Based on your experience, what are the benefits (besides the mandatory requirements) of having an internal auditor certified on 27001 in a company? I am a security consultant working for third-party customers and I would like to go for the 27001 certification as an internal auditor first, since I think:
- This is a great domain to be aware of in terms of cyber security
- It develops specific communication skills so as to identify risks in a company
- It establishes a CIA mindset whenever positioning a specific technology
I wonder what else can be justified so that management will support the certification process and related costs.
Answer: All the benefits you mentioned relate to the auditor themselves. To get buy-in from management to support the certification process and related costs, you should explain to them that a certified auditor is more capable of identifying both nonconformities and opportunities for improvement (which are much better) during internal audits, and that this knowledge makes it easier to talk with the certification auditor, avoiding misunderstandings and getting useful tips to improve the information security management system.