Information technology -- Security techniques -- Competence requirements for information security management systems professionals

ISO/IEC 27021:2017 specifies the competence requirements for ISMS professionals leading or involved in establishing, implementing, maintaining and continually improving one or more information security management system processes that conform to ISO/IEC 27001.

Technologies de l'information -- Techniques de sécurité -- Exigences de compétence pour les professionnels de la gestion des systèmes de management de la sécurité

General Information

Status: Published
Publication Date: 30-Oct-2017
Current Stage: 6060 - International Standard published
Start Date: 22-Sep-2017
Completion Date: 31-Oct-2017

Standard: ISO/IEC 27021:2017 - Information technology -- Security techniques -- Competence requirements for information security management systems professionals
English language, 21 pages

Standards Content (sample)

INTERNATIONAL STANDARD ISO/IEC 27021
First edition, 2017-10
Information technology — Security techniques — Competence requirements for information security management systems professionals
Technologies de l'information — Techniques de sécurité — Exigences de compétence pour les professionnels de la gestion des systèmes de management de la sécurité
Reference number: ISO/IEC 27021:2017(E)
© ISO/IEC 2017
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2017, Published in Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2017 – All rights reserved
Contents

Foreword  v
Introduction  vi
1 Scope  1
2 Normative references  1
3 Terms and definitions  1
4 Concept and structure  1
4.1 General  1
4.2 Concept of ISMS competence  2
4.3 Structure of ISMS competence  2
4.4 Demonstration of competence  3
4.5 Structure of this document  3
5 Business management competence for ISMS Professionals  3
5.1 General  3
5.2 Competence: Leadership  3
5.3 Competence: Communication  4
5.4 Competence: Business Strategy and ISMS  4
5.5 Competence: Organization design, culture, behaviour and stakeholder management  5
5.6 Competence: Process design and organizational change management  5
5.7 Competence: Human Resource, team and individual management  6
5.8 Competence: Risk management  6
5.9 Competence: Resource management  7
5.10 Competence: Information systems architecture  7
5.11 Competence: Project and portfolio management  8
5.12 Competence: Supplier management  8
5.13 Competence: Problem management  8
6 Information security competence for ISMS professionals  9
6.1 ISMS Competence: Information Security  9
6.1.1 General  9
6.1.2 Competence: Information security governance  9
6.1.3 Competence: Context of the organization  9
6.2 ISMS Competence: Information Security Planning  10
6.2.1 General  10
6.2.2 Competence: Scope of ISMS  10
6.2.3 Competence: Information security risk assessment and treatment  11
6.3 ISMS Competence: Information Security Operation  11
6.3.1 General  11
6.3.2 Competence: Information security operations  12
6.4 ISMS Competence: Information Security Support  12
6.4.1 General  12
6.4.2 Competence: Information security awareness, education and training  13
6.4.3 Competence: Documentation  13
6.5 ISMS Competence: Information Security Performance evaluation  13
6.5.1 General  13
6.5.2 Competence: ISMS monitoring, measurement, analysis and evaluation  14
6.5.3 Competence: ISMS auditing  14
6.5.4 Competence: Management review  15
6.6 ISMS Competence: Information Security Improvement  15
6.6.1 General  15
6.6.2 Competence: Continual improvement  15
6.6.3 Competence: Technological trends and developments  16
Annex A (informative) Including knowledge for ISMS professionals as part of a body of knowledge  17
Bibliography  21

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
Introduction

This document is intended for use by:

a) individuals who would like to demonstrate their competence as information security management system (ISMS) professionals, or who wish to understand and accomplish the competence required for working in this area, as well as wishing to broaden their knowledge,
b) organizations seeking potential ISMS professional candidates to define the competence required for positions in ISMS related roles,
c) bodies to develop certification for ISMS professionals which need a body of knowledge (BOK) for examination sources, and
d) organizations for education and training, such as universities and vocational institutions, to align their syllabuses and courses to the competence requirements for ISMS professionals.

This document should be read and used in conjunction with ISO/IEC 27001.
INTERNATIONAL STANDARD ISO/IEC 27021:2017(E)

Information technology — Security techniques — Competence requirements for information security management systems professionals
1 Scope

This document specifies the competence requirements for ISMS professionals leading or involved in establishing, implementing, maintaining and continually improving one or more information security management system processes that conform to ISO/IEC 27001.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at http://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/

3.1
competence
ability to apply knowledge and skills to achieve intended results
[SOURCE: ISO/IEC 17024:2012, 3.6]

3.2
information security management system professional
ISMS professional
person who establishes, implements, maintains and continually improves one or more information security management system processes
4 Concept and structure

4.1 General

ISMS professionals are people whose role is to manage the establishment, implementation, maintenance and continual improvement of one or more ISMS processes. They shall have and maintain the knowledge and skills required in this document to fulfil their role successfully.
4.2 Concept of ISMS competence

Within an organization, several management systems may be implemented, operated and maintained. Each management system will be the responsibility of one or more professionals. One such system is the ISMS. This document describes the business management and domain-specific competence required of ISMS professionals responsible for an organization's ISMS. Figure 1 illustrates how "common management" and "domain-specific" competence (namely A, B, and X competence) relate to information security competence. Business management competence is given in Clause 5. Information security competence for ISMS professionals is given in Clause 6.

