LIVE VIRTUAL TRAININGS
Learn in small groups from top experts and real-life examples

Expert Advice Community

Guest

Competence evidences for ISO 27001

  Quote
Guest
Guest user Created:   Mar 11, 2017 Last commented:   Mar 14, 2017

Competence evidences for ISO 27001

Regarding clause 7.2 from ISO 27001, what is expected for this? Are we expected to assess the competency of everyone in the organisation? If so is a CBT general security course sufficient to achieve this? I appreciate that as the Head of IS and given my qualifications I have a certain level of competence but what would be expected or "applicable" to all our users?
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Mar 11, 2017

We are intending on delivering face to face awareness training on the specific policies being deployed, this will be both general awareness and targeted to those groups of people that specific policies relate to, would a general CBT be enough to back this up?

Answer: You have to assess the competency only of those included in the scope of your ISMS. Regarding competence evidences, besides a CBT general security course an face to face training for awareness of all people included in the scope, maybe you also should consider specific courses for technical and management personnel, like IT team and top management, since they required more specific knowledge to fulfil their informat ion security related tasks. Additionally, for evidence of competence the standard also accepts evidences of experience and education, and where you can provide those evidences the CBT and face to face training may be optional.

This article will provide you further explanation about competence evidences for ISO 27001:
- 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

These materials will also help you regarding competence evidences for ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/
Quote
0 0
Expert
Rhand Leal Mar 14, 2017
Question: Does this mean the competency only needs to be assessed of
Those who put together and manage the ISMS ? I.e. Me as head of Infosec and those who write or approve any policy? Or do we need to assess the competency of anyone who has to follow the policy?

Answer: You need to assess the competency of anyone who has an impact in the performance of the ISMS, i.e. those who put together and manage the ISMS and also of those who have to follow the policies.
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Mar 11, 2017

Mar 14, 2017

Suggested Topics