Abstract
�“ISO/IEC 27021:2017 specifies the requirements of competence for ISMS professionals leading or involved in establishing, implementing, maintaining and continually improving one or more information security management system processes that conforms to ISO/IEC 27001.”
[Source: ISO/IEC 27021:2017]
Introduction
To help stabilise and standardise the global market for training and certifying professionals for ISO27k implementation and audit work, this standard lays out the competence expected of ISMS professionals.
Scope
The standard concerns the competences (meaning the combination of knowledge and skills) required or expected of professionals managing an ISMS in accordance with ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005 and ISO/IEC 27007.
Note: the standard does not specify a qualification scheme as such, but in effect serves as a reference for the organisations that offer such schemes.
Note: the standard does not cover auditor competence.
Structure
Main clauses:
4: Concept and structure
5: Business management competence for ISMS professionals
6: Information security competence for ISMS professionals
Annex A: Including knowledge for ISMS professionals as parr of a body of knowledge
The standard starts by explaining that an ISMS is just one form of Management System, requiring a combination of competences in general business management (e.g. leadership and communication, planning and budgeting) plus information security/ISMS management (e.g. scoping the ISMS).
The competences roughly mirror the main body clauses of ISO/IEC 27001, except that most of the general management competences are not directly related to specific clauses.
Each competence is described quite succinctly in four ways:
Relevant ISO/IEC 27001 clause (where applicable)
Intended outcome: what this part of the role entails and is expected to achieve
Knowledge required: things the ISMS professional should know about
Skills required: things the ISMS professional should be able to do
Status
The first edition was published in 2017.
Additional references to ISO/IEC 27001 clauses were added to plug gaps in the competencies table through an amendment in 2021: ISO/IEC 27021:2017/Amd1:2021 Information technology - Security techniques - Competence requirements for information security management systems professionals - Amendment 1: Addition of ISO/IEC 27001:2013 clauses or subclauses to competence requirements.
Commentary
Although the title of this standard includes the reserved word ‘requirements’, that should not be taken to imply this is a certifiable standard.
The four standards listed in the scope section above may be the ‘core standards’ but they represent just a fraction of the growing ISO27k suite. It could be argued that several others are nearly as important - ISO/IEC 27003 and ISO/IEC 27004 for examples - which begs questions about the breadth and depth of knowledge and competencies truly expected of information security managers.
Another aspect is that (ISO27k notwithstanding) information security management is materially different in different types/sizes of organisation, so perhaps there is a need for different levels or tiers of qualification (or practitioner maturity, you could say), from entry-level basics up to subject matter experts? A tiered scheme would also encourage career development and lifelong learning. Since the standard is intended to guide those developing courses and qualifications, it might make sense to incorporate or build the standard around a matrix listing the skills and competencies on one axis and the levels or tiers on another, indicating in the body of the matrix which items people at that level/tier are expected to know about and be competent to perform.
The idea of a tiered scheme was agreed in principle by the project team, with e-CF and e-QF schemes (whatever they are!) being mentioned during drafting: maybe this suggestion will be revisited when the standard is next revised.
The standard incorporates the idea of a Body of Knowledge defined in the standard to cover the core aspects of governing and managing an ISMS, but extendable by organisations to address their specific additional requirements in this area.