
01.02.07

Information security qualifications and ISO 27001

There is increasing pressure on public sector organizations to develop information security systems in line with ISO/IEC 27001:2005, the information security management system (ISMS) standard supported and endorsed by the Cabinet Office and the DTI.

What is not so readily understood, however, is the critical role played by training in any project to implement the standard.

ISO 27001 has two critical requirements where staff training is concerned. The first is that the development, deployment and management of the ISMS must be entrusted to appropriately qualified people; the second is that the information security controls an organization implements as part of its ISO 27001 project will themselves contain an essential element of staff training and awareness. The organizational HR and training function therefore has a critical role to play in any ISO 27001 project.

This training requirement is met through five different categories of training:
• training for the project manager and the information security management specialist
• training for upper management and project team members
• technical training for information security specialists
• general training and awareness for all IT users within the organization, and
• training for the internal lead auditor and for other internal auditing resources

The first type of training should cover all aspects of developing, implementing and managing an ISMS, and includes classes known as ISMS implementation master classes and the BCS qualification, the CISMP. Such courses typically run over 3-5 days and should include a major focus on conducting the information security risk assessment. The ISO 27001 (formerly BS 7799) lead auditor qualification is not suitable training for implementation management: it prepares people to audit an ISMS against the standard, not to build and run one.

The second type of training is a more generalised, basic introduction to the concepts of information security management and ISO 27001. One-day introductory courses on this subject are ideal for all project team members, and various suppliers can provide both public and tailored, in-house courses that meet this need.

Information security specialists should all hold at least one recognised qualification, such as the CISSP or the CISM, as this indicates a level of proficiency in the fundamental technical and technological components of securing information.

HR should be responsible for sourcing and delivering a comprehensive staff briefing, awareness and ongoing training programme which ensures that all users of corporate IT facilities are able to recognise risks to information security and deal with them appropriately.

Finally, whoever is going to be in charge of the organization's efforts to monitor compliance with the ISMS should be ISO 27001 lead auditor qualified, and all staff who contribute to the overall internal audit effort should have a basic level of audit skills training.

Organizations which recognize from the outset the importance of effective training to their project are those which succeed quickly and cost-effectively with their ISO 27001 project.
