Having assisted just short of 200 organisations achieve ISO 27001 certification, we are often asked about what we consider to be the critical steps or building blocks when implementing an effective information security management system. Whenever we respond to the question, part of our answer is always “ensure you have the appropriate resources in place.” With human resources, do they have the appropriate skills, knowledge, and experience to carry out their role? The key question then, and one we will address in this blog, is how do you determine if the people who are working under your control are competent from an information security perspective?
The starting point is to sit down and identify what your competency requirements actually are.
There are likely to be a number of roles within your organisation that could have an impact (positively and negatively) on the security of your information. Some of these will be general roles, for example, executive-level managers like your CEO and CFO. There may be senior management roles such as the heads of operational departments within your organisation. Then there are specialist roles, such as the information security manager and of course, there is everyone else! For the latter (i.e. general workforce) there may be little in the way of formal qualifications required when it comes to information security, but there are a number of internal competencies that should be considered including:
- Knowledge and awareness of the company’s policy requirements
- Awareness of the importance of one’s own contribution to information security
- An understanding of how to report security incidents and weaknesses
Some of the more specific roles will naturally have the potential to have a far greater impact on the security of your information. These roles might include your information security manager, data protection officer, internal auditors and technical security specialists, such as your firewall and Windows administrators.
For these roles and others like them, it is important to ensure that each person performing the role is competent in terms of experience and education/training. Again, the starting point is to define what competencies are required, for example:
- Formal education and training related to their specialism
- A minimum number of years’ experience in a role related to their specialism.
In addition to the above, there are of course general competency requirements. The often neglected aspect of competency lies in the ‘soft skills’ area. Examples of soft skills include emotional intelligence, acting as a team player, time management skills and problem-solving. The relevance and importance of a lot of these skills will be driven by the culture and core values of the organisation, but in our opinion, can ultimately have a significant impact on the information security capability of the organisation. If we take the role of information security manager or compliance manager, a key aspect of their role is communicating, influencing, guiding and motivating others to adopt best practice
Once you have defined your competency requirements, you should determine the level of competency that each of the personnel working under your control in the identified roles possesses. This may be easier to determine with some of the ‘harder’ than the ‘softer’ skills, but there are a number of tools out in the market (e.g. psychometric tests) that can help. This will enable you to identify where there is any shortfall incompetency. Where a shortfall exists, plans to remove the shortfall should be developed. This is likely to include training and awareness, but could also be resolved through recruitment and/or restructuring within the organisation, with people moving into roles they are more competent to perform.
It is also important that the competence requirements for roles and the competency of personnel fulfilling those roles are monitored, as changes in the business could affect the competency requirements and changes to technology could lead to competency degradation over time.
Records should also be kept as evidence that personnel working under your control are competent to perform their roles.