Introduction
In this tutorial we are going to cover ISO 27001 Competence. We’re looking at competence here as part of the overall ISO 27001 Clause 7 and it follows from the previous blog and video – ISO 27001 Resources.
You will learn
- What ISO 27001 Competence is
- How to implement Competence
Watch
If you prefer to watch rather than read you can watch: How to implement ISO 27001 Clause 7.2 Competence | Step-by-Step Guide
Definition
Let’s have a look at what the definition says so that we know what we’re dealing with. Then we’ll do a bit of a deep dive, do some investigation, and I’ll show you how you can go about satisfying it.
So, ISO 27001 Clause 7.2 Competence – the organisation shall:
- determine the necessary competence of the person or persons doing work under its control that affects its information security performance,
- ensure that these persons are competent on the basis of appropriate education, training or experience,
- where applicable, take actions to acquire the necessary competence and evaluate the effectiveness of those actions, and
- retain appropriate documented information as evidence of competence.
Now, there is a note on here that says applicable actions can include, for example, the provision of training, the mentoring or reassignment of current employees, or the hiring or contracting of competent persons. Okay, so, that’s what the standard says. What is it looking for?
Implementation Guide
What does it actually want? Well, the way we’re going to satisfy this is by taking one of the High Table ISO 27001 Templates, the ISO 27001 Competency Matrix Template, which is available to download individually or as part of the ultimate ISO 27001 Toolkit. We’re going to go through and populate it, and I’ll explain how we satisfy the Clause by using it.
What does it mean? It means that when we’re running our information security management system (ISMS) we’ve got people on the team who have the competence, who know how to run the management system. We cannot have ISO 27001 and go for certification if nobody knows anything about it, has no experience in it and has no knowledge of it.
What we have to do is make sure that people are competent, and we have to document that: we need documented evidence of it.
You will hear me say time and time again that when it comes to the audit, we play the auditor, not the standard. Every single auditor is different, and every auditor will have a different opinion. Some are a little bit more pedantic than others. So, what we’re doing is covering every eventuality, and I’m going to give you every use case, every scenario that could come up.
ISO 27001 Competency Matrix
What I want to do is I want to put together a Competence Matrix.
What I want to do within that Competence Matrix is I want to list down the left-hand side the employees.
Assign People
What I’m looking for here are employees, but specifically the people who are referenced in the ISO 27001 assigned roles and responsibilities document, which we saw in ISO 27001 Clause 7.1, or who are assigned to a role within the ISO 27001 accountability RASCI table.
So, what that means is that everybody who is assigned one of the ISO 27001 Clauses, everybody who is assigned one of the ISO 27001 Annex A controls, and everybody who has a role documented in the roles and responsibilities document, in terms of the CEO, the leadership team, the management review team, the information security manager, etc. (refer back to ISO 27001 Resources if you want to go through that in more detail), every single one of those is going to be listed down the left-hand side.
The question that comes up is: do I need every employee? Technically, no, you don’t.
What I am doing, what we are doing here, is focusing on the performance of the information security management system (ISMS). We’re focusing on the resources specific to the ISMS and its operation. You are going to have other tools in your arsenal for the management of employees, for their competence in role, for their training and for their awareness. The target of this particular Clause is very, very specific.
Information Security Skills
What you can see in the example are the Information Security Skills to include in the Competence Matrix. These are a series of columns, shown in green, which are provided by default but which you can change. They are the information security relevant skills. What we need to do is determine the skills, the knowledge and the experience that we need, and list them. So, based on good practice, what I have provided for you within the template are the industry-standard qualifications, the things you would normally expect people to have: things like CISSP, CISA and CISM; potentially PCI DSS; potentially GDPR, or data protection, where that has relevance; and then ISO 27001 Lead Auditor and ISO 27001 Lead Implementer. If I were going to do the bare minimum I would just have the ISO 27001 Lead Auditor / ISO 27001 Lead Implementer column, because that one is specific. The others you would include if you have them, if they’re aspirational, or if they’re relevant to you.
So, every single one of those is something that the information security professionals who do what I do for a living would clearly have by default. If there are other information security relevant skills that you either have in your company, that you aspire to, or that you are working towards, then clearly you can list them in there as well. It is going to be very dependent on who you are. You know, you might have network security skills, or AWS security qualifications, skills or experience. So, there are a host of other things that you may have that you can list in here, and by all means do so.
Education
What you can see in here is that there is a column for Education. Now, you don’t have to put that in, but it can be useful just to record there whether the person has a degree, yes or no: are they degree-level educated? You can argue whether that is relevant or not. It’s a nice to have.
If you don’t want it, just remove it. What you can then see to the right of that are Business Technologies.
Business Technologies
Now, what I like to do with my clients and on my client engagements is to list out the most significant Business Technologies that the business has, and then record the competence against those. There is an argument that this isn’t necessarily specific to the information security management system, but for me it is, and I have seen pedantic auditors pick up on it. So, for employees who have security related skills or experience in Business Technologies and business related technologies, I want to list those and record them within this spreadsheet.
Competence Key
The overall spreadsheet itself, when we’re recording our competence, has a key. You can read the key, but for me what I’m recording is whether or not an individual is trained, whether or not they are experienced, whether or not training is planned for them, whether or not there is a gap (i.e. they need the training and the training isn’t currently planned, so we have a gap), or I’m leaving it blank because it’s not applicable. What this allows me to do is have a very visual representation of the level of competence that I have within my team and where my gaps are, so that I can plan and structure the training and awareness for the team going forward.
Evidence of Competence
For belt and braces, and again I have seen this picked up, the Clause does say to record evidence of the competence. So, it may well be that, in conjunction with HR, you want to keep copies of any online courses and online course quizzes that people have completed, as these can demonstrate that level of competence.
External Employees
This particular competency spreadsheet looks like it’s heavily focused on internal employees, but it can include external third parties. Now, when it comes to certification, if you are engaged with a consultant it is usual that you would put the consultant’s name within the Competency Matrix, and that they would in theory tick the boxes for the skills and experience that you need. The evidence of their competence will either come from them issuing you with their training certificates or, most likely, from the contract you have with them that sets out the products and services they are offering you, in which case you would be relying on the experience part of the requirement for this particular Clause. So again, if challenged on it (“I can see that you’ve used these people but they’re not trained”), experience in terms of the standard is technically a very valid approach to competence, and you can argue that experience rather than training is valid for you. Okay, so, just be aware of the nuance.
Implementation Summary
So that is how I would record competence, and that is how I would implement competence. Again, yes, the top tip would be engagement with a professional, and then the use of that professional, because you need their knowledge and you need their experience. Especially at the kick-off phase, the implementation phase, and probably up to the first certification, you do need their experience and you do need their knowledge.
Conclusion
So that is ISO 27001 Competence. I am Stuart Barker. I am the ISO 27001 Ninja, and until the next tutorial and deep dive, peace out.