Expert Advice Community

Competencies for ISO 27001 implementation and management

Guest user | Created: May 20, 2017 | Last commented: May 20, 2017

1 - I've started your ISO 27001 course lectures. I have a question concerning the preparation process for becoming certified. The company I work for will soon start the certification process, which I will coordinate (with the help of the consultant), since I have an interest in information security and I have some experience with the ISO 27001 standard. My question is: do I have to have a certain certificate to handle this project, and is the consultant necessary for the things I can manage myself (the first revision phase, determination of policies and necessary documents)?
Expert
Rhand Leal May 20, 2017

Answer: ISO 27001 requires that people with roles and responsibilities regarding information security have competence in the activities to be performed, in terms of education, experience or skills. So, you do not have to have certain certificates if you can show your competence by other means, like a register of the time you've been performing these activities.

Regarding the participation of the consultant, this is not mandatory, and if you are confident that you can handle some activities by yourself you do not need to use a consultant for them (instead of full-time work, you can use him only as a mentor to guide or review your work). For cases like this we also suggest that people take a look at the free demo of our ISO 27001 Documentation Toolkit at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

This toolkit is made for companies that implement the standard for the first time and consider that they do not need a consultant for the whole project. You only have to scroll down the screen a little to access the free demo tab.

These articles will provide you with further explanation about competencies and the implementation process:
- What to look for when hiring a security professional https://advisera.com/27001academy/blog/2016/02/15/what-to-look-for-when-hiring-a-security-professional/
- 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/

2 - If it is necessary to have the certificate for the part of the first revision and the preparation, which one would you recommend?

Answer: Regarding certification, I suggest you consider ISO 27001 Lead Auditor, because this one will give you an insight into how the mind of a certification auditor works, and with that you can better manage your system. Another interesting training is the ISO 27001 Lead Implementer; this one does not provide an internationally recognized certification like the Lead Auditor, but it can help you with insights into the implementation process. For more information see:
- What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
- What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/

3 - Must a company that has ISO 27001 certification have a defined ISO or CISO function? Does that position require a certain mandatory certificate?

Answer: By the standard there is no mandatory requirement to designate a CISO function, but in operational terms it is a good idea to consider one. Again, there is no need for a certificate if you can show some other form of evidence that this person has the required competence (e.g., a register of the years working in this function).

This article will provide you with further explanation about the CISO:
- What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/

These materials will also help you regarding ISO 27001 competencies:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
