Promotion - Manager likes ISO 27000 Series - Where Can I Study?

RogueJD Member Posts: 46
Hey all,

I'm currently working for an organization as an internal Information Security Auditor. I'm considering a transfer to another section in the same organization that will involve a significant promotion. Working in that department, for that team, is my "dream job".

I know the hiring manager quite well. He has stated that both he and his superiors see a lot of potential in my working there. He stated that I was a shoo-in for the job, and we just need to go through the formalities of opening the job to the public and conducting interviews, as we're quite a large organization.

The hiring manager is quite familiar with ISO 27000 series. He implemented an ISO 27001 program at a very, very large, well-known organization in the past. During our many conversations about the position, he has brought up ISO 27001.

I'm familiar with other frameworks; NIST, COBIT, etc., but ISO 27000 is something where I only have a high-level understanding.

Since ISO wants you to pay for their standards, I don't have access to them. I was hoping to study using publicly-available resources. Any ideas?

Comments

  • Mike7 Member Posts: 1,107
    RogueJD wrote: »
    Working in that department, for that team, is my "dream job".

    Pursue your dreams. Buy the ISO27001/27002 book: ISO/IEC 27001 27002 IT Security Techniques Package (ISO/IEC 27001:2013, ISO/IEC 27002:2013 - IT Security Techniques).
  • TheFORCE Member Posts: 2,297
    If your manager has implemented ISO then he has the documents, why not ask him to give it to you. They are only 90 pages or so.
  • iBrokeIT Member Posts: 1,318
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA | Pentest+ 
    2022: GMON | GDAT
    2023: GREM  | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops SANS Grad Cert: Incident Response
  • TeKniques Member Posts: 1,262
    Definitely pay the money for the ISO 27001 controls and 27002 code of practice for the controls from ISO. The stuff you find online will either be outdated or hard to understand how it works. I was the lead consultant on an ISO 27001 certification for a customer and without the two documents it would have been a failure. Particularly, the 27002 document gives you guidance on how to implement the controls outlined in the 27001 framework. This is key, because if (when) you're audited and you receive a gap analysis you will want to refer back to this document for specifics on any non-conformity.
  • RogueJD Member Posts: 46
    Thank you all for the suggestions. Unfortunately, I don't have the money to spend over $350 for those publications - not in time for the interview (ETA: 2-3 months).

    I'm aware of the value of having these, but I just can't afford it. From a "cost-benefit analysis" aspect, I'd say it isn't worth it to me, as I need only a CliffsNotes understanding of this framework. Once I've proven a basic understanding, I will be given the resources I need to pursue a mastery of it.

    TL;DR: Can't afford it now. Don't need to be a master for the interview. Will be furnished with the materials after demonstrating a basic comprehension.

    I'll try that auditor course that iBrokeIT posted. Seems worth a shot. I just hope it's truly free. I don't need a cert, so we'll see where this goes.

    Keep the suggestions coming.