Rhand Leal
October 6, 2014
One of the greatest challenges in managing information security is ensuring that people handle information and carry out security activities properly. Unprepared and untrained people pose a risk to information and to the business, and they are as dangerous as any other known threat.
ISO 27001 deals with this issue through clause 7.2 in a very straightforward way:
Additionally, ISO 27001 requires that the organization retain documented information as evidence of competence, i.e., records showing how the process was carried out.
Small organizations, or those without deep in-house IT / security knowledge, can find themselves with the following questions:
As with many other management system questions, there are many possible methods for properly handling information security competencies and human resources, but I'd like to present to you one of them: the use of personal certifications.
Personal certifications are designations earned by a person that attest to his or her qualification to perform a job or task. Usually earned from a professional society or educational institute, they can also be earned from a private certifier (e.g., a manufacturer or supplier).
Some certification programs have rigorous standards for accreditation, similar to those for professional licensure, and that is the key point for using personal certifications to help with clause 7.2. The American National Standards Institute (ANSI), the Institute for Credentialing Excellence (ICE), and the International Register of Certificated Auditors (IRCA) are examples of organizations that set standards for the accreditation of certification programs.
Let's take the questions asked earlier to develop this answer, but remember that most of the following information applies only to accredited certification organizations.
What competencies does my company need? Generally, organizations know what products/services they have or need, but not what their people need to know to use and operate them. In these cases, product/technology oriented certifications can help by defining the body of knowledge needed to properly configure, use and operate those products/services. Operating systems, databases and email services are examples of products/services for which you can find suitable certifications that can help you define what competencies your organization needs.
Other relevant cases concern the functions/jobs your organization must perform, like management and assurance. For those, you can find profession oriented certifications. These certifications focus on non-technological, non-product knowledge, giving the professional more holistic competencies in applying the relevant practices. Project manager, security manager and lead auditor are examples of functions/jobs for which you can find suitable certifications that can help you define what competencies your organization needs. See these articles for more information about ISO 27001 / BS 25999-2 trainings: How to learn about ISO 27001 and BS 25999-2 and How to become ISO 27001 Lead Auditor.
What would be suitable education, training, or experience? To obtain some of these certifications, the professional must submit to the certifying organization evidence of previous education, training, and experience (the requirements vary from certifier to certifier and from one type of certification to another), in the form of school/university certificates, training certificates and employer recommendation letters. From these requirements your organization can define suitable parameters for checking the education, training, or experience levels of its employees.
How / Where does an organization acquire the required competencies and evaluate the actions taken? Some certifications must be maintained after they are earned (a new version of the product could be released, or new knowledge published). To stay current, the professional must complete training programs or other verifiable activities that show he or she is continuously refreshing that knowledge.
To support professionals in keeping their certifications, many certifiers provide references to training providers or organize events about new products/technologies/practices where professionals can obtain and share the knowledge needed to develop their careers. Information about these courses and events can be used by your organization to plan and record the activities through which it acquires the required competencies.
Should I adopt personal certifications for my staff? As emphasized earlier, everything you really need to comply with clause 7.2, including the evidence, can be obtained from the accredited organization that issues the certificates. So, why not use personal certifications as selection criteria for hiring, since everything you need to comply with clause 7.2 is already available there and can be provided by the candidate? And why not establish personal certifications as the minimum level for your employees, thereby ensuring that they are more committed to security practices and self-improvement?
The most recognized certifications are expensive and arduous to earn, and some of them have few certified professionals; this is reflected in the availability and average salary of these professionals. On the other hand, more competent personnel mean fewer incidents and greater productivity. If your organization can balance the cost of higher salaries against the savings, this can be a suitable option; if not, you can still use the information provided by the certification organization as a benchmark to define the competencies you need.
In any case, the fact remains: personal certifications can be very beneficial for both the company and the individual. It's a win-win proposition.