Choose your path (PECB or IBITGQ), build a real ISMS portfolio, pass your exam, and turn the credential into career-defining cybersecurity impact.
ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). The current edition, ISO/IEC 27001:2022, is the one that matters in 2026. ISO publishes the standard but does not certify people; personnel certifications are issued by accredited bodies. The Lead Implementer credential proves you can plan, build, operate, and improve an ISMS and guide an organisation through third-party certification.
Master ISO 27001:2022 clauses 4-10, Annex A controls, ISO 27005 risk management, and ISO 19011 audit guidance.
Define scope, context, risk methodology, Statement of Applicability, policies, processes, and measurement frameworks.
PECB: 80 MCQ, open-book, 70% pass. IBITGQ: 40 MCQ, 90 min, 75% pass. Both are internationally accredited (ISO 17024).
Coach organisations through Stage 1 and Stage 2 audits, corrective actions, and continual improvement cycles.
This checklist takes you from "I just heard about ISO 27001" all the way to a certified Lead Implementer with a portfolio employers can evaluate.
Get a copy of the standard (or a free summary) and read clauses 4-10 plus the Annex A control list in full. This orientation ensures the 8-week study plan is reinforcement, not first exposure. Pay attention to clause 6.1 (risk treatment) and 6.1.3 (Statement of Applicability): these are the exam's most tested areas.
Use the PECB vs IBITGQ tab to compare exam format, maintenance model, and credential tiers. Key question: Do you want an open-book exam that scales with experience (PECB), or exam-only flexibility with a clean 3-year recert cycle (IBITGQ)? Your answer determines which course to book and how to structure your notes.
ISO 27002 provides guidance on implementing each Annex A control: it explains the purpose, implementation guidance, and "other information" for all 93 controls. You don't need to memorise it, but knowing the intent and attributes of controls in each theme (Organisational, People, Physical, Technological) makes SoA decisions and exam scenarios much clearer.
Study ISO 27005:2022 and draft a risk methodology for a sample organisation: define risk criteria, likelihood and consequence scales, and risk appetite thresholds. Then build a 10-20 item risk register with threats, vulnerabilities, assets, likelihood/impact scores, risk levels, and treatment decisions. This is the most exam-tested area and your most valuable portfolio artefact.
Using your risk register, map each identified risk to relevant Annex A controls. For each control, document: included/excluded, justification (risk linkage), and implementation status. This forces you to understand the logic behind every control. Even a simplified 15-control SoA for a fictional SaaS startup is highly valuable exam prep and portfolio evidence.
Attend the PECB 5-day Lead Implementer course, BSI's instructor-led class, or an IBITGQ-accredited provider course. Engage actively with case studies; they mirror the scenario logic of both exam types. For PECB, start organising your open-book kit during training (tabbed notes, clause/control reference maps). For IBITGQ, drill MCQ pacing.
Assemble a mini-ISMS portfolio: ISMS scope and context document, ISMS policy, risk register, risk treatment plan, SoA, security KPIs/metrics (clause 9.1), internal audit plan, and a management review pack template. Even if created for a fictional organisation, this portfolio gives you concrete things to discuss in interviews and evidence to submit for PECB credential tiers.
Attempt a timed mock (80 questions / 2 h for PECB; 40 questions / 90 min for IBITGQ). Identify weak domains and close gaps. For PECB, assemble your open-book kit: a printed standard with sticky tabs on each clause, a domain map with clause/control references, and scannable one-pagers per domain. Quick navigation is a skill that saves 15+ minutes on exam day.
Book and sit your exam. For PECB, plan CPD/AMF maintenance from day one. Start a project log (scope, your role, hours, deliverables); it's essential evidence for PECB credential tier progression and a great interview asset. If you're aiming for PECB Lead Implementer tier, you'll need 5 years' total experience (2 in IS management) and 300 ISMS project hours documented.
Both routes are internationally recognised and ISO/IEC 17024-accredited. The right choice depends on your career goals, study style, and maintenance preference. Both paths are described below.
Who it's for: Consultants and in-house leads who want a credential tier that reflects actual implementation experience. PECB is accredited under ISO/IEC 17024 and recognised globally. The open-book exam mirrors real implementation decisions: you use the actual ISO 27001 standard, official course materials, and personal notes during the exam.
Credential tiers (after passing the exam):
Maintenance: Annual CPD reporting and an Annual Maintenance Fee (AMF) to keep your credential active. PECB also offers a "Master" pathway for those who hold both Lead Implementer and Lead Auditor credentials.
Who it's for: Students and early-career professionals who value exam-only flexibility and a clear three-year recertification timeline. IBITGQ is ISO/IEC 17024-accredited by IAS (International Accreditation Service). The closed-book MCQ format suits candidates who have studied thoroughly and want a straightforward assessment.
Exam logistics: Typically 40 multiple-choice questions in 90 minutes. Pass mark is commonly 75%, but verify with your provider at booking; some scheme variants specify 65%. No formal prerequisite to sit the exam, though foundational knowledge of ISO 27001 is strongly recommended.
Maintenance: Recertification exam required every three years. IBITGQ provides a convenient "months 35-38" window for renewal. No annual fee between recertification cycles.
BSI (British Standards Institution) offers instructor-led Lead Implementer training globally, with country-specific calendars and pricing. BSI is an authoritative source: it was the national body that originally developed BS 7799, the precursor to ISO 27001. Their trainers typically have deep audit and implementation experience.
BSI courses may be tied to PECB or their own examination scheme depending on the country. Always confirm which examination and certification body applies to your specific course when booking, and whether the exam is included or priced separately.
Understanding what's tested and how the exam is structured is the fastest path to exam-day confidence. The sections below cover both PECB and IBITGQ formats, domain breakdowns, and what the ISO 27001:2022 update means for your preparation.
The 2022 update replaced the 2013 edition's 14 domains and 114 controls with 4 themes (Organisational, People, Physical, Technological) and 93 controls. The 11 new controls address modern threats: 5.7 Threat intelligence, 5.23 Information security for use of cloud services, 5.30 ICT readiness for business continuity, 7.4 Physical security monitoring, 8.9 Configuration management, 8.10 Information deletion, 8.11 Data masking, 8.12 Data leakage prevention, 8.16 Monitoring activities, 8.23 Web filtering, 8.28 Secure coding.
Exam implication: Expect scenario questions built around these new controls, particularly cloud security, threat intelligence integration, and data leakage prevention. If you studied the 2013 edition, you need to update your knowledge of Annex A before sitting either exam.
This plan assumes you're starting from a general IT or GRC background. Adjust pacing based on your prior ISO 27001 exposure: students new to the standard may want 10-12 weeks; practitioners with IS management experience may compress to 5-6 weeks.
All costs below are indicative; prices vary by region, format, and provider. Always verify current pricing before booking. The "total cost of ownership" comparison between PECB (ongoing AMF) and IBITGQ (3-year recert exam) is important for long-term budgeting.
| Item | PECB | IBITGQ / Other |
|---|---|---|
| 5-day instructor-led course (Asia) | ~THB 51,500-54,900 (Thailand) | ~PHP 42,000 (BSI Philippines) |
| Course (Europe/Online) | Varies by partner; confirm with provider | Varies by accredited provider |
| Exam (included in most courses?) | Usually included; confirm before booking | Exam-only routes available |
| Retake fee | 1 free retake within 12 months | Verify with provider at booking |
| ISO 27001:2022 standard | ~$180-$250 (purchase from ISO) | ~$180-$250 |
| Annual maintenance / AMF | Annual CPD + AMF (verify current rate at pecb.com) | No annual fee |
| Recertification | Ongoing CPD / AMF per year | Recert exam every 3 years |
| Year 1 indicative total | Course + standard + AMF | Course (or exam-only) + standard |
| Ongoing annual cost | AMF + CPD (PECB) | $0 (until recert year) |
Note: Prices fluctuate significantly by region, format (virtual vs. in-person), and provider. Verify all fees directly with PECB (pecb.com), your national BSI office, or your chosen IBITGQ-accredited provider before committing. The ISO standard must be purchased separately unless your provider includes it.
These are the patterns that trip up both exam candidates and real-world implementers. Each is shown with its consequence and the fix.
This is the most common and most damaging mistake. Organisations copy Annex A into a spreadsheet and tick "Yes / No / N/A" for each control without ever asking "which specific risk does this control address?" The result is a voluminous SoA that satisfies no auditor and protects nothing.
The SoA cannot be justified during Stage 2 audit. Auditors ask "what risk does control 8.28 address?" and the implementer has no answer. Major nonconformities delay certification by months and require rework of the entire control selection process.
Start with ISO 27005-aligned risk assessment. Build your risk register first, complete risk treatment decisions, then select Annex A controls that address identified risks. Every included control in the SoA should map to at least one risk entry.
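The risk-driven SoA described in the study plan (risk methodology, risk register, treatment decisions, then control selection) and in the fix above, as an added example that is not part of the original page. The Annex A control numbers and titles are the real ISO/IEC 27001:2022 identifiers; the 1-5 likelihood and consequence scales, the risk appetite threshold, the fictional SaaS startup's risk entries and the control subset are constructed for illustration. The `checklist_soa` function reproduces the anti-pattern from the text so the audit check can flag it.

```python
"""Risk-driven Statement of Applicability (SoA) builder (added example)."""
from dataclasses import dataclass

# Constructed risk methodology: 1-5 ordinal scales, risk level = likelihood x consequence.
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
ACCEPT_MAX = 6  # constructed risk appetite: a level at or below 6 may be retained

# Subset of ISO/IEC 27001:2022 Annex A (real control identifiers and titles).
ANNEX_A = {
    "5.7": "Threat intelligence",
    "5.15": "Access control",
    "5.19": "Information security in supplier relationships",
    "5.23": "Information security for use of cloud services",
    "7.4": "Physical security monitoring",
    "8.5": "Secure authentication",
    "8.8": "Management of technical vulnerabilities",
    "8.12": "Data leakage prevention",
    "8.28": "Secure coding",
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int        # 1-5
    consequence: int       # 1-5
    controls: tuple        # Annex A controls chosen in risk treatment to modify the risk

    @property
    def level(self) -> int:
        return self.likelihood * self.consequence

    def treatment(self) -> str:
        """Treatment decision derived from appetite: retain, modify, or untreated."""
        if self.level <= ACCEPT_MAX:
            return "retain"
        return "modify" if self.controls else "untreated"


# Constructed register for a fictional SaaS startup.
RISK_REGISTER = [
    Risk("R1", "customer database", "credential stuffing", "password-only logins", 4, 5, ("5.15", "8.5")),
    Risk("R2", "production platform", "exploitation of unpatched flaw", "no patch SLA", 3, 4, ("8.8", "5.7")),
    Risk("R3", "source code", "injection flaw shipped to production", "no secure coding standard", 3, 4, ("8.28",)),
    Risk("R4", "cloud tenant", "misconfigured storage exposure", "no cloud security baseline", 3, 5, ("5.23", "8.12")),
    Risk("R5", "office printer logs", "tampering", "unlocked print room", 2, 1, ()),
]


def build_soa(risks, controls=ANNEX_A):
    """Derive the SoA from the register: a control is included only when a
    'modify' treatment decision relies on it; otherwise it is excluded with a
    justification that records the absence of a linked risk."""
    linkage = {cid: [] for cid in controls}
    for r in risks:
        if r.treatment() != "modify":
            continue
        for cid in r.controls:
            if cid not in controls:
                raise ValueError(f"{r.risk_id} references unknown control {cid}")
            linkage[cid].append(r.risk_id)
    soa = {}
    for cid, title in controls.items():
        linked = linkage[cid]
        soa[cid] = {
            "title": title,
            "included": bool(linked),
            "risks": linked,
            "justification": (f"treats {', '.join(linked)}" if linked
                              else "no identified risk requires this control"),
        }
    return soa


def checklist_soa(controls=ANNEX_A):
    """The anti-pattern from the text: tick every control with no risk linkage."""
    return {cid: {"title": t, "included": True, "risks": [], "justification": "best practice"}
            for cid, t in controls.items()}


def unjustified_inclusions(soa):
    """Audit check: included controls that no risk entry justifies."""
    return sorted(cid for cid, entry in soa.items() if entry["included"] and not entry["risks"])


def untreated_risks(risks):
    """Risks above appetite with no treatment controls recorded."""
    return [r.risk_id for r in risks if r.treatment() == "untreated"]


if __name__ == "__main__":
    for cid, entry in build_soa(RISK_REGISTER).items():
        flag = "included" if entry["included"] else "excluded"
        print(f"A.{cid:5} {entry['title']:48} {flag:8} {entry['justification']}")
    print("unjustified in checklist SoA:", unjustified_inclusions(checklist_soa()))
```

Running the script prints the derived SoA, with 5.19 and 7.4 excluded because no register entry relies on them, and then lists every control of the checklist-style SoA as unjustified: that second output is what the Stage 2 question "what risk does this control address?" amounts to.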
Many first-time implementers produce beautifully formatted policies (an ISMS policy, an access control policy, a clear desk policy, a password policy) and then have no measurement system to determine whether any of them are being followed or effective. Clause 9.1 requires you to actually evaluate the performance of the ISMS.
During internal audit, auditors find that policies exist but KPIs are undefined, metrics are not collected, and there is no evidence that management has reviewed security performance. This is a systemic nonconformity against clauses 9.1 and 9.3.
Define 5-10 meaningful security KPIs before implementing any control. Examples: % of staff who completed awareness training, mean time to detect/respond to incidents, % of systems with up-to-date patches, number of open high-risk items. Review them quarterly.
Annex A controls 5.19-5.22 cover supplier relationships, agreements, service delivery management, and changes. The 2022 standard significantly strengthened these requirements. Yet many organisations have a generic supplier questionnaire from 2015 and no ongoing monitoring programme, leaving a critical gap that real-world attackers routinely exploit.
A breach via a third-party supplier exposes sensitive data. During forensics, it emerges there was no due diligence, no contractual security requirements, and no monitoring. This triggers regulatory and certification consequences simultaneously, and auditors will find it at Stage 2.
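The clause 9.1 measurement framework from the fix above, as an added example that is not part of the original page: the KPIs the text suggests (awareness training completion, mean time to detect, mean time to respond, patch currency, open high-risk items) computed from sample ISMS records and compared with targets. The staff, incident, system and risk records, the 30-day patch window, the "high risk" cut-off of 12 and every target value are constructed for illustration; a real programme would set them in its risk methodology and measurement plan.

```python
"""Clause 9.1 KPI computation from ISMS records (added example)."""
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample records for a fictional organisation.
STAFF = [{"user": f"u{i}", "training_done": i != 7} for i in range(10)]  # 9 of 10 trained

INCIDENTS = [
    {"id": "INC-1", "occurred": datetime(2026, 1, 5, 8), "detected": datetime(2026, 1, 5, 20),
     "contained": datetime(2026, 1, 7, 20)},
    {"id": "INC-2", "occurred": datetime(2026, 2, 10, 9), "detected": datetime(2026, 2, 12, 9),
     "contained": datetime(2026, 2, 13, 9)},
]

SYSTEMS = [
    {"host": "web-01", "last_patched": datetime(2026, 2, 20)},
    {"host": "web-02", "last_patched": datetime(2026, 2, 25)},
    {"host": "db-01", "last_patched": datetime(2026, 1, 15)},
    {"host": "app-01", "last_patched": datetime(2026, 2, 1)},
    {"host": "legacy-01", "last_patched": datetime(2025, 12, 1)},
]

RISKS = [  # level = likelihood x consequence on 1-5 scales
    {"id": "R1", "level": 20, "status": "open"},
    {"id": "R2", "level": 12, "status": "closed"},
    {"id": "R3", "level": 12, "status": "open"},
    {"id": "R4", "level": 6, "status": "open"},
]

# Constructed targets: "max" means lower is better, "min" means higher is better.
TARGETS = {
    "training_completion_pct": ("min", 95.0),
    "mttd_hours": ("max", 24.0),
    "mttr_hours": ("max", 72.0),
    "patch_currency_pct": ("min", 90.0),
    "open_high_risks": ("max", 0),
}


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def compute_kpis(staff, incidents, systems, risks, as_of, patch_window_days=30, high_risk_min=12):
    """Return KPI name -> value. Time-based KPIs are None when the period had
    no incidents, rather than silently reporting zero as if detection were instant."""
    kpis = {}
    kpis["training_completion_pct"] = 100.0 * sum(s["training_done"] for s in staff) / len(staff)
    if incidents:
        kpis["mttd_hours"] = mean(_hours(i["detected"] - i["occurred"]) for i in incidents)
        kpis["mttr_hours"] = mean(_hours(i["contained"] - i["detected"]) for i in incidents)
    else:
        kpis["mttd_hours"] = kpis["mttr_hours"] = None
    window = timedelta(days=patch_window_days)
    current = sum(1 for s in systems if as_of - s["last_patched"] <= window)
    kpis["patch_currency_pct"] = 100.0 * current / len(systems)
    kpis["open_high_risks"] = sum(1 for r in risks
                                  if r["status"] == "open" and r["level"] >= high_risk_min)
    return kpis


def evaluate(kpis, targets=TARGETS):
    """KPI name -> (value, target, 'met' | 'not met' | 'no data')."""
    report = {}
    for name, (direction, target) in targets.items():
        value = kpis.get(name)
        if value is None:
            status = "no data"
        elif direction == "max":
            status = "met" if value <= target else "not met"
        else:
            status = "met" if value >= target else "not met"
        report[name] = (value, target, status)
    return report


def sample_kpis(incidents=INCIDENTS, as_of=datetime(2026, 3, 1)):
    """KPIs for the constructed records as of the constructed review date."""
    return compute_kpis(STAFF, incidents, SYSTEMS, RISKS, as_of)


def quarterly_review():
    """Management-review input (clause 9.3): the evaluated KPI table for the period."""
    return evaluate(sample_kpis())


if __name__ == "__main__":
    for name, (value, target, status) in quarterly_review().items():
        print(f"{name:24} {value!s:>8} target {target!s:>6}  {status}")
```

The point of the `None` handling is that a quiet quarter must show as "no data" in the review pack, not as a perfect detection time; auditors reading clause 9.1 evidence look for exactly that kind of distinction.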
Build a tiered supplier classification (critical / significant / standard). For critical suppliers: due diligence questionnaires, contractual security clauses, and annual review meetings. For significant: questionnaire + right-to-audit clause. Monitor all critical suppliers at least annually.
Clause 9.2 requires a programme of internal audits that covers all ISMS scope areas over an appropriate cycle. Many organisations run a single rushed audit one week before the Stage 2 certification audit, with an auditor who has never read ISO 19011 and has a vested interest in finding nothing wrong.
The internal audit finds no nonconformities. The Stage 2 auditor finds 7. The certification body questions the validity of the internal audit programme and raises a nonconformity against clause 9.2 itself, delaying certification and requiring a root cause response.
Plan an internal audit programme that audits all scope areas at least annually, uses competent auditors with ISO 19011 awareness, and follows a structured approach (plan, checklist, observation, finding, report). Run a pilot audit 8-10 weeks before Stage 2 to give time to address findings.
The transition deadline from ISO 27001:2013 to 2022 was October 31, 2025. All new certifications and exams now reference the 2022 edition. Yet plenty of free study materials online still reference the old 14-domain, 114-control structure โ confusing candidates and leading to exam-day surprises.
Exam scenarios reference the 11 new 2022 controls (especially 5.7, 5.23, 8.12, 8.28) and the 4-theme Annex A structure. Candidates who studied the 2013 edition can't map questions to the correct controls and score poorly in Domain 4 (implementation) and Domain 7 (audit readiness).
Verify your study materials explicitly reference ISO 27001:2022 and ISO 27002:2022. Cross-check: does your material list 93 controls in 4 themes? Does it include the 11 new 2022 controls? If not, supplement or replace your materials before sitting the exam.
The questions candidates and early-career professionals ask most frequently about the ISO 27001 Lead Implementer certification.