ISO/IEC 27021

Copyright © 2017 IsecT Ltd.

ISO/IEC 27021 Information technology — Security techniques — Competence requirements for information security management system professionals (draft)


In order to stabilize the market for training and certifying professionals for ISO27k implementation and audits, a standard is planned that will lay out the competence requirements for ISMS professionals.


The standard concerns the knowledge, skills and competencies required in respect of ISO/IEC 27001, 27002, 27005 and 27007, i.e. the management of information security.

The standard does NOT specify a personal certification or qualification scheme as such, but in effect serves as a reference for the bodies that run such schemes.

The standard does NOT cover auditor competence.

Purpose and justification

Various training and certification organizations are already active in the information security field, several of which offer ISO27k-related courses and qualifications such as the ISO/IEC 27001 Lead Auditor and Lead Implementer designations. At present, they make up their own curricula and assessment criteria with no guidance from ISO/IEC except the other ISO27k standards. ISO/IEC 27021 should provide a degree of commonality between the various qualifications, giving recruiters and employers greater confidence in the quality, competence and suitability of qualified candidates and employees.

Status of the standard

The standard is at FDIS stage and should surface by the end of 2017.

A related New Work Item concerns competence requirements for information security testers and evaluators (e.g. pentesters).

Personal comments

The NWIP noted that the curriculum will need to be updated frequently, creating a problem for SC 27, hardly the most dynamic and responsive of bodies - not so much speed boat or even supertanker, as tectonic plate :-)

The four standards listed in the scope section above may be the ‘core standards’ but they represent just one tenth of the growing ISO27k suite. It could be argued that several others are nearly as important - ISO/IEC 27003 and 27004 for example - which raises questions about the breadth and depth of knowledge and competencies expected of information security managers.

Another aspect is that (ISO27k notwithstanding) information security management is materially different in different types/sizes of organization, so perhaps there is a need for different levels or tiers of qualification (or practitioner maturity, you could say), from entry-level basics up to subject matter experts? A tiered scheme would also encourage career development and lifelong learning. Since the standard is intended to guide those developing courses and qualifications, it might make sense to incorporate or build the standard around a matrix listing the skills and competencies on one axis and the levels or tiers on another, indicating in the body of the matrix which items people at that level/tier are expected to know about and be competent to perform ... something like this perhaps:

Knowledge, skill or competency area                                        | Entry level |
---------------------------------------------------------------------------|-------------|
Familiarity with the core ISO27k standards 27000, 27001, 27002 and 27005   |             |
Familiarity with other ISO27k standards e.g. 27003, 27004, 27007 ...       |             |
Information security and information risk management principles            |             |
Information security and risk management methods, frameworks etc.          |             |

The idea of a tiered scheme has been agreed in principle by the project team, with e-CF and e-QF schemes (whatever they are!) being mentioned in comments: I will be fascinated to see how it pans out in practice.

The standard now incorporates the idea of a BOK (body of knowledge), defined in the standard to cover the core aspects of governing and managing an ISMS, which organizations can extend to address their own specific additional requirements in this area.