Information technology — Security techniques — Competence requirements for information security management systems professionals

ISO/IEC 27021:2017 specifies the competence requirements for ISMS professionals leading or involved in establishing, implementing, maintaining and continually improving one or more information security management system processes that conform to ISO/IEC 27001.

French title: Information technology — Security techniques — Competence requirements for information security management system professionals

General Information

Status: Published
Publication Date: 30-Oct-2017
Current Stage: 9060 - Close of review
Start Date: 03-Jun-2028
Buy Standard

Standard: ISO/IEC 27021:2017 - Information technology -- Security techniques -- Competence requirements for information security management systems professionals
English language, 21 pages

Standards Content (Sample)

INTERNATIONAL STANDARD ISO/IEC 27021
First edition, 2017-10
Information technology — Security techniques — Competence requirements for information security management systems professionals
French title: Information technology — Security techniques — Competence requirements for information security management system professionals
Reference number: ISO/IEC 27021:2017(E)
© ISO/IEC 2017


COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2017, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2017 – All rights reserved


Contents
Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Concept and structure ... 1
4.1 General ... 1
4.2 Concept of ISMS competence ... 2
4.3 Structure of ISMS competence ... 2
4.4 Demonstration of competence ... 3
4.5 Structure of this document ... 3
5 Business management competence for ISMS Professionals ... 3
5.1 General ... 3
5.2 Competence: Leadership ... 3
5.3 Competence: Communication ... 4
5.4 Competence: Business Strategy and ISMS ... 4
5.5 Competence: Organization design, culture, behaviour and stakeholder management ... 5
5.6 Competence: Process design and organizational change management ... 5
5.7 Competence: Human Resource, team and individual management ... 6
5.8 Competence: Risk management ... 6
5.9 Competence: Resource management ... 7
5.10 Competence: Information systems architecture ... 7
5.11 Competence: Project and portfolio management ... 8
5.12 Competence: Supplier management ... 8
5.13 Competence: Problem management ... 8
6 Information security competence for ISMS professionals ... 9
6.1 ISMS Competence: Information Security ... 9
6.1.1 General ... 9
6.1.2 Competence: Information security governance ... 9
6.1.3 Competence: Context of the organization ... 9
6.2 ISMS Competence: Information Security Planning ... 10
6.2.1 General ... 10
6.2.2 Competence: Scope of ISMS ... 10
6.2.3 Competence: Information security risk assessment and treatment ... 11
6.3 ISMS Competence: Information Security Operation ... 11
6.3.1 General ... 11
6.3.2 Competence: Information security operations ... 12
6.4 ISMS Competence: Information Security Support ... 12
6.4.1 General ... 12
6.4.2 Competence: Information security awareness, education and training ... 13
6.4.3 Competence: Documentation ... 13
6.5 ISMS Competence: Information Security Performance evaluation ... 13
6.5.1 General ... 13
6.5.2 Competence: ISMS monitoring, measurement, analysis and evaluation ... 14
6.5.3 Competence: ISMS auditing ... 14
6.5.4 Competence: Management review ... 15
6.6 ISMS Competence: Information Security Improvement ... 15
6.6.1 General ... 15
6.6.2 Competence: Continual improvement ... 15
6.6.3 Competence: Technological trends and developments ... 16
Annex A (informative) Including knowledge for ISMS professionals as part of a body of knowledge ... 17
Bibliography ... 21


Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.

Introduction
This document is intended for use by:
a) individuals who would like to demonstrate their competence as information security management
system (ISMS) professionals, or who wish to understand and accomplish the competence required
for working in this area, as well as wishing to broaden their knowledge,
b) organizations seeking potential ISMS professional candidates to define the competence required
for positions in ISMS related roles,
c) bodies developing certification for ISMS professionals that need a body of knowledge (BOK) as a source for examinations, and
d) organizations for education and training, such as universities and vocational institutions, to align
their syllabuses and courses to the competence requirements for ISMS professionals.
This document should be read and used in conjunction with ISO/IEC 27001.

INTERNATIONAL STANDARD ISO/IEC 27021:2017(E)
Information technology — Security techniques —
Competence requirements for information security
management systems professionals
1 Scope
This document specifies the competence requirements for ISMS professionals leading or involved in establishing, implementing, maintaining and continually improving one or more information security management system processes that conform to ISO/IEC 27001.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at http://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
competence
ability to apply knowledge and skills to achieve intended results
[SOURCE: ISO/IEC 17024:2012, 3.6]
3.2
information security management system professional
ISMS professional
person who establishes, implements, maintains and continually improves one or more information
security management system processes
4 Concept and structure
4.1 General
ISMS professionals are people whose role is to manage the establishment, implementation, maintenance
and continual improvement of one or more ISMS processes. They shall have and maintain knowledge
and skills required in this document to fulfil their role successfully.

4.2 Concept of ISMS competence
Within an organization, several management systems may be implemented, operated and maintained. Each management system will be the responsibility of one or more professionals. One such system is the ISMS. This document describes the business management and domain-specific competence required of ISMS professionals responsible for an organization's ISMS. Figure 1 illustrates how "common management" and "domain-specific" competence (namely A, B and X competence) are related to information security competence. Business management competence is given in Clause 5. Information security competence for ISMS professionals is given in Clause 6.

