So what goes into making a good ISO 27001 consultant?
ISO 27001 consulting is a fairly complex task that requires a combination of skills: understanding the business, understanding information security, and understanding how the two correlate.
The role requires interacting with every team in the organization, together with the ability to see assets and controls across multiple domains.
Therefore the ISO 27001 consultant must have the following basic skills:
- Ability to understand business goals, strategies and objectives. Every organization is unique and therefore requires an acute business understanding of what makes it succeed. After all, security objectives have to fulfill business objectives.
- Ability to align business goals with security goals
- Ability to define a formal risk assessment and risk management approach in line with the business, one that is sustainable and repeatable
- Ability to clearly define, articulate and measure key components of risks such as threats, impacts, vulnerabilities and probabilities using a structured model
- Ability to distinguish assets of different categories
- Ability to distinguish risk uniqueness in each asset or asset groups
- Strong technical background in application, database and network security
- Strong background in researching new vulnerabilities and how they could be exploited in a specific infrastructure
- Ability to present weaknesses in a form that can be evaluated in risk parameters
- Ability to advise the client/top management on whether or not to pursue a given risk/vulnerability
- Ability to define and document policy, procedure and process
- Ability to evaluate technology and automation options
- Ability to advise the client, based on their organizational structure, on who should address a specific gap
- Ability to guide an implementer (the team nominated within the organization for a specific gap) with the right direction on why the policy has to be implemented, in terms of business value and risk reduction
- Ability to evaluate the successful implementation of a control
- Ability to account for the cross-functional impact of a newly implemented policy
Selection of an ISO 27001 consultant therefore has to ensure adequate experience in all of the above.