Train Your Team to Ensure You Achieve ISO 27001 Certification

Implementing an ISO 27001-compliant ISMS (information security management system) can seem complex, and it’s often difficult to know how the Standard’s specifications should be applied to your organisation.

Failure to understand or comply with the requirements of the Standard could jeopardise your implementation project. It will likely mean you fail the certification audit, potentially costing your organisation dearly in wasted effort and delayed certification.

Your implementation team must be appropriately trained to ensure the success of your ISO 27001 project.

Leadership is key

The ISO 27001 lead implementer role is demanding. It requires in-depth knowledge of the Standard and the skills to develop a management framework that meets the requirements of an external audit by a certification body.

The lead implementer’s responsibilities include determining the scope of the ISMS, allocating roles and responsibilities, risk management, creating policies and ensuring continual improvement.

They are also usually responsible for selecting and training an implementation team that includes risk management, information security, audit and compliance specialists.

Risk management skills are essential

ISO 27001 requires organisations to assess their information security risks, to treat those risks and record the actions taken, and to document which Annex A controls have been applied (and why) in a Statement of Applicability. The ISO 27005 risk management standard provides guidance on how to conduct the information security risk assessment and treatment that ISO 27001 requires, both for initial certification and for maintaining compliance afterwards.

The ability to deliver practical risk management is therefore an essential skill for your ISO 27001 implementation team.

The role of the internal auditor

An internal auditor is crucial to ensuring continual compliance with ISO 27001. Clause 9.2 of the Standard states that the purpose of an internal audit is to determine whether an organisation’s ISMS conforms to ISO 27001 and is implemented and maintained effectively.

Smaller organisations may only need one internal auditor, but larger organisations usually require several to cover all departments.

Prepare for your ISO 27001 audit

ISO 27001 certification is achieved by satisfying the requirements of an external audit delivered by a certification body such as BSI, LRQA or DNV.

This audit is performed by an independent ISO 27001 lead auditor. To prepare for the audit and improve the chances of a successful outcome, we always recommend that at least one member of the organisation's implementation team also has the skills and knowledge of an ISO 27001 lead auditor, so the team can assess its own ISMS the way the certification body will.

Don’t forget the rest of the team

A typical ISO 27001 implementation team will include senior-level IT staff such as IT directors, IT managers and information (or cyber) security managers. Others include GDPR managers, compliance officers and HR managers. All team members need to be aware of the basic requirements of ISO 27001 and educated to at least an introductory (foundation) level.

IT Governance created the world’s first certificated ISO 27001 education programme, which offers training courses from foundation to advanced level. All courses offer participants the opportunity to enhance their career by attaining industry-standard ISO 17024-certificated qualifications awarded by IBITGQ.

Our ISO 27001 Roles Learning Path provides a unique guide to help you decide which training courses and qualifications will help develop the skills of your ISO 27001 implementation team.