What Qualifies an Information Security Professional as ISO 27001 ‘Competent’?

March 11, 2014

Last Updated on January 13, 2024

As an ISO 27001 consulting firm, knowing what qualifies an information security professional as ‘competent’ according to the standard is important. A unique approach that combines education and experience can lead to ISO 27001 competence and make an information security professional qualified to help organizations get certified and keep them that way.
In a recent article from the Information Systems Audit and Control Association (ISACA) Journal, Jason Andres describes what it takes to make a good information security professional. It is valuable guidance for those seeking an entry point into the field. Andres outlines three separate paths for professional development in the information security industry: education, experience, and a hybrid of both. At Pivot Point Security, we take the hybrid approach. Our ISO 27001 consultants come to us with a wide range of experience in information technology. They are then trained as Certified Lead Implementers, ensuring that our clients are well prepared for ISO 27001 certification and that their information security management systems (ISMSs) comply with the standard.
My own IT career began with training to support Windows 2000 systems and networks and manage Oracle databases and applications. A few years into my career I got involved with IT auditing and information security auditing. At one point I took a prep course for the Certified Information Systems Auditor exam. Many people in my class had no experience in IT. They were financial auditors looking to advance their careers during the IT and information security boom. Some of them passed the exam, some didn’t. But even the ones that passed were essentially paper tigers, because they had some “book learning” but no first-hand experience.

ISO 27001 is manageable and not out of reach for anyone!
It’s a process made up of things you already know – and things you may already be doing.
Download our ISO 27001 Roadmap now!

A similar problem exists in the realm ISO 27001 certification: the consultants that organizations use to implement an information security management system for ISO 27001 certification may be paper tigers who build security around the idea of compliance—while ignoring the realities of operations. The problem is that gaps between security ideals and actual operations always lead to noncompliance eventually. Consultants with a hybrid background of professional development that combines education with experience are in a much better position to provide organizations with “the best of both worlds” when it comes to preparing them for ISO 27001 certification.
Competence on the part of security professionals is one of the requirements of ISO 27001 certification. Clause 7.2 from the 2013 version of the standard states:
The organization shall:
a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.
Achieving certification is just one part of ISO 27001. Maintaining certification is the other part. A consultant can help implement an ISMS for certification purposes, but they can only do so much to keep it certified. Inevitably, that burden will largely fall on internal resources.
When it comes to developing its own information security resources to maintain ISO 27001 certification, a company must determine how it will develop its own staff—by relying on their experience with the organization’s operations, by providing them with education on the ISO 27001 standard, or by ensuring they are exposed to both approaches? The ISO 27001 standard says either method is fine, as long as the professionals involved are “competent.” But at Pivot Point Security, we recommend the hybrid approach.

What's Next?

To hear this practical, best-practice oriented show with Temi Adebambo

Click Here

Pivot Point is now part of CBIZ. Click Here for more information.

Blog

What Qualifies an Information Security Professional as ISO 27001 ‘Competent’?

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

How Much Does ISO 27001 Certification Cost in 2024?

What is Distributed Ledger Technology (DLT) and How Can It Simplify Privacy Compliance?

Virtual CISOs and Community Banks—Perfect Together

What is Hedera Hashgraph and How Does It Solve Blockchain Privacy Issues?

Data Privacy Compliance in Higher Ed: Now is the Time

What is a TISAX Simplified Group Assessment and Who Can Use It?

CMMC Proposed Rule Changes: What’s Changing and How to Prepare

What is Kubescape and Why Should We (as Cloud-Native Developers) Care?

Container and Kubernetes Security: A Nontechnical Introduction

What is a Container and Why are They So Popular with Developers?

What is the New Jersey Data Privacy Law, and How Can We Streamline Compliance?

The EU AI Act: 9 Top Questions Answered

SOC 2 Reports – Which Trust Services Criteria Do You Need?

6 Key Takeaways from the 2023 SOC Benchmark Study

CMMC Proposed Rule: New Guidance on CMMC Level 3

The New CMMC Proposed Rule—Answers to Your Top 9 Questions

ISO 27001 Accreditation: Why It Matters for Cloud Service Providers

How to Measure the Value of Information Security

2 Principles to Revolutionize Security Awareness Training

What is Cyversity and How Can It Improve Diversity on My Cybersecurity Team?

How can we help you?

Services

Compliance

Insights

Pivot Point Security