ISO 27001 auditing: 6 things to know about auditing training and careers
ISO 27001 is one of the most well-known and widely adopted frameworks for how organizations should manage their information security. There are two types of organizations that use it, says Ralph O’Brien, an Infosec Skills author and practitioner who’s been focusing on privacy for the past 22 years.
“There are proactive organizations that say, ‘This is a good thing that gives us a security structure. It gives us governance. It gives us real benefit. It’s a competitive advantage. Let’s go and do this because we want to do it.’ And then there will be more reactive organizations that have to do it to win a tender or as a barrier to enter into a contract. They realize, ‘Dang, we can’t even apply to work with this other business unless we have it.’”
In the second case it can take a lot longer for the organization to see and reap the benefits from the information security management system that results, said O’Brien.
We talked to Ralph O’Brien about his new ISO 27001 Audits learning path, how IT and cybersecurity professionals can benefit from learning these skills, and his advice for those looking to break into the auditing field.
What is ISO 27001?
Ralph: ISO 27001 is an international standard that creates an information security management system (ISMS) that an organization can be certified or badged against. It’s similar to other security standards like a SOC 1 or a SOC 2, and we’ve seen it mandated in some industry sectors and supply chains across the world, especially in Japan, the UK, Europe and the U.S. It’s about ensuring that what’s under your management’s control has the right level of security applied to it. So where the 27000 family of standards really has its strength is in making sure that you have assessed the level of security you need, that you’ve delivered upon that security, and that you’re measuring and monitoring and improving the level of security you’ve put in place.
In this learning path, we’re looking at a lead auditor. So on top of the 27001 standard, we are then looking at how a lead auditor would use both hard knowledge of the standard and softer skills in order to evidence and assess compliance to that certification standard.
Who should take the ISO 27001 Audits courses?
Ralph: We actually break the learning path down into a few different bits. Obviously, we give you the theory on what 27001 and 27002 and other standards in the family are, and how you go about getting certified to 27001 — and there’s quite a lot there. We also walk through all of the security controls in its sister standard, ISO 27002, and how the two are related. So we take apart both the management system standard and the controls framework standard. And then we talk about how you might go about auditing them, both hard skills and soft skills, and what’s required to kind of get “the badge on the wall” — the accredited certification.
It’s going to be useful for anyone seeking that badge. It’s going to be useful for anyone who’s going to be delivering internal or external audits, or even consultants, or people who will be assessing organizations to see whether they would be able to get that badge — either pre-audit or internal audit, or external audit themselves.
Will students be learning about specific security controls?
Ralph: Yes, ISO 27002, the control standard, contains 14 different domains and over a hundred security controls. But what’s interesting about the 27002 framework is they’re not mandatory or exhaustive. That means you’re expected, within the 27001 framework, to know your organization, and do a risk assessment to select the “right controls for you”. There are actually all sorts of other standards and frameworks out there that contain controls. There’s privacy management, 27701. There’s cloud security controls, 27017. There are all sorts of other standards which contain control frameworks that technically you could plug into the 27001 framework overview. However, we focus here on the 27002 controls as a matter of priority.
So to me, what 27001 says is, “Know yourself. Know who you are. Do a risk assessment. Understand your security controls. Measure and monitor them. Improve them.” I think what’s really important to understand is that rather than containing defined requirements, it’s actually a very general standard. It kind of says, “This is how you run a security management system, and the controls and the control strength that you assign to that, well, that is going to be entirely dependent on what you self-assess as part of the process.” Obviously, the level of security in a top-secret nuclear bunker is far different from that of a corner grocer, but both can obtain the badge.
What are the career benefits of learning ISO 27001?
Ralph: ISO 27001 perhaps has its biggest market in Japan, Europe — especially the UK — but we’ve seen it creep into America and a lot of the bigger providers are certainly getting 27001 certificates for data centers or cloud providers, and now organizations won’t dream of getting into bed with partner organizations unless they have those badges. So we are starting to see those certifications arise very similarly to how SOC 1 and SOC 2 became very prevalent across the U.S.
The other advantage to these badges is if you’re already audited by an external third party, then perhaps you won’t get audited again by your customer because they’ve got this other badge or the audit report they can look at and rely upon. But who the course is going to attract is anyone involved in that process, from the management to the auditors to the security teams. Anybody who needs to understand the way these management systems would apply to the way their organization works.
What are some continuing education options to take after ISO 27001 Audits?
Ralph: From a 27001 point of view, it’s not a technical course, so it doesn’t teach you how to be, say, a Microsoft engineer. It talks about security management in its widest sort of form. I’d say two types of people will be taking these courses: people who are interested in 27001 and people who are going to get lead audit skills out of it. Now from there, you may want to specialize in auditing or you may want to specialize in security or you may want to specialize in management. So there are plenty of directions you could go next.
Do you have any advice for those trying to break into the field?
Ralph: Auditing’s as much around soft skills as hard skills. I know a lot of auditors who get very excited when they first get into the field and feel like it’s their job to find fault or nonconformity. They get very excited and start jumping up and down when they’ve got an audit finding. One of the things I teach is ensuring that you’ve got it right. I, too, have fallen victim to enthusiasm, saying, “Look — there’s an audit finding!” and then at the end of the day management explains, “Well, if you’d looked there, you would’ve found this.” You look like a fool. So rather than jumping on audit findings, the first question I ask is, “Well, what have I done wrong? What did I miss?”
The other thing for auditors to learn is that they’re not consultants, and their job stops when they’ve found that they can or cannot evidence the requirements. A lot of auditors go on a bit further and recommend, and that’s really a consultant’s job. The auditor’s skill is in how to audit. The auditor’s skill is in evidencing the requirements and not in having an opinion, remaining impartial. At the end of the day, it’s for the organization to generate a corrective action and for the auditor to perhaps agree with that. But who gives an auditor who’s been auditing for three years the right to tell a security professional of 30 years how to run their security division?
So focus on your job, make sure that you are quite scientifically evidencing the requirements against the criteria, and when you can’t evidence them, give an audit finding. But make sure that you don’t overstep your bounds from auditor into consultancy.
To learn more about Ralph O’Brien’s ISO 27001 Audits learning path, create your free Infosec Skills account.
About Ralph O’Brien
Ralph is a trusted advisor on global privacy and security compliance, practices and management. His experience includes strategic GDPR adoption programs, advisory services and assurance delivery in global multinational environments.
He has worked in a wide variety of industry sectors including defense, public sector, pharma and financial services, representing both multinational corporations and boutique specialist consultancies.
He continues to be a hands-on practitioner, combining business-level consultancy with training and technical experience. He was responsible for the first global joint 27001/25999 management system to be certified. With a focus upon business processes and the protection of information, and an ethos of management assurance, risk management and knowledge transfer, he continues to ensure effective protection of assets appropriate to the business needs of the client.