ISO 27001 Certified Professionals

nanga Member Posts: 201
Hi,
Guys, I am looking for a career in information security. After going through job postings I found that there are more skills required in ISO 27001 and compliance standards.

I would be thankful if you guys could please let me know how to go about getting those skills.

I am Security+ and CCNA certified and doing an internship, with no big experience, with a master's in IT Mgmt.

Thanks in advance

Comments

  • eMeS Member Posts: 1,875
    I am familiar with the ISO 27001 standard, but I know of no specific certification that "qualifies" someone to implement, advise, or audit against ISO 27001. This is very different from ISO 20000, for which I am a certified consultant (there is also an auditor certification available).

    I suspect that this situation is because with ISO 20000 a large body of knowledge existed around IT Service Management, for which there were already well-developed certification schemes in place. It was probably a natural outgrowth of these organizations to build certification for ISO 20000.

    The other part of this is that the high-end security certifications (e.g., CISSP), very likely account for ISO 27001. I once read about HIPAA "certifications" being a total scam, because the certifications weren't well respected, and the material was already something that a qualified CISSP would know.

    Perhaps a CISSP can provide their thoughts...

    If you are looking only for some specific ISO 27001 training, I would recommend BSI at: http://www.bsiamerica.com/en-us/Training/Course-areas/Information-security-training/

    MS
  • maumercado Member Posts: 163
    What are the requirements to become ISO 27000 certified?
    I'm a security analyst for a small company in Colombia that specializes in software testing and QA; we would like to have our security department ISO 27000 certified! That's why I'm asking this!
  • eMeS Member Posts: 1,875
    maumercado wrote:
    What are the requirements to become ISO 27000 certified?
    I'm a security analyst for a small company in Colombia that specializes in software testing and QA; we would like to have our security department ISO 27000 certified! That's why I'm asking this!

    1. Achieve the requirements of ISO/IEC 27001:2005. The specification is available at http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103

    With rare exceptions, organizations hire experienced consultants that help them achieve any of a number of ISO standards. I'd be happy to discuss with your organization if at some point you want to facilitate contact.

    Thanks,

    MS
  • nanga Member Posts: 201
    But how do I go about gathering those skills... where does one start to work on this stuff!!!
  • eMeS Member Posts: 1,875
    nanga wrote:
    But how do I go about gathering those skills... where does one start to work on this stuff!!!

    I would say that you are already on your way. You have Security+, which covered ISO 27001/17799 at a high level, if I remember correctly.

    Following that, you might want to talk with some of the people on this board that hold higher level security certs such as CISSP. I believe that there is an experience requirement for that cert, and I think it addresses the topic of 17799/27001. A holder of it can say for sure.

    Another step you might want to take is to get ISO 20000 consultant certified... there are classes that you can take with a really hard test at the end. Another option is to look at certification/training for some of the mature ISO standards, such as 900x. Any experience/certification with one ISO standard should help you towards your goal.

    In fact, if a company achieves 17799/27001 then they have met the requirements for Information Security Management in ISO 20000 in most cases. The point being, ISO specifications are really just a list of controls that, if met, mitigate or eliminate potential risks. Understanding ISO 20000 is definitely applicable to 27001, and vice versa.

    If I can point you to an ISO 20000 consultant class, let me know. They are rare, last 3 days, and require a 1 hour multiple choice test and a 1 hour essay exam at the end. It takes about 6 weeks to get the results, and the pass rate is around 40%. It's very rare and only in demand in certain circles... however, where demand exists supply is limited, so it is very lucrative coupled with IT Service Management experience... make sure you know what you're getting into before you go down this path so that you don't waste your time and money. Also, the ISO 20000 consultant certification has a pre-req of ITIL Foundation, so factor that in as well.

    MS
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 12,076 Admin
    The ISO/IEC 27000-series is used to assure Information Security Management Systems (ISMS), not certify people. You can become an auditor that performs ISMS quality assurance through organizations such as IIA and ISACA.

    Have a look at: ISO27k InfoSec Management Standards Web site