Figure 1 — Relationship of ISMS-specific competence with common and domain-specific competence
4.3 Structure of ISMS competence

For each of ISO/IEC 27001:2013, Clauses 5 to 10, one category and several competence are defined. Each competence is given a unique name and a unique number, a reference to associated clauses/subclauses of ISO/IEC 27001 if applicable, the intended outcome of the competence and a list of the knowledge topics and skills that make up the competence. Each competence is presented using a common template, shown in Table 1.

Table 1 — Template for competence description

ISO/IEC 27001:2013 clause/subclause (if applicable): N.N Title of clause/subclause
Intended outcome: Description of intended outcome, i.e. the result of applying the competence
Knowledge required: Outlines of the topics, concepts and principles ISMS professionals know, are aware of, or are familiar with in this competence
Skills required: The skills ISMS professionals are able to perform
4.4 Demonstration of competence

For each competence, ISMS professionals shall be able to demonstrate the following:

a) knowledge of the competence demonstrated by the possession of educational and/or professional qualifications; and
b) skill, or ability to carry out the managerial or technical tasks.

4.5 Structure of this document

This document shows the competence required for ISMS professionals structured into two categories. These categories are arranged based on common areas of business management and information security management and include 12 competence each. This is followed by a breakdown of ISMS-specific competence in a process order (Planning, Operation, Support, Performance evaluation, and Improvement). The structure of the clauses/subclauses is as follows:

— 5 Business management competence for ISMS Professionals
— 6 Information security competence
— 6.1 ISMS competence: Information Security
— 6.2 ISMS competence: Information Security Planning
— 6.3 ISMS competence: Information Security Operation
— 6.4 ISMS competence: Information Security Support
— 6.5 ISMS competence: Information Security Performance evaluation
— 6.6 ISMS competence: Information Security Improvement.

Annex A provides elements of knowledge for ISMS professionals that can be used in a body of knowledge (BOK) for an organization. When an organization creates a BOK which covers the knowledge for ISMS professionals, Annex A can be referenced as a source of elements that are included in the BOK.

5 Business management competence for ISMS Professionals

5.1 General

To accomplish their roles in an organization successfully and efficiently, ISMS professionals shall acquire, and keep up to date, competence in the fundamental areas of business management.

5.2 Competence: Leadership

ISO/IEC 27001:2013 clause/subclause (if applicable): 5 Leadership

Intended outcome: Directing, motivating and encouraging staff across the organization to deliver information security

Knowledge required:
— Theories of leadership
— Negotiation techniques

Skills required:
— Set and give direction for information security across the organization
— Provide guidance, set objectives and drive progress within the information security function, team and the business
— Deliver commitments
— Deploy responsibilities and authorities at the different levels of the organization

5.3 Competence: Communication

ISO/IEC 27001:2013 clause/subclause (if applicable): 7.4 Communication

Intended outcome: Sharing the correct information in a concise manner with the relevant parties and enabling the most productive interaction with the organization's management with regards to information security

Knowledge required:
— Theories and methods of communication
— Stakeholder analysis techniques
— Communication techniques

Skills required:
— Design the process and communication channels appropriate for the organization to establish the ISMS
— Communicate using appropriate language and media to a range of audiences
— Forge relationships with top management and business professionals
— Determine the need for internal and external communications relevant to the ISMS

5.4 Competence: Business Strategy and ISMS

ISO/IEC 27001:2013 clause/subclause (if applicable): 4.1 Understanding the organization and its context

Intended outcome: Understanding how business strategy is formulated and how information security and ISMS strategy fits into the overall business strategy

Knowledge required:
— Business strategy and strategy formulation process
— The legal and regulatory environment in which the organization operates
— Definition of strategy, for example, by using a strategic alignment tree
— Application of strategic objectives and ISMS global objectives to the different processes of the ISMS

Skills required:
— Understand business strategy and the strategy of the organization
— Set information security objectives in the context of the business and its strategy
— Demonstrate strategic direction with respect to the ISMS, ranging from planning to improvement that is organized toward common goals in information security
— Allocate (or assist in the allocation of) resources to meet business and information security objectives

5.5 Competence: Organization design, culture, behaviour and stakeholder management

ISO/IEC 27001:2013 clause/subclause (if applicable): 4.2 Understanding the needs and expectations of interested parties

Intended outcome: Ensuring that the ISMS implementation matches the organizational structure and culture

Knowledge required:
— Organization design theory
— Theory of organization culture
— Organizational behaviour approaches, methodologies and frameworks
— Conflict management

Skills required:
— Understand organization design
— Understand organization behaviour
— Analyse and evaluate organization culture
— Integrate the ISMS into organization design
— Manage conflict among stakeholders with different interests and negotiate in order to accomplish security objectives

5.6 Competence: Process design and organizational change management

ISO/IEC 27001:2013 clause/subclause (if applicable): No applicable clauses or subclauses

