ISO/IEC 27021

ISO/IEC 27021:2017 – Information technology — Security techniques — Competence requirements for information security management systems professionals


This standard outlines the competence that ISMS professionals should possess, with the aim of establishing a framework for training and certification of ISO27k implementation and audit professionals.


The standard specifies the knowledge and skills essential for professionals managing ISMSs that are compliant with ISO/IEC 27001, 27002, 27005, and 27007.

Although the standard does not specify a personal certification scheme as such, it serves as a guide for certification schemes run by other organizations.

No provisions are made in the standard for auditor competence.

Objectives and justification

Several training and certification organizations already operate in this area, some of which offer ISO27k-related qualifications such as Lead Auditor and Lead Implementer. Before the release of this standard, they developed their curricula and assessment criteria based on ISO/IEC standards other than ISO27k.

There is a degree of comparability and commonality between the various qualifications provided by ISO/IEC 27021, which makes it easier for employers and recruiters to ascertain the qualifications and skill sets of prospective ISMS employees and candidates.

The structure and content

Specifically, the standard defines an ISMS as one form of management system that requires a combination of competencies in both general business management (such as leadership, communication, planning, and budgeting) and information security/ISMS management (for example, defining the ISMS).

Competencies roughly conform to clauses in the main body of ISO/IEC 27001, with the exception that most of the general management competencies are not directly tied to specific clauses.

A competency can be described in one of four ways:

– Applicable ISO/IEC 27001 clause
– Outcome expected: responsibilities and results of this part of the role
– Knowledge needed: what ISMS professionals need to know
– Required skills: skills the ISMS professional should possess

The standard’s status

This standard was published in 2017.

To fill gaps in the competencies table, ISO/IEC 27001 clauses need to be added: an amendment has been proposed.

As part of a related New Work Item, there will be a requirement for the competence of security testers and evaluators (such as pentesters).


As noted in the NWIP, the curriculum will need to be updated frequently, which presents a problem for SC 27, which is not the most dynamic and responsive body.

Even though the four standards listed in the scope section above are the ‘core standards’, they only represent one-tenth of the ISO27k standard suite. Some might argue that several others are just as critical – for example, the ISO/IEC 27003 and 27004 standards – which might raise questions about information security professionals’ understanding and advanced skills. Besides this, there are some gaps in the competencies table which should be resolved soon through an amendment.

Additionally, information security management differs significantly among different types and sizes of organizations (regardless of ISO27k), so perhaps different levels or tiers of qualification are required (or, to put it differently, different levels of practitioner maturity), ranging from basics up to subject matter expertise? A tier-based system would also promote career development and continuous learning. Considering the standard is intended to guide the development of courses and qualifications, it may be useful to integrate the skill and competency matrix with the level or tier axis, specifying which items people at each level or tier should be aware of and be able to achieve.

Tiered schemes were agreed in principle by the project team, with e-CFs and e-QFs (whatever those might be!) mentioned in the comments. It will be fascinating to see how it plays out in practice.

The standard incorporates the idea of defining a Body of Knowledge to address all the core aspects of governance and management in ISMSs, which can be extended by organizations to address any additional requirements they have in this area.



