Certified Information Security Management System Auditor (CISMSA)

This course explores the objectives of an ISMS audit and explains the roles and responsibilities of an auditor in ensuring the effectiveness of controls and the improvement of the management system under ISO/IEC 27001:2013.

This course is designed to develop the practical skills and knowledge needed to conduct audits and improve the implementation of an information security management system in accordance with ISO/IEC 27001:2013.


  1. Information Security practitioners
  2. Auditors of any discipline
  3. ISMS developers and management

Module 1: Introduction
  1. Audit Origins
  2. ISO/IEC 27001:2013 – 9.2: Internal Audit

Module 2: Control Objectives & Controls

Group Activity 1: Control Objectives & Controls
  1. Assignment
  2. In-group discussion
  3. Group presentations

Module 3: Audit Cycle
  1. Plan
  2. Execute
  3. Report
  4. Follow-up

Module 4: Audit Cycle: Plan
  1. ISMS Audit Programme
  2. ISMS Audit Parameters
  3. Resources
  4. Audit Plan

Group Activity 2: Audit Plan
  1. Assignment
  2. In-group discussion
  3. Group presentations

Module 5: Audit Cycle: Execute
  1. Opening Meeting
  2. Conduct the Audit
  3. Audit Findings
  4. Closing Meetings

Group Activity 3 (a): Nonconformity Statement
  1. Assignment
  2. In-group discussions
  3. Group presentations
  4. Closing Meetings

Group Activity 3 (b): Conduct the Audit Role-play
  1. Assignment
  2. In-group discussions
  3. Group presentations

Module 6: Audit Cycle: Follow-up
  1. Conducting Audit Follow-up

Module 7: ISMS Certification
  1. Certification Process
  2. Engagement with Certification Body
  3. Preparation for Certification Audit
    • 'To Do' Lists

Ts. Sabariah Binti Ahmad
Head of Department
Information Security Management & Assurance
CyberSecurity Malaysia

Sabariah Ahmad has 27 years of working experience in information security. She is currently with CyberSecurity Malaysia, where she is responsible for implementing the Information Security Management System (ISMS), maintaining ISO/IEC 27001 ISMS certification for CyberSecurity Malaysia, ensuring CyberSecurity Malaysia's survivability and resiliency through business preparedness and continuity management, and delivering services related to information security governance, risk management and compliance (GRC).

She is currently a member of working group WG/G/5-1 Information Security Management System (ISMS). This working group sits under the Industry Standards Committee on Information Technology, Communications and Multimedia (ISC G), the national mirror committee overseeing national and international standardisation activities in the field of IT, communications and multimedia.

Sabariah Ahmad holds a Bachelor's Degree in Computer Science (1993) from Utah State University, Logan, Utah, USA. She is a certified ISO/IEC 27001 Information Security Management Systems (ISMS) and ISO/IEC 22301 Business Continuity Management Systems (BCMS) Lead Auditor, an Associate Business Continuity Professional (ABCP), certified in Governance, Risk and Compliance (CGRC), and holds the GIAC Security Essentials Certification (GSEC). She is also a member of the Malaysia Board of Technologists (MBOT) and ISACA.


En. Abd Rouf Bin Mohammed Sayuti
Head of Department
Corporate Audit, Governance & Integrity
CyberSecurity Malaysia

Abd Rouf is a seasoned internal auditor and trainer based at CyberSecurity Malaysia. He is CyberSecurity Malaysia's Head of the Internal Audit Department, a position he has held since 2007. As the internal audit chief, he is responsible for providing independent and objective assurance to CyberSecurity Malaysia's Board of Directors and Management on the effectiveness of internal control systems and risk management activities. Additionally, he is responsible for advisory services on quality assurance for certification and accreditation audits, as well as advisory and consultation services for operational and fund audits.

Abd Rouf graduated from Western Michigan University, USA, with a Bachelor of Business Administration (Finance), and from Universiti Teknologi MARA with a Diploma in Business Studies. He holds certificates as an ISMS Lead Auditor (BS ISO/IEC 27001:2005) and a Quality Management Systems Auditor (ISO/IEC 9001:1994), and is a Chartered Member of the Institute of Internal Auditors Malaysia (CMIIA). Prior to joining CyberSecurity Malaysia in 2007, Abd Rouf held a variety of internal audit management and staff positions at Malaysia's leading ICT solutions provider, which is listed on the main board of Bursa Malaysia. At CyberSecurity Malaysia, he has led and conducted operational audits, as well as certification/accreditation audits, namely MS ISO/IEC 27001 (ISMS), MS ISO/IEC 17025, MS ISO/IEC 27006, ISO/IEC 17021, ASCLD/LAB-International and the Common Criteria Recognition Arrangement (CCRA), on an annual basis for a wide variety of internal and external clients such as CyberSecurity Malaysia's Security Management & Best Practices Department, Digital Forensics Lab, MySEF Lab, Information Security Certification Body (ISCB), and a renowned financial services organisation in Malaysia.

Abd Rouf's extensive experience, skills and knowledge in internal audit have led him to conduct many internal audit training programmes for management and non-management staff, from government entities to various business industries.

The CISMSA examination is certified by the Global ACE Certification. The examination framework is designed to align with a set of relevant Knowledge, Skills and Attitudes (KSA) that are necessary for an Information Security Awareness Manager. Candidates will be tested via a combination of continual assessment (CA), multiple choice (MC), theory/underpinning knowledge assessment (UK), practical assessment (PA), assignments (AS) and case studies (CS), as required.

Candidates can take the examination at authorised examination centres in participating member countries. Candidates who have passed the CISMSA examination will be eligible to apply as an associate or professional member by fulfilling the membership criteria defined under the Global ACE Certification.



  • 29 - 31 May 2023
  • 25 - 27 September 2023
  • 17 - 19 October 2023
*Dates are tentative unless otherwise specified.

Training Fee: MYR3,780.00
Exam Fee: MYR1,255.80

(subject to 8% SST)


Contact us to request a quotation.

18 CPD Points

Please submit the Certificate of Completion to Global ACE Certification at

