Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice

X

When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu
Home Blog ISO27001 Roles and Training

This article from CertiKit’s principal consultant Ken Holmes, discusses some of the common roles involved in an information security management system, or ISMS, and some of the training and qualification options available.

The first point to make is that the ISO27001 standard doesn’t specify any particular training or qualifications needed to be part of the ISMS, it’s really based on the judgement of the organization as to what’s appropriate, based largely on an understanding of the risks it faces.

There are a number of roles for which no more than a general knowledge of information security is often needed, such as within the steering group, asset and risk owners, business team leaders and employees. Usually the requirements of the standard for awareness training are sufficient to cover these roles, although of course more specific training in areas such as risk management never does any harm.

CISO Qualifications

It’s almost certainly around the role of the information security manager, or Chief Information Security Officer, or similar title, that we have most discussion about training and qualifications. This role often acts as the co-ordinator of the ISMS and bridges the gap between the business and the technical.

So what qualifications, and by implication training, could this role reasonably aspire to? Well in information security terms there are probably three main bodies offering qualifications that are generally well thought of within the industry.

The first is called ISC2 which offers the Certified Information Security Systems Professional, or CISSP, qualification. This is often taken as the “gold standard” of information security badges. The syllabus covers a number of domains and requires that you pass a lengthy multiple-choice exam and have a certain number of years of relevant experience. If you’re not quite ready for that, ISC2 also offers the SSCP – the Systems Security Certified Practitioner which has a smaller syllabus, a shorter exam and lower experience requirements.

The second body worth mentioning is ISACA, which provides the Certified Information Security Manager qualification, or CISM. This has a similar format to CISSP in that it has domains, but is less technical in content. Again there is an exam and experience requirements.

Thirdly, there is a range of training options from various bodies specifically aimed at the ISO27001 standard, including Lead Implementer, which usually consists of a five day classroom course with an exam at the end.

Don’t Forget the CPEs

All of these options have ongoing Continual Professional Education, or CPE requirements which means that you will need to keep up to date with webinars and other educational and professional activities in order to keep your qualification in good standing. And of course you’ll need to pay the membership fee too.

Internal Auditors

For the internal auditor role, ISACA has the Certified Information Systems Auditor qualification which is well-regarded, and, available from a number of organizations, there is an ISO27001 Internal Auditor and ISO27001 Lead Auditor options to choose from too.

So these are some of your choices; but remember from an ISO27001 viewpoint none of them are essential, and relevant experience counts for a lot also.

 

More ISO27001 resources

CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources

We’ve helped more than 4000 businesses with their compliance

Testimonials

I really love the introductions and guidance in each document. This makes it so easy to use for my team and the uninitiated to quality management.

Chauncery Ventures
UK

View all Testimonials

Cookie Control

CertiKit uses cookies to improve your user experience. Some are essential for our website to work, but for others you have a choice over which ones you’re happy for us to use.

Please set the controls below to enable or disable the types of cookies shown.

Nice to have cookies
What are these?

Advertising Cookies
What are these?

Cookie Policy