In this video, we will cover what is meant by the competence close,
and we'll also look at the required documentation associated with this clause.
This is associated to close 7.2 in the ISO 27,001 step.
Competence is the clause that deals with ensuring that the personnel involved in your SMS and your information security team
and also, to some degree the organization as a whole,
have the necessary qualifications and skills to perform their jobs
for the rest of the organization. This will be to assess whether or not the organization has awareness with regards to information security and what the organization is doing to improve its security posture.
The standard makes reference to four specific requirements with regards to competence.
determine the required competence off personal involved in functions related to information security.
Ensure that the above personal have the appropriate skills, certification and training
where necessary. Ensure that the appropriate personal acquire the required competencies with these do not already exist
and maintain appropriate documented information
for the first point. Your organization needs to establish what the required skill set is.
Do you need a certified I So 27,001 lead implementer to hit up the ice. M s team.
Do you require a C I S S P certified person?
Do you have an in house sock or security operation center?
Do they have the right skills?
Do you have an in house certified ethical hacker or offensive security certified professional?
Or will this be an arts of skills? It
all of these decisions need to be made and formally approved.
Once you know what your organization needs for supporting the ice, um is on its information security function as a whole.
You can go about ensuring that the personnel in each of these rolls has the required certification and skill set.
well, then you move to step three, which is ensuring that personal that do not have the required skill sets or certifications are trained and get the required certifications and skill sets.
This clause is not just focused on information security personal.
It is the rest of the organization as well.
Now it's not feasible for everyone in an organization to have an information security certification,
but it is important that each person in the organization has a basic understanding of information, security terms and concepts,
and the information security policies and controls applicable to your organization.
This is where information security awareness comes into play.
This ensures that everyone has a baseline understanding off required concepts.
What these concepts are. You will need thio decide based on the risk profile of your organization.
I risked department should undergo more in depth training.
if you have an in house development team, it would be beneficial to train this team insecure development and coding practices and educate your programmers on how attacks can happen through specific coding practices
and model practices.
This is one way to help ensure that security is implemented proactively
and not just through a patrol east later on.
So what do you need to document for this
Demonstrating compliance to close 7.2 competence can be done through the maintenance of the following documents.
Of course, this list is not exhaustive,
but is an illustration off some of the common documents that are used
for a nice, amiss implementation project.
It is good to demonstrate some form of understanding off the ice. So 27,001 standard, specifically
training such as this could serve as an illustration, that resource is have an in depth understanding off the standard, how to implement the closes and what to expect from an audience.
Let's go through the examples
certifications of stuff,
for example, and I so 27,001 lead implementer
certifications of your staff in your information security team.
For example, if you have a C i S S p
for a CH or whatever the certification is
attendance registers and content off your information security awareness sessions.
Attendance registers and content off specialized training sessions.
For example, the secure systems development training
as well as any contracts with external parties for specialized services,
for example, independent penetration testing
in this lesson, we went over hard to meet the requirements of the standard with regards to competence for the ice mess and information security.
We also examine some examples of documentation that would assist during a certification orders as one is to ensure compliance against the I. So, 27,001 standard in general