Implementing an ISO 27001-compliant ISMS can seem dauntingly complex, and it can be difficult to know how the Standard’s specifications should be applied to your organisation’s particular circumstances. Failure to understand or comply with a particular requirement of the Standard could jeopardise your implementation project, which, in turn, could mean failure of the certification audit, potentially costing your organisation dearly. It is therefore essential that your implementation team is appropriately trained in order to ensure the success of the project.
Self-study vs training course
Firstly, you must decide on the best approach to learning for your organisation. Each approach has its own advantages and disadvantages, and is suitable for different types of staff. For senior managers responsible for leading an ISO 27001 project, I can offer the following advice:
- Self-study is often the least expensive option, but its success relies on extensive personal time commitment, and has been shown to be less reliable and to take longer than other approaches.
- E-learning is more effective but in many ways just offers a digital version of the self-study option. Many larger organisations choose this solution for staff awareness programmes but neglect to provide the support and mentoring required to ensure that staff actually benefit from the course. E-learning also only provides training for individuals and does not support the training and coordination of a wider team.
- Instructor-led classroom sessions remain the quickest, most effective method of ensuring delegates gain the requisite skills and knowledge. This method also The disadvantage of traditional public classroom training courses is that they usually have higher prices and associated costs of transport, accommodation, subsistence and time away from the office.
- In-house (or on-site) training refers to classroom training for a group of people at an organisation’s own premises. It provides all the benefits of focused public classroom courses with none of the extra expense and disruption. The downside is that a minimum of 5-10 delegates is required to make the session cost-effective, and a one-session-fits-all approach does not provide the training required for specialist roles such as internal auditor and lead auditor.
Who should be trained?
A typical implementation team will comprise senior-level IT staff (e.g. the IT director, IT manager and information security manager) and other data managers (e.g. the HR manager), all of whom will need to be trained to Foundation level. Of these, there will need to be a Lead Implementer to manage the implementation project, supported by a Risk Manager and an Internal Auditor (although the Lead Implementer and Risk Manager may well be the same person). Many teams will also train one member of staff as an ISO 27001 Lead Auditor in order to understand the external certification auditor’s requirements and methodology.
IT Governance Ltd is responsible for the world’s first certificated ISO 27001 education programme, which offers a learning path with training courses from Foundation through to Advanced level. All courses offer attendees the opportunity to enhance their career development by attaining industry-standard ISO 17024-certificated qualifications awarded by IBITGQ.