The ISO 27001 & ISO 22301 Blog

Rhand Leal

How personal certificates can help your company’s ISMS

One of the greatest challenges in managing information security is assuring that people can handle information and execute security activities in a proper manner. Unprepared and untrained people can pose a risk to information, and to business, and they are as dangerous as any other known threats.

ISO 27001 requirements for competencies


ISO 27001 deals with this issue through clause 7.2 in a very straightforward way:

  1. Identify the required competencies for those people whose activities have an impact on information security performance;
  2. Assure that those people have the required competencies, by means of suitable education, training, or experience;
  3. Acquire the required competencies wherever applicable, and evaluate the effectiveness of the actions taken to do that.

Additionally, ISO 27001 has an extra item related to keeping records as evidence that this process has been carried out.

Small organizations, or those without deep in-house IT / security knowledge, can find themselves with the following questions:

  • What competencies do I need?
  • What would be suitable education, training, or experience?
  • How / Where do I acquire the required competencies and evaluate the actions taken?

As with many other management system questions, there are a lot of possible methods to properly handle information security competencies and human resources, but I’d like to present to you the use of personal certificates.

What are personal certificates?

Personal certificates are designations earned by a person to assure qualification to perform a job or task. Usually earned from a professional society or educational institute, they can also be earned from a private certifier (e.g., a manufacturer or supplier).

Some certification programs have rigorous standards for accreditation, similar to those for professional licensure, and that is a key point for supporting personal certifications to help with clause 7.2. The American National Standards Institute (ANSI), the Institute for Credentialing Excellence (ICE), and the International Register of Certificated Auditors (IRCA) are examples of organizations that set standards for accreditation of certification programs.

How can personal certificates help my company comply with clause 7.2?

Let’s take the questions asked earlier to develop this answer, but remember that most of the following information applies only to accredited certification organizations.

What competencies does my company need? Generally, organizations know what products/services they have/need, but not what they need to know to use/operate them. In these cases, product/technology-oriented certifications can help by defining the body of knowledge needed to properly configure/use/operate those products/services. Operating systems, databases and email services are examples of products/services for which you can find suitable certifications that can help you define what competencies your organization needs.

Other relevant cases concern functions/jobs your organization must perform, like management and assurance. For those, you can find profession-oriented certifications. Those certifications focus on non-technological, non-product knowledge, to provide the professional with more holistic competencies about the use of the practices. Project manager, security manager and lead auditor are examples of functions/jobs for which you can find suitable certifications that can help you define what competencies your organization needs. See these articles for more information about ISO 27001 / BS 25999-2 trainings: How to learn about ISO 27001 and BS 25999-2 and How to become ISO 27001 Lead Auditor.

What would be suitable education, training, or experience? To obtain some of these certifications, the professional must submit to the certifying organization evidence of previous education, training, and experience (which varies from certifier to certifier and between types of certification), in the form of school/university certificates, training certificates and employer recommendation letters. From these requirements your organization can define suitable parameters for checking the education, training, or experience levels of its employees.

How / Where does an organization acquire the required competencies and evaluate the actions taken? Once earned, some certifications must be maintained by the professional (a new version of the product could be released or new knowledge published). To stay up to date, professionals must go through training programs, or other verifiable activities that show they are constantly refreshing their knowledge.

To support the professionals in keeping their certifications, many certifiers provide references for training providers or make available events about new products/technologies/practices where they can obtain/share the knowledge necessary to develop their careers. Information about these courses and events can be used by your organization to plan and record activities related to acquiring required competencies.

Should I adopt personal certifications for my staff? As emphasized earlier, all you really need to have to comply with clause 7.2, including the evidence you need, can be found with the accredited organization that issues the certificates. So, why not use personal certifications as selection criteria for hiring, since all you need to comply with clause 7.2 is already available there and can be made available by the candidate? And, why not establish personal certifications as a minimum level for your employees, thereby assuring that your employees are more committed to security practices and self-improvement?

Everyone can benefit

The most recognized certifications are expensive and arduous to earn, and some of them have few professionals certified; this situation reflects on the availability and average salary of these professionals. On the other hand, more competent personnel mean a lower number of incidents and greater productivity. If your organization can balance the costs of higher salaries with the cost savings, this can be a suitable option; if not, you still can use the information provided by the certification organization to define the competencies you need, as a benchmark.

In any case, the fact remains: personal certificates can be very beneficial for both the company and the individual. It’s a win-win proposition.


4 responses to “How personal certificates can help your company’s ISMS”

  1. Usman says:

    thanks Dejan,

    very well explained.

  2. Joshi says:

    I would also love to hear from you on the difference between ISMS policy document and ISMS policy manual. Is it all the same? The manual you referred to here, is it the ISMS policy manual or ISMS manual; is it all the same?

  3. Atul Pandey says:

    Thanks for the intelligent articulation Rhand, it is indeed the ground reality but grossly overlooked by most Implementation Consultants, Service Consumers & Service Providers (for the 3rd party enablers to service portfolio) alike.

    I recently achieved Stage II eligibility of ITSM for an international client & optimized this aspect of Personal Certifications in ITSM too as highlighted in your article above. (They have active ISMS cert, I assist in surveillance audits for same)

    I am grateful to you for presenting it in such a lucid manner, and thanks to Dejan for sharing this link on LinkedIn.
