Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice


When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

This article from CertiKit’s principal consultant Ken Holmes, discusses some of the common roles involved in an information security management system, or ISMS, and some of the training and qualification options available.

The first point to make is that the ISO27001 standard doesn’t specify any particular training or qualifications needed to be part of the ISMS, it’s really based on the judgement of the organization as to what’s appropriate, based largely on an understanding of the risks it faces.

There are a number of roles for which no more than a general knowledge of information security is often needed, such as within the steering group, asset and risk owners, business team leaders and employees. Usually the requirements of the standard for awareness training are sufficient to cover these roles, although of course more specific training in areas such as risk management never does any harm.

CISO Qualifications

It’s almost certainly around the role of the information security manager, or Chief Information Security Officer, or similar title, that we have most discussion about training and qualifications. This role often acts as the co-ordinator of the ISMS and bridges the gap between the business and the technical.

So what qualifications, and by implication training, could this role reasonably aspire to? Well in information security terms there are probably three main bodies offering qualifications that are generally well thought of within the industry.

The first is called ISC2 which offers the Certified Information Security Systems Professional, or CISSP, qualification. This is often taken as the “gold standard” of information security badges. The syllabus covers a number of domains and requires that you pass a lengthy multiple-choice exam and have a certain number of years of relevant experience. If you’re not quite ready for that, ISC2 also offers the SSCP – the Systems Security Certified Practitioner which has a smaller syllabus, a shorter exam and lower experience requirements.

The second body worth mentioning is ISACA, which provides the Certified Information Security Manager qualification, or CISM. This has a similar format to CISSP in that it has domains, but is less technical in content. Again there is an exam and experience requirements.

Thirdly, there is a range of training options from various bodies specifically aimed at the ISO27001 standard, including Lead Implementer, which usually consists of a five day classroom course with an exam at the end.

Don’t Forget the CPEs

All of these options have ongoing Continual Professional Education, or CPE requirements which means that you will need to keep up to date with webinars and other educational and professional activities in order to keep your qualification in good standing. And of course you’ll need to pay the membership fee too.

Internal Auditors

For the internal auditor role, ISACA has the Certified Information Systems Auditor qualification which is well-regarded, and, available from a number of organizations, there is an ISO27001 Internal Auditor and ISO27001 Lead Auditor options to choose from too.

So these are some of your choices; but remember from an ISO27001 viewpoint none of them are essential, and relevant experience counts for a lot also.

We’ve helped more than 4000 businesses with their compliance


The kit did 90% of the work for me.


View all Testimonials