Intended outcome: Engineering of the performance of day-by-day information security related activities

Knowledge required:
— Operational planning and control
— Process design methodologies and frameworks
— Process documentation and record management
— Organizational context
— Change management methodologies and frameworks

Skills required:
— Direct processes, and oversee the plans to achieve information security objectives
— Manage organizational processes
— Manage outsourced processes
— Manage change management processes
— Manage records
5.7 Competence: Human Resource, team and individual management

ISO/IEC 27001:2013 clause/subclause (if applicable): 7.2 Competence

Intended outcome: Taking proactive action and developing organizational processes to address the development needs of individuals, teams and the entire workforce

Knowledge required:
— Appraisal systems and processes
— Competence development methods
— Competence needs analysis methodologies
— Learning and development support methods (e.g. coaching, teaching, training)
— The optimum staffing and skills required to implement and maintain the ISMS
— Information security qualifications and certifications

Skills required:
— Set organizational and individual objectives, goals and targets and link them
— Understand and use strategies such as empowerment
— Measure and influence the level of employee motivation
— Use tools such as performance management, objective setting and appraisals
— Coach and/or train and/or mentor individuals or teams
— Work in cross-functional teams to achieve business and/or information security objectives
— Build a team work culture
— Support the specification, interview, recruitment, selection, training, supervision and development of staff with appropriate skills, experience and motivation
— Measure the results of training, coaching and related actions and the acquisition of the skills

5.8 Competence: Risk management

ISO/IEC 27001:2013 clause/subclause (if applicable): No applicable clauses or subclauses

Intended outcome: Understanding of the methodologies, frameworks and outputs of risk management

Knowledge required:
— Fundamental principles of risk
— Business risk management methodologies and frameworks, risk assessment and treatment
— The legal and regulatory environment the organization operates in

Skills required:
— Understand the definition of risk and its components in real-world scenarios
— Comprehend business risk management methodologies, assessment and treatment methodologies and processes
— Explain the outputs of business or enterprise risk management
5.9 Competence: Resource management

ISO/IEC 27001:2013 clause/subclause (if applicable): 7.1 Resources

Intended outcome: Ensuring that appropriate resources are determined and provided in time for the establishment, implementation, maintenance and continual improvement of the ISMS

Knowledge required:
— Financial reporting and measurement
— Budget creation and management techniques
— Cost management and reduction techniques
— Time and materials management techniques
— Management review and corrective action processes

Skills required:
— Determine the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS
— Budget business elements including cost of implementation and operation of the ISMS
— Understand financial reporting, including cashflow and profit and loss
— Create business and investment cases
— State ROI (return on investment), ROSI (return on security investment) and other financial benefits
— Apply cost control and budget management techniques
— Provide appropriate resources in time in the right place

5.10 Competence: Information systems architecture

ISO/IEC 27001:2013 clause/subclause (if applicable): No applicable clauses or subclauses

Intended outcome: Understanding the applicable information systems architecture used to create, store, process, transmit and dispose of the organization's information

Knowledge required:
— Information systems architecture requirements
— Hardware components, tools and hardware architectures
— Operating systems and software platforms
— Integration of, and dependency on, business processes with ICT applications
— Information security aspects of information systems architecture

Skills required:
— Understand the business objectives/drivers that impact the information systems architecture
— Understand the interaction of security components and information system architecture components
5.11 Competence: Project and portfolio management

ISO/IEC 27001:2013 clause/subclause (if applicable): No applicable clauses or subclauses

Intended outcome: Managing efficiently and effectively the different types of ISMS related projects and actions (such as corrective, preventative, improvement) in order to meet their intended outcomes on time, on budget and to quality

Knowledge required:
— Project management methodologies and frameworks
— Portfolio management methodologies and frameworks
— Approaches to define project steps and tools to set up action plans

Skills required:
— Manage projects, portfolio, activities and tasks
— Manage, with the business, the portfolio of ISMS-related investment projects
— Plan projects to implement strategies, establish procedures and implement them successfully and efficiently
— Work in cross-disciplinary teams to achieve business and/or information security objectives

5.12 Competence: Supplier management

ISO/IEC 27001:2013 clause/subclause (if applicable): No applicable clauses or subclauses

Intended outcome: Understanding the role of suppliers and the supply chain in the organization and the impact on information security

Knowledge required:
— Use of suppliers and the supply chain

Skills required:
— Assess suppliers and the supply chain(s)
— Assess the impact on information security of suppliers and the supply chain(s)
— Manage suppliers where required
— Provide information security guidance when creating, assessing, selecting, managing and exiting supplier relationships

5.13 Competence: Problem management

ISO/IEC 27001:2013 clause/subclause (if applicable): No applicable clauses or subclauses

Intended outcome: Identifying and resolving problems that might have consequences for the ISMS in a timely manner

Knowledge required:
— Problem solving and analysis methodologies and frameworks

Skills required:
— Understand internal and external issues
— Analyse and synthesize information and data concerning the problems
— Describe management problems analytically, apply analytical approaches, and elaborate problem solutions
— Present and explain proposed solutions to relevant audiences
...