Figure 1 — Relationship of ISMS-specific competence with common and domain-specific competence
4.3 Structure of ISMS competence
For each of ISO/IEC 27001:2013, Clauses 5 to 10, one category and several competences are defined. Each competence is given a unique name and a unique number, a reference to the associated clauses/subclauses of ISO/IEC 27001 if applicable, the intended outcome of the competence, and a list of the knowledge topics and skills that make up the competence. Each competence is presented using a common template, shown in Table 1.

Table 1 — Template for competence description
ISO/IEC 27001:2013 clause/subclause (if applicable): N.N Title of clause/subclause
Intended outcome: Description of the intended outcome, i.e. the result of applying the competence
Knowledge required: Outline of the topics, concepts and principles ISMS professionals know, are aware of, or are familiar with in this competence
Skills required: The skills ISMS professionals are able to perform

4.4 Demonstration of competence
For each competence, ISMS professionals shall be able to demonstrate the following:
a) knowledge of the competence demonstrated by the possession of educational and/or professional
qualifications; and
b) skill, or ability to carry out the managerial or technical tasks.
4.5 Structure of this document
This document presents the competence required of ISMS professionals structured into two categories. These categories are based on the common areas of business management and of information security management, and each contains 12 competences. The ISMS-specific competences are further broken down in process order (Planning, Operation, Support, Performance evaluation and Improvement). The structure of the clauses/subclauses is as follows:
— 5 Business management competence for ISMS Professionals
— 6 Information security competence
— 6.1 ISMS competence: Information Security
— 6.2 ISMS competence: Information Security Planning
— 6.3 ISMS competence: Information Security Operation
— 6.4 ISMS competence: Information Security Support
— 6.5 ISMS competence: Information Security Performance evaluation
— 6.6 ISMS competence: Information Security Improvement.
Annex A provides elements of knowledge for ISMS professionals that can be used in a body of knowledge
(BOK) for an organization. When an organization creates a BOK which covers the knowledge for ISMS
professionals, Annex A can be referenced as a source of elements that are included in the BOK.
5 Business management competence for ISMS Professionals
5.1 General
To accomplish their roles in an organization successfully and efficiently, ISMS professionals shall acquire, and keep up to date, competence in the fundamental areas of business management.
5.2 Competence: Leadership
ISO/IEC 27001:2013 clause/subclause (if applicable): 5 Leadership
Intended outcome: Directing, motivating and encouraging staff across the organization to deliver information security
Knowledge required:
— Theories of leadership
— Negotiation techniques
Skills required:
— Set and give direction for information security across the organization
— Provide guidance, set objectives and drive progress within the information security function, team and the business
— Deliver commitments
— Deploy responsibilities and authorities at the different levels of the organization
5.3 Competence: Communication
ISO/IEC 27001:2013 clause/subclause (if applicable): 7.4 Communication
Intended outcome: Sharing the correct information in a concise manner with the relevant parties and enabling the most productive interaction with the organization's management with regard to information security
Knowledge required:
— Theories and methods of communication
— Stakeholder analysis techniques
— Communication techniques
Skills required:
— Design the process and communication channels appropriate for the organization to establish the ISMS
— Communicate using appropriate language and media to a range of audiences
— Forge relationships with top management and business professionals
— Determine the need for internal and external communications relevant to the ISMS
5.4 Competence: Business Strategy and ISMS
ISO/IEC 27001:2013 clause/subclause (if applicable): 4.1 Understanding the organization and its context
Intended outcome: Understanding how business strategy is formulated and how information security and ISMS strategy fit into the overall business strategy
Knowledge required:
— Business strategy and the strategy formulation process
— The legal and regulatory environment in which the organization operates
— Definition of strategy, for example by using a strategic alignment tree
— Application of strategic objectives and ISMS global objectives to the different processes of the ISMS
Skills required:
— Understand business strategy and the strategy of the organization
— Set information security objectives in the context of the business and its strategy
— Demonstrate strategic direction with respect to the ISMS, ranging from planning to improvement, organized toward common goals in information security
— Allocate (or assist in the allocation of) resources to meet business and information security objectives

5.5 Competence: Organization design, culture, behaviour and stakeholder management
ISO/IEC 27001:2013 clause/subclause (if applicable): 4.2 Understanding the needs and expectations of interested parties
Intended outcome: Ensuring that the ISMS implementation matches the organizational structure and culture
Knowledge required:
— Organization design theory
— Theory of organization culture
— Organizational behaviour approaches, methodologies and frameworks
— Conflict management
Skills required:
— Understand organization design
— Understand organization behaviour
— Analyse and evaluate organization culture
— Integrate the ISMS into organization design
— Manage conflict between stakeholders with different interests and negotiate in order to accomplish security objectives
5.6 Competence: Process design and organizational change management
ISO/IEC 27001:2013 clause/subclause (if applicable): No applicable clauses or subclauses
Intended outcome: Engineering the performance of day-to-day information security related activities
Knowledge required:
— Operational planning and control
— Process design methodologies and frameworks
— Process documentation and record management
— Organizational context
— Change management methodologies and frameworks
Skills required:
— Direct processes, and oversee the plans to achieve information security objectives
— Manage organizational processes
— Manage outsourced processes
— Manage change management processes
— Manage records

