ISO 27001 Competence


Introduction

In this tutorial we are going to cover ISO 27001 Competence. We are looking at competence here as part of the overall ISO 27001 Clause 7 (Support), and it follows on from the previous blog and video – ISO 27001 Resources (Clause 7.1).

You will learn

  • What ISO 27001 Competence is
  • How to implement Competence

Watch

If you prefer to watch rather than read you can watch: How to implement ISO 27001 Clause 7.2 Competence | Step-by-Step Guide

Definition

Let’s have a look at what the definition says so that we know what we’re dealing with. Then we’ll do a bit of a deep dive and some investigation, and I’ll show you how you can go about satisfying it.

So, ISO 27001 Clause 7.2 Competence – the organisation shall:

  • determine the necessary competence of person(s) doing work under its control that affects its information security performance,
  • ensure that these persons are competent on the basis of appropriate education, training or experience,
  • where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken, and
  • retain appropriate documented information as evidence of competence.

Now, there is a note on here that says – applicable actions can include, for example, the provision of training to, the mentoring of, or the reassignment of current employees, or the hiring or contracting of competent persons. Okay, so, that’s what the standard says. What is it looking for?

Implementation Guide

What does it actually want? Well, the way we’re going to satisfy this is by taking one of the High Table ISO 27001 Templates, the ISO 27001 Competency Matrix Template, which is available to download individually or as part of the ultimate ISO 27001 Toolkit. We’re going to go through and populate that, and let me explain how we satisfy the Clause by using it.

What does it mean? It means we’ve got people on the team running our information security management system (ISMS) that have the competence, that know how to run the management system. We cannot have ISO 27001 and go for certification if nobody knows anything about it, nobody has experience in it and nobody has knowledge of it.

What we have to do is make sure that people are competent, and we have to document that: we need documented evidence of it.

You will hear me say time and time again: when it comes to the audit, we play the auditor, not the standard. Every single auditor is different, every auditor will have a different opinion, and some are a little more pedantic than others. So what we’re doing is covering every eventuality, and I’m going to give you every use case and every scenario that could come up.

ISO 27001 Competency Matrix

What I want to do is I want to put together a Competence Matrix.

ISO 27001 Competence Matrix Example

What I want to do within that Competence Matrix is list the people down the left-hand side and the skills across the top.

Assign People

What I’m looking for here are not just employees in general, but the people that are referenced in the ISO 27001 assigned roles and responsibilities document which we saw in ISO 27001 Clause 7.1, or that are assigned to a role within the ISO 27001 accountability RASCI table.

So, what that means is that everybody that is assigned one of the ISO 27001 Clauses, everybody that is assigned one of the ISO 27001 Annex A controls, and everybody that has a role documented in the roles and responsibilities document – the CEO, the leadership team, the management review team, the information security manager, etc. (refer back to ISO 27001 Resources if you want to go through that in more detail) – every single one of those is going to be listed down the left-hand side.

The question that comes up is – do I need every employee? Technically, no, you don’t.

What we are doing here is focusing on the performance of the information security management system (ISMS). We’re focusing on resources specific to the ISMS and its operation. You are going to have other tools in your arsenal for the management of employees, for their competence in role, for their training and for their awareness. This particular Clause is very specifically targeted at the ISMS.

Information Security Skills

What you can see in the example are the Information Security Skills to include in the Competence Matrix. These are a series of columns, shown in green, which are provided by default but which you can change. These are the information security relevant skills. What we need to do is determine the skills, knowledge and experience that we need, and list them. So, based on good practice, what I have provided for you within the template are the industry-standard qualifications and skills you would expect people to have: things like CISSP, CISA and CISM; potentially PCI DSS; potentially GDPR, or data protection, where that has relevance; and then ISO 27001 Lead Auditor and ISO 27001 Lead Implementer. If I was going to do the bare minimum I would just have the ISO 27001 Lead Auditor / ISO 27001 Lead Implementer column, because that is specific to the ISMS, but if you have the other ones, or they are aspirational or relevant to you, then you would include them as well.

So, every single one of those is something that the information security professionals that do what I do for a living would have by default. If there are other information security relevant skills that you either have in your company, that you aspire to, or that you are working towards, then clearly you can list them in there as well. It is going to be very dependent on who you are. You might have network security skills, or AWS security qualifications, skills or experience. There are a host of other things that you may have that you can list in here, and by all means do so.

Education

What you can see in here is that there is a column for Education. Now, you don’t have to include that, but it can be useful just to record – degree, yes or no – whether the person is degree-level educated. You can argue whether or not that is relevant. It’s a nice to have.

If you don’t want it, just remove it. What you can then see to the right of that are the Business Technologies.

Business Technologies

Now, what I like to do on my client engagements is list out the most significant Business Technologies that the business has, and then record competence against each of them. There is an argument that this isn’t necessarily specific to the information security management system, but for me it is, and I have seen pedantic auditors pick up on it. So, for employees that have security-related skills or experience in the business’s technologies, I want to list those technologies and record that competence within this spreadsheet.

Competence Key

The overall spreadsheet, when we’re recording our competence, has a key. You can read the key, but what I’m recording is whether an individual is trained, whether they are experienced, whether training is planned for them, whether there is a gap (i.e. they need the training and the training isn’t currently planned, so we have a gap), or I’m leaving it blank because it’s not applicable. What this allows me to do is have a very visual representation of the level of competence that I have within my team and where my gaps are, so I can plan and structure training and awareness for the team going forward.
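As an added illustration of the two checks described above (the Assign People section: everyone in the roles and responsibilities / RASCI document appears in the matrix; and the Competence Key section: reading off gaps and planned training), here is a small Python script that loads a competence matrix in CSV form and reports on it. This is example code written for this page, not the High Table template or its macros. The key letters (T, E, P, G, blank), the column names, the people and the assigned-roles list are all constructed sample data, not taken from any real matrix.

```python
"""Competence matrix checks for ISO 27001 Clause 7.2 (illustrative example)."""
import csv
from io import StringIO

# Key assumed for this example: one letter per cell, blank = not applicable.
TRAINED, EXPERIENCED, PLANNED, GAP, NOT_APPLICABLE = "T", "E", "P", "G", ""
KEY = {TRAINED, EXPERIENCED, PLANNED, GAP, NOT_APPLICABLE}
ID_COLUMNS = ("Name", "Role")  # non-skill columns on the left of the matrix

# Constructed sample matrix: people down the left, skills across the top.
MATRIX_CSV = """Name,Role,ISO 27001 Lead Auditor/Implementer,CISSP,GDPR,AWS Security
Alice,Information Security Manager,T,E,P,
Bob,CEO,E,,,
Carol,IT Manager,G,,,E
"""

# Constructed list of people named in the roles and responsibilities / RASCI document.
ASSIGNED_PEOPLE = ["Alice", "Bob", "Carol", "Dave"]


def load_matrix(text):
    """Parse the CSV and reject any cell whose value is not in the key."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        for column, value in row.items():
            if column in ID_COLUMNS:
                continue
            if (value or "").strip() not in KEY:
                raise ValueError(f"{row['Name']}: {column}={value!r} is not a key value")
    return rows


def skill_columns(rows):
    """Skill headings in matrix order (everything that is not an ID column)."""
    return [c for c in rows[0].keys() if c not in ID_COLUMNS]


def missing_people(rows, assigned):
    """People assigned a role in the RASCI/roles document but absent from the matrix."""
    present = {row["Name"] for row in rows}
    return sorted(set(assigned) - present)


def cells_marked(rows, marker):
    """Map each person to the skills carrying a given key letter (e.g. GAP or PLANNED)."""
    result = {}
    for row in rows:
        hits = [s for s in skill_columns(rows) if (row[s] or "").strip() == marker]
        if hits:
            result[row["Name"]] = hits
    return result


def blank_for(rows, skill):
    """People with a blank cell for a skill, so N/A can be reviewed against 'forgot to fill in'."""
    return sorted(row["Name"] for row in rows if (row[skill] or "").strip() == NOT_APPLICABLE)


def competence_summary(text, assigned):
    """One-shot report: missing people, open gaps, and planned training."""
    rows = load_matrix(text)
    return {
        "missing_from_matrix": missing_people(rows, assigned),
        "gaps": cells_marked(rows, GAP),
        "training_planned": cells_marked(rows, PLANNED),
    }


if __name__ == "__main__":
    for heading, value in competence_summary(MATRIX_CSV, ASSIGNED_PEOPLE).items():
        print(f"{heading}: {value}")
```

In the constructed sample, Dave is in the assigned-roles list but has no row in the matrix, which is the kind of mismatch an auditor comparing the two documents would pick up, and Carol is flagged as a gap on the Lead Auditor/Implementer column with no training planned.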

Evidence of Competence

For belt and braces – and again, I have seen auditors ask for this – the standard does say to retain evidence of competence. So, in conjunction with HR, you want to be keeping copies of training certificates, online course completions and quiz results that demonstrate that level of competence.

External Employees

This particular competency spreadsheet looks like it is heavily focused on internal employees, but it can include external third parties. Now, when it comes to certification, if you are engaged with a consultant it is usual that you would put the consultant’s name within the Competency Matrix and that they would, in effect, tick the boxes for the skills and experience that you need. The evidence of their competence will either come from them issuing you with their training certificates, or, most likely, it will be the contract you have with them that sets out the products and services they are offering, in which case you are relying on the experience part of the requirement for this Clause. So, if challenged on it – “I can see you’ve used these people but they’re not trained” – experience, in terms of the standard, is technically a very valid basis for competence, and you can argue that experience over training is valid for you. Okay, so, just be aware of the nuance.

Implementation Summary

So that is how I would record competence, and that is how I would implement competence. Again, the top tip would be engaging a professional and then making use of that professional, because you need their knowledge and their experience. Especially at the kick-off and implementation phases, probably up to the first certification, you do need their experience and you do need their knowledge.

Conclusion

So that is ISO 27001 Competence. I am Stuart Barker. I am the ISO 27001 Ninja and, until the next tutorial and deep dive, peas out.
