Last Updated on March 11, 2014
As an ISO 27001 consulting firm, knowing what qualifies an information security professional as ‘competent’ according to the standard is important. A unique approach that combines education and experience can lead to ISO 27001 competence and make an information security professional qualified to help organizations get certified and keep them that way.
In a recent article from the Information Systems Audit and Control Association (ISACA) Journal, Jason Andres describes what it takes to make a good information security professional. It is valuable guidance for those seeking an entry point into the field. Andres outlines three separate paths for professional development in the information security industry: education, experience, and a hybrid of both. At Pivot Point Security, we take the hybrid approach. Our ISO 27001 consultants come to us with a wide range of experience in information technology. They are then trained as Certified Lead Implementers, ensuring that our clients are well prepared for ISO 27001 certification and that their information security management systems (ISMSs) comply with the standard.
My own IT career began with training to support Windows 2000 systems and networks and manage Oracle databases and applications. A few years into my career I got involved with IT auditing and information security auditing. At one point I took a prep course for the Certified Information Systems Auditor exam. Many people in my class had no experience in IT. They were financial auditors looking to advance their careers during the IT and information security boom. Some of them passed the exam, some didn’t. But even the ones that passed were essentially paper tigers, because they had some “book learning” but no first-hand experience.
A similar problem exists in the realm ISO 27001 certification: the consultants that organizations use to implement an information security management system for ISO 27001 certification may be paper tigers who build security around the idea of compliance—while ignoring the realities of operations. The problem is that gaps between security ideals and actual operations always lead to noncompliance eventually. Consultants with a hybrid background of professional development that combines education with experience are in a much better position to provide organizations with “the best of both worlds” when it comes to preparing them for ISO 27001 certification.
Competence on the part of security professionals is one of the requirements of ISO 27001 certification. Clause 7.2 from the 2013 version of the standard states:
The organization shall:
a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.
Achieving certification is just one part of ISO 27001. Maintaining certification is the other part. A consultant can help implement an ISMS for certification purposes, but they can only do so much to keep it certified. Inevitably, that burden will largely fall on internal resources.
When it comes to developing its own information security resources to maintain ISO 27001 certification, a company must determine how it will develop its own staff—by relying on their experience with the organization’s operations, by providing them with education on the ISO 27001 standard, or by ensuring they are exposed to both approaches? The ISO 27001 standard says either method is fine, as long as the professionals involved are “competent.” But at Pivot Point Security, we recommend the hybrid approach.