ISO/IEC 27021

Copyright © 2018 IsecT Ltd.

ISO/IEC 27021:2017 — Information technology — Security techniques — Competence requirements for information security management systems professionals

Introduction

In order to stabilize the market for training and certifying professionals for ISO27k implementation and audits, this standard lays out the competence requirements for ISMS professionals.

Scope

The standard concerns the competences (meaning the combination of knowledge and skills) required or expected of professionals managing an ISMS in accordance with ISO/IEC 27001, 27002, 27005 and 27007.

The standard does NOT specify a personal certification or qualification scheme as such, but in effect serves as a reference for the bodies that run such schemes.

The standard does NOT cover auditor competence.

Purpose and justification

Various training and certification organizations are already active in the field, several of which offer ISO27k-related courses and qualifications such as the ISO/IEC 27001 Lead Auditor and Lead Implementer designations. Prior to the release of this standard, they made up their own curricula and assessment criteria with no guidance from ISO/IEC except the other ISO27k standards.

ISO/IEC 27021 provides a degree of commonality and comparability between the various qualifications, giving recruiters and employers greater confidence in the quality, competence and suitability of qualified candidates and employees for ISMS roles.

Structure and content

The standard starts by explaining that an ISMS is just one form of Management System, requiring a combination of competences in general business management (e.g. leadership and communication, planning and budgeting) plus information security/ISMS management (e.g. scoping the ISMS).

The competences roughly mirror the clauses in the main body of ISO/IEC 27001, except that most of the general management competences are not directly related to specific clauses.

Each competence is described quite succinctly under four headings:

  • Relevant ISO/IEC 27001 clause (where applicable)
  • Intended outcome: what this part of the role entails and is expected to achieve
  • Knowledge required: things the ISMS professional should know about
  • Skills required: things the ISMS professional should be able to do

Status

The standard was published in October 2017.

A related New Work Item concerns competence requirements for information security testers and evaluators (e.g. pentesters).

Personal comments

The NWIP (New Work Item Proposal) noted that the curriculum will need to be updated frequently, creating a problem for SC 27, hardly the most dynamic and responsive of bodies - not so much speed boat or even supertanker, as tectonic plate :-)

The four standards listed in the scope section above may be the ‘core standards’ but they represent just one tenth of the growing ISO27k suite. It could be argued that several others are nearly as important - ISO/IEC 27003 and 27004, for example - which raises questions about the breadth and depth of knowledge and competencies truly expected of information security managers.

Another aspect is that (ISO27k notwithstanding) information security management is materially different in different types/sizes of organization, so perhaps there is a need for different levels or tiers of qualification (or practitioner maturity, you could say), from entry-level basics up to subject matter experts? A tiered scheme would also encourage career development and lifelong learning. Since the standard is intended to guide those developing courses and qualifications, it might make sense to incorporate or build the standard around a matrix listing the skills and competencies on one axis and the levels or tiers on another, indicating in the body of the matrix which items people at that level/tier are expected to know about and be competent to perform ... something like this perhaps:

  Knowledge, skill or competency area                                         Entry level   Practitioner   Expert
  --------------------------------------------------------------------------  -----------   ------------   ---------
  Familiarity with the core ISO27k standards 27000, 27001, 27002 and 27005    Required      Required       Required
  Familiarity with other ISO27k standards (e.g. 27003, 27004, 27007 ...)      -             Suggested      Required
  Information risk and security management principles                         Required      Required       Required
  Information risk and security management methods, frameworks etc.           -             Suggested      Required
  etc.

The idea of a tiered scheme has been agreed in principle by the project team, with e-CF and e-QF schemes (whatever they are!) being mentioned in comments: I will be fascinated to see how it pans out in practice.

The standard also incorporates the idea of a BOK (body of knowledge), defined in the standard to cover the core aspects of governing and managing an ISMS, but extendable by organizations to address their own additional requirements in this area.
