By Jackie Stapleton
I had an argument with someone recently. He said that, as a retired auditor in quality, OH&S and environment, he could write a course on ISO 27001, Information security, cybersecurity and privacy protection – Information security management systems. I agree; I could also write a course on this Standard. However, I couldn’t deliver it or support it! I simply haven’t had the exposure to an ISMS, or the stories and challenges, needed to support teaching others.
This then raised the question: do I need IT experience to work with ISO 27001? A poll that I put on LinkedIn came back with the following results:
You can see that the majority of votes said No, it’s not required, but it helps. The comments were also helpful, including:
“I think basic levels of IT would assist with the access, use and understanding of ISO27001 in ICT and it would ultimately help end users, however, in the end, Policy, procedure and Instructions to reach best practice regarding IP, and associated PII could be understood looking at the standard and general application could be delivered without IT expertise.”
“You don’t need to be an IT expert to work with ISO 27001, but understanding how IT systems are set up and identifying the risks involved is absolutely crucial. Risk identification is key to managing and implementing the right controls. This is not overly technical; anyone can learn it with focus and hands-on experience. It is all about striking a balance between technical awareness and practical management.”
Our very own Information Security Expert, Dr. Georg Thomas, gave a short answer of Yes, primarily for the understanding of Annex A Controls, and backed it up with:
“There should be a ‘sort of’ option 🙂
I agree that being an IT Expert is not required, but knowing the fundamentals of IT and Information Security is a must. This is especially the case with effective risk management (as pointed out) and with the more technical aspects of the standard (e.g. Annex A). Whether an implementer or auditor, having some technical background helps with understanding the controls, what to look for, identifying OFIs, and assists with applying some of that ‘professional skepticism’ used when auditing.”
Then I followed this up with some research on whether I could do a course on ISO 27001 and add this Standard to my auditing and consulting tool belt. What experience do I need? Through my research I found that the recommendation is to have a general knowledge of ISMS concepts and ISO/IEC 27001 before completing a course. This of course led me down the path of asking what this general knowledge is that would help us expand our scope to include ISO 27001.
Learning ISO 27001 is like learning a new language. While I already ‘speak’ the language of ISO 9001, 14001, and 45001, ISO 27001 introduces new words and rules that I need to understand. It’s not just about memorizing the words—it’s about practicing, using them in real-life situations, and getting comfortable with how everything fits together. This is the journey I’m on, starting as a beginner and learning step by step, and I invite you to join me.
Information Security Frameworks
Expanding your expertise to include ISO/IEC 27001 can significantly enhance your career as an ISO professional. Aligning with cybersecurity frameworks like ISO 27001 is widely recognized for its benefits. According to a Forbes article, such frameworks help organizations set goals and priorities for their cybersecurity programs, which can lead to an improved security posture and greater operational efficiency.
By developing proficiency in ISO 27001, you position yourself to contribute to these organizational improvements, thereby increasing your value and potential for career advancement.
Foundational Concepts
Embarking on the journey to understand ISO/IEC 27001 can be both challenging and rewarding, especially for those already versed in standards like ISO 9001, 14001, and 45001. As a fellow beginner in this domain, I’ve compiled a list of the general ISMS concepts highlighting the foundation of an Information Security Management System (ISMS) to facilitate our collective learning experience. By delving into these foundational concepts, we can build upon our existing expertise and effectively navigate the complexities of ISO/IEC 27001 together.
1. Information Security Principles
At the heart of ISO/IEC 27001 are the principles of confidentiality, integrity, and availability. Confidentiality ensures that information is accessible only to authorized individuals. Integrity safeguards the accuracy and completeness of information and processing methods. Availability ensures that authorized users have access to information and associated assets when required.
2. Risk Management
Effective risk management involves systematically identifying, assessing, and treating information security risks. This process helps organizations protect against data breaches, cyber-attacks, and theft or loss of data, ensuring business continuity and resilience.
3. ISMS Framework
An ISMS provides a structured framework for managing security risks. It includes policies, procedures, and processes designed to manage information security systematically, ensuring a cohesive and comprehensive approach.
4. Annex A Controls
Annex A of ISO/IEC 27001 provides a comprehensive list of 93 security controls designed to address various aspects of information security. These controls are organized into four categories: Organizational, People, Physical, and Technological controls. Annex A serves as a reference; organizations are not required to implement all 93 controls. Instead, the selection of appropriate controls should be based on a thorough risk assessment that identifies the specific security risks relevant to the organization’s operations. This risk-based approach ensures that the implemented controls are tailored to mitigate the identified risks effectively.
5. Plan-Do-Check-Act (PDCA) Cycle
The PDCA cycle is a methodology aimed at continual improvement. It involves planning the ISMS, implementing and operating it, monitoring and reviewing its performance, and taking corrective actions to improve and update the system as needed.
6. Legal and Regulatory Requirements
Being aware of the relevant laws and regulations that impact information security management is necessary. This ensures that the organization remains compliant with its legal obligations and can effectively address any legal implications of information security breaches. These can include Privacy Acts, security of infrastructure legislation, Telecommunications Acts, national cyber security strategies and so on.
This article first appeared on Auditor Training Online‘s Lead The Standard newsletter and is published here with permission.