ISO/IEC INTERNATIONAL STANDARD 27021 First edition 2017-10 Information technology Security techniques Competence requirements for information security management systems professionals Technologies de I'information - Tecniques de sécurité -Exigences de compétence pour les professionnels de la gestion des systemes de managementdelasécurité Reference number ISO/IEC 27021:2017(E) IEC s @IS0/IEC2017 JACKEY, MA ut license from IHS IS0/IEC 27021:2017(E) COPYRIGHTPROTECTEDDOCUMENT IS0/IEC 2017, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester. IsO copyright office Ch. de Blandonnet 8 . CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 [email protected] www.iso.org @ IS0/IEC 2017 - All rights reserved licensee=NanyangTechnological Univ/5926867100,User=JACKEY,MA Noreprodu networking permitted without license from IHS IS0/IEC27021:2017(E) Contents Page Foreword ..V Introduction. ...vi 1 Scope. 2 Normative references 3 Terms and definitions 4 Concept and structure. ..1 4.1 General. .1 4.2 Concept of ISMS competence. ..2 4.3 Structure of ISMS competence . 2 4.4 Demonstration of competence. 4.5 Structure of this document. 3 5 Business management competence for IsMS Professionals .3 5.1 General .3 5.2 Competence: Leadership 3 5.3 Competence:Communication .4 5.4 Competence: Business Strategy and ISMS 4 5.5 Competence: Organization design, culture, behaviour and stakeholder management 5 5.6 Competence: Process design and organizational change management 5 5.7 Competence: Human Resource, team and individual management. 6 5.8 Competence: Risk management. .6 5.9 Competence: Resource management .7 5.10 Competence: Information systems architecture. . 5.11 Competence: Project and portfolio management .8 5.12 Competence: Supplier management. 5.13 Competence: Problem management. ..8 6 Information security competence for ISMS professionals .9 6.1 ISMS Competence: Information Security .9 6.1.1 General. .9 6.1.2 Competence: Information security governance .9 6.1.3 Competence: Context of the organization .9 6.2 ISMS Competence: Information Security Planning .10 6.2.1 General. ..10 6.2.2 Competence: Scope of ISMS. .10 6.2.3 Competence: Information security risk assessment and treatment. ..1 6.3 ISMS Competence: Information Security Operation. .11 6.3.1 General. .11 6.3.2 Competence: Information security operations ..12 6.4 ISMS Competence: Information Security Support... ..12 6.4.1 General. ..12 6.4.2 Competence: Information security awareness, education and training .13 6.4.3 Competence: Documentation... ..13 6.5 ISMS Competence: Information Security Performance evaluation. .13 6.5.1 General. ..13 6.5.2 Competence: ISMS monitoring, measurement, analysis and evaluation ..14 6.5.3 Competence: ISMS auditing.. .14 6.5.4 Competence: Management review. ..15 6.6 ISMS Competence: Information Security Improvement .15 6.6.1 General. ..15 6.6.2 Competence: Continual improvement .15 6.6.3 Competence: Technological trends and developments ..16 Annex A (informative) Including knowledge for IsMS professionals as part of a body ..17 of knowledge. pyrtneatonalAllrights reerved iii JACKEY, MA nitted without license from IHS Not for Resale