The implementation of an ISO 27001-compliant ISMS can seem dauntingly complex, and it can be difficult to know how the standard’s specifications should be applied to your organisation’s particular circumstances. Failure to understand or comply with a particular requirement of the standard could jeopardise your implementation project, which in turn could mean failure of the certification audit, and that could cost your organisation dearly. It is therefore essential that your implementation team is appropriately trained in order to ensure the success of the project.
Self-study v training course
Firstly, you must decide on your best approach to learning. Each learning approach has its own advantages and disadvantages and is suitable for different types of staff member. For the senior managers who will lead the implementation project:
- Self-study is often the least expensive option, but its success relies on extensive personal time commitment, and it has been shown to take longer to deliver than other approaches.
- E-learning is more effective but in many ways just offers a digital version of the self-study option. Many larger organisations choose this solution for staff awareness programmes but can neglect to provide the support and mentoring required to ensure that delegates actually benefit from the course. It can also be disadvantageous that e-learning only provides training for individuals and does not support the training and coordination of a wider team.
- Instructor-led classroom sessions remain the most effective and quickest method of ensuring delegates gain the requisite skills and knowledge. This method also supports team training, which allows delegates to understand how ISO 27001 processes apply to their particular organisation. The disadvantage of traditional classroom training courses is that they usually have high prices and involve the additional associated costs of transport, accommodation, subsistence and time away from the office.
- In-house (or onsite) training refers to the delivery of a classroom training course at an organisation’s own premises to a group of people, and provides all the benefits of focused public classroom courses with none of the associated extra expense and disruption.
Who should be trained?
A typical implementation team will comprise senior-level IT staff (e.g. the IT Director, IT Manager and Information Security Manager) and other data managers (e.g. the HR Manager), all of whom will need to be trained to Foundation level. Of these, there will need to be a Lead Implementer to manage the implementation project, supported by a Risk Manager and an Internal Auditor. (The Lead Implementer and Risk Manager may well be the same person.) Many teams will also train one member of staff as an ISO 27001 Lead Auditor in order to understand the requirements and the methodology employed by an external auditor from a Certification Body like BSI or LRQA.
IT Governance Ltd is responsible for the world’s first accredited programme of ISO 27001 education that offers a learning path with training courses from Foundation through to Advanced level. All courses offer delegates the opportunity to enhance their career development by attaining industry-standard qualifications awarded by IBITGQ.