ISO 27001 Lead Implementer certification after CISSP
messirossi
Member Posts: 5

Hi guys, I need some advice on whether getting ISO 27001 LI certified would be a good idea or not. I work as a network security engineer and have the CISSP cert along with a bunch of vendor certs. I want to make a move up to an InfoSec consultant role. Could someone please advise me if the LI certification would be a good addition, or maybe I should do the 27001 LA first? Also, does it make any sense to do the certification without having the experience of audits? I would be paying around 850 USD for the ISO 27001 4-day training + certification. Thanks.
Comments
Skyyyyy2001 Member Posts: 57

It's fine if you have no audit experience; in fact, you will learn a lot by seeing things from an auditing point of view. In the rest of the lesson you will learn about the standard, the points to look out for from the standard, and the relevant controls that need to be in place.

All in all, it's a good learning course.
Info_Sec_Wannabe Member Posts: 428

In the ISO 27001 LA course that I took (the training provider was BSI), the instructor focused the discussion mostly on clauses 4 through 10 (how these clauses should be interpreted and how they are intertwined with the other clauses) and on the audit process per ISO 19011 (high level only, since the intent is to audit management systems). Overall, the class was good, but I was hoping that the course would also touch briefly on Annex A controls and how these should be audited or checked for compliance.

Hope this helps.

X year plan: (20XX) OSCP [ ], CCSP [ ]
the_Grinch Member Posts: 4,165

How many organizations use and implement 27001? I ask because I have often heard that many organizations only implement parts, and that the process for full certification is expensive/long. Interested to see if 27001 is prevalent.

WIP: PHP, Kotlin, Intro to Discrete Math, Programming Languages, Work stuff
Phalanx Member Posts: 331

It will become more prevalent with GDPR making an appearance in a couple of weeks. ISO27001 is pretty damn close to GDPR (save a few things), and is part of the reason companies who are ISO27001 compliant have comparatively little to do for the new data protection laws.

Client & Security: Microsoft 365 Modern Desktop Administrator Associate | MCSE: Mobility
Server & Networking: MCSA: Windows Server 2016 | MTA: Networking Fundamentals
Data Privacy & Project/Service Management: PECB GDPR DPO/Practitioner | ITIL 2011: Foundation | CompTIA Project+
Currently Studying: Microsoft 365 Enterprise Administrator Expert
Info_Sec_Wannabe Member Posts: 428

the_Grinch wrote:
> How many organizations use and implement 27001? I ask because I often heard that many organizations only implement parts and that the process for full certification is expensive/long. Interested to see if 27001 is prevalent.

I know fewer than 5 companies who adhere to ISO 27001, and most of them are service providers. Yes, the process for full certification is expensive and long, especially for those companies who operate in multiple jurisdictions / locations. In my employer's case, we only had a portion of our operations certified (by limiting our scoping statement), and our strategy is to include more locations and business units as the process matures.
the_Grinch Member Posts: 4,165

Thanks for the info guys! All very interesting indeed!
chickenlicken09 Member Posts: 537

Is the job of getting ISO 27001 certified too much for one person to do in a company?

What is the cost for a company to get ISO 27001 certified, roughly?
Gawyn210 Member Posts: 9

> What is the cost for a company to get ISO 27001 certified, roughly?

Costs can vary wildly depending upon the current level of protections in place, the company's complexity, and the time given to prepare for the certification. I've seen it done for less than 10K (USD), and I've also seen companies spend over a million USD in preparation.
Info_Sec_Wannabe Member Posts: 428

> Is the job of getting ISO 27001 certified too much for one person to do in a company?

This would depend on a number of factors, such as the size and complexity of the organization, how mature security is or the extent to which it is embedded within existing processes, the organizational culture toward security (as it usually involves additional costs and resources on the part of the company), etc.