ISO 27001 Lead Implementer certification after CISSP

messirossi

Hi guys, Need some advice if getting ISO 27001 LI certified would be a good idea or not. I work as a network security engineer and have the CISSP cert along with a bunch of vendor certs. I want to make a move up to an InfoSec consultant role. Could someone please advice me if the LI certification would be a good addition or maybe I should do the 27001 LA first ? Also does it make any sense to do the certification without having the experience of audits. Would be paying around 850 USD for the ISO 27001 4 day training + certification. Thanks.

Skyyyyy2001

it's fine if you have no audit experience, in fact, you will learn a lot to see things from an auditing point of view. the rest of the lesson you will learn about the standard and the points to look out for from the standard and the relevant controls that need to be in place.

all in all, it's a good learning course

Info_Sec_Wannabe

In the ISO 27001 LA course that I took (training provider was BSI), the instructor focused the discussion mostly on clauses 4 through 10 (how these clauses should be interpreted and how it is intertwined with the other clauses) and on the audit process per ISO 19011 (high level only since the intent is to audit management systems). Overall, the class was good, but I was hoping that the course would also touch briefly on Annex A controls and how these should be audited or checked for compliance.

Hope this helps.

the_Grinch

How many organizations use and implement 27001? I ask because I often heard that many organizations only implement parts and that the process for full certification is expensive/long. Interested to see if 27001 is prevalent.

Phalanx

It will become more prevalent with GDPR making an appearance in a couple of weeks. ISO27001 is pretty damn close to GDPR (save a few things), and is part of the reason companies who are ISO27001 compliant have comparitively little to do for the new data protection laws.

Info_Sec_Wannabe

the_Grinch wrote: »

How many organizations use and implement 27001? I ask because I often heard that many organizations only implement parts and that the process for full certification is expensive/long. Interested to see if 27001 is prevalent.

I know less than 5 companies who adhere to ISO 27001 and most of them are service providers. Yes, the process for full certification is expensive and long, especially for those companies who operate in multiple jurisdictions / locations. In my employer's case, we only had a portion of our operations certified (by limiting our scoping statement) and our strategy is to include more locations and business units as the process matures.

the_Grinch

Thanks for the info guys! All very interesting indeed!

chickenlicken09

Is the job of geting iso27001 certified too much for one person to do in a company?

What is the cost for a company to get iso27001 certified roughly ?

Gawyn210

eddo1 wrote: »

What is the cost for a company to get iso27001 certified roughly ?

Costs can vary wildly depending upon the current level of protections in place, the company's complexity and the time given to prepare for the certification. I've seen in done for less than 10K (USD) and I've also seen companies spent over a million USD in preparation.

Info_Sec_Wannabe

eddo1 wrote: »

Is the job of geting iso27001 certified too much for one person to do in a company?

This would depend on a number of factors such as the size and complexity of the organization, how mature or the extent to which security is embedded within existing processes, organizational culture toward security (as it usually involves additional costs and resources on the part of the company), etc.