CISA vs. ISO 27001 Lead Auditor certification
In a previous post, I talked about personal certifications helping the organization to comply with ISO 27001 clause 7.2 (see this post How personal certificates can help your company’s ISMS). In today’s post, I will show you two specific personal certifications (CISA and ISO 27001 Lead Auditor) and how they can be used together to help improve the effectiveness of one of the most critical steps in the Information Security Management System: the ISMS audit.
For practitioners who have reservations about the merits of personal certifications, try to see this article from a knowledge-learning point of view, dismissing the certification process aspects. The main point of this article is to show the knowledge involved in these certifications. So, let us go to them.
A general audit view
The objective of an audit is to identify and evaluate evidence to determine to what extent the audit criteria are being met. To do that, you need three things:
- a systematic audit process, to ensure that all necessary audit inputs are considered and that the audit results are solid and reliable, and can support the audit objectives;
- a knowledge of the audit target (process, product, or service) and the audit criteria, to ensure that critical process steps, or product / service components, are properly audited; and
- related experience in audit practice, since even the best planning can be ruined by unplanned events, or changes made by the client / auditee during the audit, and the audit still must deliver its proposed results.
So, how can auditor certificates, specifically CISA and ISO 27001 Lead Auditor, help you with that?
Certified Information System Auditor (CISA)
Issued by ISACA, a nonprofit, independent association that advocates for professionals involved in information security, assurance, risk management, and governance, the CISA designation recognizes professionals that have demonstrated experience, skills, and knowledge for auditing information systems, considering:
- the process of auditing information systems
- the structure and processes for governance and management of IT
- the process of information systems acquisition, development, and implementation
- the information systems operations, maintenance, and support
- the protection of information assets (policies, standards, procedures, and controls)
Certified ISO 27001 Lead Auditor
Not issued by a specific entity, but required by auditors working for certification bodies like BSI, AENOR, SGS, Bureau Veritas, etc., the ISO 27001 Lead Auditor certification recognizes auditors specialized in information security management systems (ISMS) based on the ISO/IEC 27001 standard and ISO/IEC 19011. Besides that, holders of this certification are recognized as having the necessary expertise to manage a team of auditors by applying widely recognized audit principles, procedures, and techniques. The essential body of knowledge of this certification considers:
- fundamental principles and concepts of information security
- Information Security Management System (ISMS)
- fundamental audit concepts and principles
- ISO 27001 audit process (preparation, performing, and closing)
- ISO 27001 audit program management
Similarities and differences
Being auditor certifications, both require, of course, knowledge related to an audit process, allowing an individual to effectively use a defined reference to assess processes and report on the compliance status of an organization. At this point, the difference between these two certifications is that while ISO 27001 Lead Auditor focuses on the ISO 27001 standard, CISA is more oriented to IT frameworks, like ITIL and COBIT, for example.
Another significant difference is that while ISO 27001 Lead Auditor certification covers all the processes related to an Information Security Management System, and the controls in Annex A of the standard, CISA is more focused on the aspects related to information systems. For example, CISA does not offer much detail related to Human Resources Security (Annex A.7 of the standard), or Physical Security (Annex A.11). On the other hand, it provides detailed information about practices related to Annex A.6 (Organization of information security), A.8 (Asset management), A.12 (Operations security), and A.14 (Systems acquisition, development and maintenance).
And what now – which one to go for?
Your use of the knowledge gained from these certifications will depend on your role in the audit process. If you are the auditor, the CISA knowledge can provide you with a deeper insight into information systems aspects that can make it easier for you to identify vulnerabilities that can compromise information stored/processed by information systems, adding more value to your audit work.
On the other hand, if you are an IT professional, or IT manager, the knowledge from ISO 27001 Lead Auditor can provide you with a better view of the following issues:
- how information systems fit into the big picture of the business;
- their role in protecting information, and
- how other elements, much of which IT people have little control over, can affect their performance
All these aspects can allow an IT team to proactively work on improvements and fix/protect vulnerabilities, or better communicate with other organizational units to understand/explain their requirements.
The whole is more than the sum of its parts – use both certifications
Therefore, working with the knowledge from both certifications can allow a professional to perform a deeper and more precise evaluation of the information systems’ impacts in the context of the organization’s ISMS. Such approach can improve the alignment between security controls (not only those related to IT) and the organization’s needs, resulting in better protection of information, and in the ISMS’s capacity to meet the business strategies and objectives.
To become more familiar with Lead Auditor training, see this free online course: ISO 27001 Lead Auditor Course.