Hello dear Advisera Team,
1. Should evidence of competence be related to Information Security, or IT, or something else? Which competence do we have to justify? Should we have the evidence for everybody, or only just for IT Manager or Admins e.g.?
2. What if we have an online learning platform with Data Privacy Training, but only half of the employees completed that training? I don't think it is enough, can it raise a non-confirmity?
Thank you!
Assign topic to the user
1. Should evidence of competence be related to Information Security, or IT, or something else? Which competence do we have to justify? Should we have the evidence for everybody, or only just for IT Manager or Admins e.g.?
The evidence of competence must be related to issues and activities that can impact the ISMS (e.g., secure development for the development and maintenance of information systems included in the ISMS scope, audit techniques for internal auditors, etc.).
You need to evidence competency of anyone who has an impact on the performance of the ISMS, i.e., those who put together and manage the ISMS (e.g., managers and technical staff), and also of those who have to follow the policies and procedures (e.g., all employees included in the ISMS scope).
These articles will provide you a further explanation about competence evidence for ISO 27001:
- 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
These materials will also help you regarding competence evidence for ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
2. What if we have an online learning platform with Data Privacy Training, but only half of the employees completed that training? I don't think it is enough, can it raise a non-confirmity?
The answer to this question will depend on your defined ISMS scope. In case your ISMS scope is all the organization, and data privacy protection is a requirement for the ISMS, then this situation can rise a non-conformity.
These articles will provide you a further explanation about ISMS scope and readiness for certification:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
These materials will also help you regarding ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Comment as guest or Sign in
Feb 17, 2021