...

---

## ISO27002 Lead Manager

**URL:** https://cyberacademy.net/courses/iso27002-lead-manager
**Issuer:** PECB
**Level:** manager
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

Official PECB-accredited ISO27002 Lead Manager certification training. Live online course with expert instructors and certified-or-refunded guarantee. Enroll...

---

## ISO27002 Manager

**URL:** https://cyberacademy.net/courses/iso27002-manager
**Issuer:** PECB
**Level:** manager
**Duration:** 3 days
**Price:** Live €1699 · Self-paced €599

Official PECB-accredited ISO27002 Manager certification training. Live online course with expert instructors and certified-or-refunded guarantee. Enroll today.
---

## Lead Cloud Security Manager

**URL:** https://cyberacademy.net/courses/lead-cloud-security-manager
**Issuer:** PECB
**Level:** lead
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited Lead Cloud Security Manager certification. Live online training with certified-or-refunded guarantee.

---

## Lead Cybersecurity Manager

**URL:** https://cyberacademy.net/courses/lead-cybersecurity-manager
**Issuer:** PECB
**Level:** manager
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited Lead Cybersecurity Manager certification. Live online training with certified-or-refunded guarantee.

---

## Lead Disaster Recovery Manager

**URL:** https://cyberacademy.net/courses/lead-disaster-recovery-manager
**Issuer:** PECB
**Level:** lead
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited Lead Disaster Recovery Manager certification. Live online training with certified-or-refunded guarantee.

---

## Lead Ethical Hacker

**URL:** https://cyberacademy.net/courses/lead-ethical-hacker
**Issuer:** PECB
**Level:** lead
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited Lead Ethical Hacker certification. Live online training with certified-or-refunded guarantee.

---

## Lead Operational Resilience Manager

**URL:** https://cyberacademy.net/courses/lead-operational-resilience-manager
**Issuer:** PECB
**Level:** lead
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited Lead Operational Resilience Manager certification. Live online training with certified-or-refunded guarantee.

---

## Lead SOC 2 Analyst

**URL:** https://cyberacademy.net/courses/lead-soc-2-analyst
**Issuer:** PECB
**Level:** lead
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited Lead SOC 2 Analyst certification. Live online training with certified-or-refunded guarantee.
---

## NIS 2 Directive Foundation

**URL:** https://cyberacademy.net/courses/nis-2-directive-foundation
**Issuer:** PECB
**Level:** foundation
**Duration:** 2 days
**Price:** Live €1099 · Self-paced €499

PECB-accredited NIS 2 Directive Foundation certification. Live online training with certified-or-refunded guarantee.

---

## NIS 2 Directive Lead Implementer

**URL:** https://cyberacademy.net/courses/nis-2-directive-lead-implementer
**Issuer:** PECB
**Level:** lead-implementer
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited NIS 2 Directive Lead Implementer certification. Live online training with certified-or-refunded guarantee.

---

## NIST Cybersecurity Consultant

**URL:** https://cyberacademy.net/courses/nist-cybersecurity-consultant
**Issuer:** PECB
**Level:** lead
**Duration:** 5 days
**Price:** Live €2499 · Self-paced €899

PECB-accredited NIST Cybersecurity Consultant certification. Live online training with certified-or-refunded guarantee.

---