ISO 27001 Competence – Tutorial


Introduction

In this tutorial we are going to cover ISO 27001 Competence.

You will learn

  • What ISO 27001 Competence is
  • How to implement Competence

ISO 27001 Competence

ISO 27001 competence is about ensuring you have the skills and experience to run the information security management system.

What does it mean? It means that the people on the team running your information security management system (ISMS) know how to run the management system.

You cannot have ISO 27001 and go for certification if nobody knows anything about it, has no experience in it and has no knowledge of it.

Implementation Guide

You will make sure that people are competent, and you will document and evidence that.

ISO 27001 Competency Matrix

Competency will be recorded in a competency matrix. This is the record of the relevant skills and experience that people have.

ISO 27001 Competence Matrix Example

Assign People

There are required roles in the information security management system and people need to be assigned to those roles.

The people that are assigned to those roles will have the competence to perform the role, and that competence will be recorded in the competency matrix.

Here you are focusing on the performance of the information security management system (ISMS). Therefore, you are focusing on the resources specific to the ISMS and its operation, not on every role in the business.

Information Security Skills

It is up to you to decide what information security skills you need. There are some industry best practices for you to consider. The examples included in the competency matrix, and the most common qualifications, are:

  • CISSP
  • CISA
  • CISM
  • PCI DSS
  • GDPR / data protection
  • ISO 27001 Lead Auditor
  • ISO 27001 Lead Implementer.

If I was going to do the bare minimum I would just have the ISO 27001 Lead Auditor / ISO 27001 Lead Implementer column, because that is specific; but the other ones, if you have them, or they are aspirational or relevant to you, then you would include them in there.

If there are other information security relevant skills that you either have in your company, that you aspire to, or that you are working towards, then clearly you can list them in there as well. It is going to be very dependent on who you are. You might have network security skills, or AWS security qualifications, skills or experience.

Education

Recording education is optional, but it can be a good foundation and part of the wider evidence of competence and experience.

Business Technologies

Business technologies that the business relies on are something you will also evidence competence in.

There is an argument that it isn’t necessarily specific to the information security management system but I have seen pedantic auditors pick up on this.

Managing Competence

Competence is something that will evolve and will be managed over time.

You will have people who are

  • trained
  • experienced
  • qualified
  • scheduled for planned training
  • carrying a gap in competence

You will evidence that you are managing your requirements for competence, including the planned training and the gaps.

Evidence of Competence

For belt and braces, and again I have seen this, the standard does say to record evidence of the competence.

It may well be that, in conjunction with HR, you keep copies of

  • courses
  • quizzes
  • references
  • certifications

that people have completed and that can demonstrate that level of competence.

External Employees

It can be useful to rely on the competence of third parties. If you engage third parties and consultants, then this is a fast track to the evidence of competence for the areas that they cover, and their qualifications can be recorded in the competency matrix alongside your own staff.


ISO 27001 Competence – Training Video

If you prefer to watch rather than read you can watch: How to implement ISO 27001 Clause 7.2 Competence | Step-by-Step Guide
