
This article from CertiKit’s principal consultant Ken Holmes discusses some of the common roles involved in an information security management system, or ISMS, and some of the training and qualification options available for them.

The first point to make is that the ISO27001 standard doesn’t specify any particular training or qualifications needed to be part of the ISMS; it is really left to the judgement of the organization as to what’s appropriate, based largely on an understanding of the risks it faces.

There are a number of roles for which no more than a general knowledge of information security is usually needed, such as members of the steering group, asset and risk owners, business team leaders and employees. The standard’s requirements for awareness training are usually sufficient to cover these roles, although of course more specific training in areas such as risk management never does any harm.

CISO Qualifications

It’s almost certainly around the role of the information security manager, Chief Information Security Officer, or similar title, that there is most discussion about training and qualifications. This role often acts as the co-ordinator of the ISMS and bridges the gap between the business and the technical sides of the organization.

So what qualifications, and by implication training, could this role reasonably aspire to? Well, in information security terms there are probably three main bodies offering qualifications that are generally well thought of within the industry.

The first is ISC2, which offers the Certified Information Systems Security Professional, or CISSP, qualification. This is often taken as the “gold standard” of information security badges. The syllabus covers a number of domains, and the qualification requires that you pass a lengthy multiple-choice exam and have a certain number of years of relevant experience. If you’re not quite ready for that, ISC2 also offers the SSCP, the Systems Security Certified Practitioner, which has a smaller syllabus, a shorter exam and lower experience requirements.

The second body worth mentioning is ISACA, which provides the Certified Information Security Manager qualification, or CISM. This has a similar format to CISSP in that it is organized into domains, but it is less technical in content. Again, there is an exam and there are experience requirements.

Thirdly, there is a range of training options from various bodies specifically aimed at the ISO27001 standard, including Lead Implementer, which usually consists of a five-day classroom course with an exam at the end.

Don’t Forget the CPEs

All of these options have ongoing Continuing Professional Education, or CPE, requirements, which means that you will need to keep up to date with webinars and other educational and professional activities in order to keep your qualification in good standing. And of course you’ll need to pay the membership fee too.

Internal Auditors

For the internal auditor role, ISACA has the Certified Information Systems Auditor qualification, which is well regarded, and there are also ISO27001 Internal Auditor and ISO27001 Lead Auditor options available from a number of organizations.

So these are some of your choices; but remember that from an ISO27001 viewpoint none of them are essential, and relevant experience also counts for a lot.
