What is covered under ISO 27001 Clause 7.2?
- determine the competence needed by the people doing work on the ISMS that could affect its performance
- ensure those people are competent on the basis of relevant education, training or experience
- where required, take action to acquire the necessary competence and evaluate the effectiveness of that action
- retain evidence of the above for audit purposes
On the basis of these requirements, it is easy to assume that the answer to 7.2 is to hire an information security expert, but that is not always necessary.
A wide range of skills and experience is required for a successful implementation and ongoing management of an ISMS certified to ISO 27001, beyond expertise in physical security, cyber security, computer security or other forms of information security per se.
Those include commercial, legal, HR and IT expertise, as well as knowledge of the products and services within the scope of the ISMS.
Building and running an ISMS is usually a collaborative team job. The most important thing is an understanding of the organisation: its purpose and goals, its culture, its risk appetite and the requirements expressed in clauses 4.1, 4.2, 4.3, 6.1 and 6.2.
So how do you demonstrate compliance to clause 7.2 of ISO 27001?
Alongside the 7.3 (awareness) and 7.4 (communication) clauses, 7.2 can be demonstrated with a short statement about the team involved and their credibility, with links across the ISMS to their work as evidence, which saves time.
Additionally, a simple table listing the people involved, the role each is performing and notes on their relevant experience, training or education is helpful, and some auditors like to see that detail. It does not have to be a CV; it just needs to show why each person is involved, e.g. Fred Bloggs, implementation leader, whose day job is service delivery and IT manager; 5 years' experience in both fields; relevant training or education such as online cyber security courses and a master's degree in computer science.
This can be kept very simple. It is not an information security training needs analysis or a detailed action plan, although you might want one of those too, depending on the organisation's style and its approach to HR development plans.
All the external auditor will want to know is that the team involved is competent, and it is likely that some or all of the team will take part in the audit process anyway, at which point the auditor will form their own opinion.
Remember, information security done with a business-led approach is about running the business better, not implementing every control for its own sake. It is therefore unlikely there will be gaps in the core skills and understanding of your organisation; otherwise it would be unlikely to be operating at all.
If however there are gaps in the competence, skills and experiences around implementing and running an information security management system to meet this clause, they can be closed in a number of ways:
- Sending the staff involved on ISO 27001 lead auditor, lead implementer or implementation training courses, or one of the many other information security courses available. This can, however, become expensive for one person, let alone a team, both in cost and in time out of the office. It can also cause implementation problems of its own if the trainer or programme is too generic, out of date, or fails to understand the organisation's culture and ways of working.
- Reading the many free resources on the internet, such as the resources on this website and sites like the National Cyber Security Centre (NCSC) with its specialist guides and checklists, and digesting the ISO 27001 and ISO 27002 standards, will also show the auditor a level of competence. That dovetails with Annex A 5.6 on staying aware of and involved in specialist information security forums and professional associations.
- Hiring in specialist external people to help build competence. There is a growing market for virtual CISOs (Chief Information Security Officers) and the teams around them. This can certainly make sense, and we recommend it for targeted work alongside the internal staff who are specialists in their own fields, when the organisation has capacity and capability gaps and budget is less of a constraint.