This article, from CertiKit’s principal consultant Ken Holmes, discusses some of the common roles involved in an information security management system, or ISMS, and some of the training and qualification options available.
The first point to make is that the ISO27001 standard doesn’t specify any particular training or qualifications needed to be part of the ISMS; it’s really based on the judgement of the organization as to what’s appropriate, based largely on an understanding of the risks it faces.
There are a number of roles for which no more than a general knowledge of information security is often needed, such as members of the steering group, asset and risk owners, business team leaders and employees. Usually the standard’s requirements for awareness training are sufficient to cover these roles, although of course more specific training in areas such as risk management never does any harm.
It’s almost certainly around the role of the information security manager, or Chief Information Security Officer, or similar title, that we have most discussion about training and qualifications. This role often acts as the co-ordinator of the ISMS and bridges the gap between the business and the technical side.
So what qualifications, and by implication training, could this role reasonably aspire to? Well, in information security terms there are probably three main bodies offering qualifications that are generally well thought of within the industry.
The first is called ISC2, which offers the Certified Information Systems Security Professional, or CISSP, qualification. This is often taken as the “gold standard” of information security badges. The syllabus covers a number of domains and requires that you pass a lengthy multiple-choice exam and have a certain number of years of relevant experience. If you’re not quite ready for that, ISC2 also offers the SSCP, the Systems Security Certified Practitioner, which has a smaller syllabus, a shorter exam and lower experience requirements.
The second body worth mentioning is ISACA, which provides the Certified Information Security Manager qualification, or CISM. This has a similar format to CISSP in that it has domains, but is less technical in content. Again, there is an exam and there are experience requirements.
Thirdly, there is a range of training options from various bodies specifically aimed at the ISO27001 standard, including Lead Implementer, which usually consists of a five-day classroom course with an exam at the end.
All of these options have ongoing Continual Professional Education, or CPE, requirements, which means that you will need to keep up to date with webinars and other educational and professional activities in order to keep your qualification in good standing. And of course you’ll need to pay the membership fee too.
For the internal auditor role, ISACA has the Certified Information Systems Auditor qualification, which is well regarded, and there are also ISO27001 Internal Auditor and ISO27001 Lead Auditor options, available from a number of organizations, to choose from.
So these are some of your choices; but remember that, from an ISO27001 viewpoint, none of them are essential, and relevant experience counts for a lot too.