ISO/IEC 27021

ISO/IEC 27021:2017 — Information technology — Security techniques — Competence requirements for information security management systems professionals



“This document specifies the requirements of competence for ISMS professionals leading or involved in establishing, implementing, maintaining and continually improving an information security management system that to ISO/IEC 27001.” [sic]
[Source: SC27 Standing Document 11 (2021)]


In order to stabilize the market for training and certifying professionals for ISO27k implementation and audits, this standard lays out the competence expected of ISMS professionals.



The standard concerns the competences (meaning the combination of knowledge and skills) required or expected of professionals managing an ISMS in accordance with ISO/IEC 27001, 27002, 27005 and 27007.

The standard does NOT specify a personal certification or qualification scheme as such, but in effect serves as a reference for the bodies that run such schemes.

The standard does NOT cover auditor competence.


Purpose and justification

Various training and certification organizations are already active in the field, several of which offer ISO27k-related courses and qualifications such as the ISO/IEC 27001 Lead Auditor and Lead Implementer designations. Prior to the release of this standard, they made up their own curricula and assessment criteria with no guidance from ISO/IEC except the other ISO27k standards.

ISO/IEC 27021 provides a degree of commonality and comparability between the various qualifications, giving recruiters and employers greater confidence in the quality, competence and suitability of qualified candidates and employees for ISMS roles.


Structure and content

The standard starts by explaining that an ISMS is just one form of Management System, requiring a combination of competences in general business management (e.g. leadership and communication, planning and budgeting) plus information security/ISMS management (e.g. scoping the ISMS).

The competences roughly mirror the clauses in the main body of ISO/IEC 27001, except that most of the general management competences are not directly related to specific clauses.

Each competence is described quite succinctly in four ways:

  • Relevant ISO/IEC 27001 clause (where applicable)
  • Intended outcome: what this part of the role entails and is expected to achieve
  • Knowledge required: things the ISMS professional should know about
  • Skills required: things the ISMS professional should be able to do



The standard was published in 2017.

July update: Additional references to ISO/IEC 27001 clauses are to be added to plug gaps in the competencies table. An amendment is nearing publication.

A related New Work Item concerned competence requirements for information security testers and evaluators (e.g. pentesters).


Personal comments

The New Work Item Proposal noted that the curriculum will need to be updated frequently, creating a problem for SC 27, hardly the most dynamic and responsive of bodies - not so much speed boat or even supertanker, as tectonic plate :-)

The four standards listed in the scope section above may be the ‘core standards’ but they represent just one tenth of the growing ISO27k suite. It could be argued that several others are nearly as important (ISO/IEC 27003 and 27004, for example), which begs questions about the breadth and depth of knowledge and competencies truly expected of information security managers. This is in addition to omissions in the competencies table that are to be plugged soon through an amendment.

Another aspect is that (ISO27k notwithstanding) information security management is materially different in different types/sizes of organization, so perhaps there is a need for different levels or tiers of qualification (or practitioner maturity, you could say), from entry-level basics up to subject matter experts? A tiered scheme would also encourage career development and lifelong learning. Since the standard is intended to guide those developing courses and qualifications, it might make sense to incorporate or build the standard around a matrix listing the skills and competencies on one axis and the levels or tiers on another, indicating in the body of the matrix which items people at that level/tier are expected to know about and be competent to perform ... something like this perhaps:


Knowledge, skill or competency area                                        Entry level

Familiarity with the core ISO27k standards 27000, 27001, 27002 and 27005

Familiarity with other ISO27k standards (e.g. 27003, 27004, 27007 ...)

Information risk and security management principles

Information risk and security management methods, frameworks etc.

The idea of a tiered scheme was agreed in principle by the project team, with e-CF and e-QF schemes (whatever they are!) being mentioned in comments: maybe this suggestion will be revisited when the standard is revised.

The standard incorporates the idea of a Body of Knowledge defined in the standard to cover the core aspects of governing and managing an ISMS, but extendable by organizations to address their specific additional requirements in this area.


Copyright © 2021 IsecT Ltd.