5.7 Competence: Human Resource, team and individual management
ISO/IEC 27001:2013 clause/subclause (if applicable): 7.2 Competence
Intended outcome: Taking proactive action and developing organizational processes to address the development needs of individuals, teams and the entire workforce
Knowledge required:
— Appraisal systems and processes
— Competence development methods
— Competence needs analysis methodologies
— Learning and development support methods (e.g. coaching, teaching, training)
— The optimum staffing and skills required to implement and maintain the ISMS
— Information security qualifications and certifications
Skills required:
— Set organizational and individual objectives, goals and targets and link them
— Understand and use strategies such as empowerment
— Measure and influence the level of employee motivation
— Use tools such as performance management, objective setting and appraisals
— Coach and/or train and/or mentor individuals or teams
— Work in cross-functional teams to achieve business and/or information security objectives
— Build a team work culture
— Support the specification, interview, recruitment, selection, training, supervision and development of staff with appropriate skills, experience and motivation
— Measure the results of training, coaching and related actions and the acquisition of the skills
5.8 Competence: Risk management
ISO/IEC 27001:2013 clause/subclause (if applicable): No applicable clauses or subclauses
Intended outcome: Understanding of the methodologies, frameworks and outputs of risk management
Knowledge required:
— Fundamental principles of risk
— Business risk management methodologies and frameworks, risk assessment and treatment
— The legal and regulatory environment the organization operates in
Skills required:
— Understand the definition of risk and its components in real-world scenarios
— Comprehend business risk management methodologies, assessment and treatment methodologies and processes
— Explain the outputs of business or enterprise risk management

5.9 Competence: Resource management
ISO/IEC 27001:2013 clause/subclause (if applicable): 7.1 Resources
Intended outcome: Ensuring that appropriate resources are determined and provided in time for the establishment, implementation, maintenance and continual improvement of the ISMS
Knowledge required:
— Financial reporting and measurement
— Budget creation and management techniques
— Cost management and reduction techniques
— Time and materials management techniques
— Management review and corrective action processes
Skills required:
— Determine the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS
— Budget business elements including cost of implementation and operation of the ISMS
— Understand financial reporting, including cashflow and profit and loss
— Create business and investment cases
— State ROI (return on investment), ROSI (return on security investment) and other financial benefits
— Apply cost control and budget management techniques
— Provide appropriate resources in time in the right place
5.10 Competence: Information systems architecture
ISO/IEC 27001:2013 clause/subclause (if applicable): No applicable clauses or subclauses
Intended outcome: Understanding the applicable information systems architecture used to create, store, process, transmit and dispose of the organization's information
Knowledge required:
— Information systems architecture requirements
— Hardware components, tools and hardware architectures
— Operating systems and software platforms
— Integration of, and dependency on, business processes with ICT applications
— Information security aspects of information systems architecture
Skills required:
— Understand the business objectives/drivers that impact the information systems architecture
— Understand the interaction of security components and information system architecture components

5.11 Competence: Project and portfolio management
ISO/IEC 27001:2013 clause/subclause (if applicable): No applicable clauses or subclauses
Intended outcome: Managing efficiently and effectively the different types of ISMS related projects and actions (such as corrective, preventive, improvement) in order to meet their intended outcomes on time, on budget and to quality
Knowledge required:
— Project management methodologies and frameworks
— Portfolio management methodologies and frameworks
— Approaches to define project steps and tools to set up action plans
Skills required:
— Manage projects, portfolio, activities and tasks
— Manage, with the business, the portfolio of ISMS-related investment projects
— Plan projects to implement strategies, establish procedures and implement them successfully and efficiently
— Work in cross-disciplinary teams to achieve business and/or information security objectives
5.12 Competence: Supplier management
ISO/IEC 27001:2013 clause/subclause (if applicable): No applicable clauses or subclauses
Intended outcome: Understanding the role of suppliers and the supply chain in the organization and the impact on information security
Knowledge required:
— Use of suppliers and the supply chain
Skills required:
— Assess suppliers and the supply chain(s)
— Assess the impact on information security of suppliers and the supply chain(s)
— Manage suppliers where required
— Provide information security guidance when creating, assessing, selecting, managing and exiting supplier relationships
5.13 Competence: Problem management
ISO/IEC 27001:2013 clause/subclause (if applicable): No applicable clauses or subclauses
Intended outcome: Identifying and resolving problems that might have consequences for the ISMS in a timely manner
Knowledge required:
— Problem solving and analysis methodologies and frameworks
Skills required:
— Understand internal and external issues
— Analyse and synthesize information and data concerning the problems
— Describe management problems analytically, apply analytical approaches, and elaborate problem solutions
— Present and explain proposed solutions to relevant audiences
...
