ISO 27001 Implementation Guideline for Clause 7.2, Clause 7.3 & Clause 7.4

Competence


Required activity

The organization determines the competence of persons needed for information security performance and ensures that the persons are competent.

Implementation Guidance

Competence is that the ability to use knowledge and skills to realize intended results. it’s influenced by knowledge, experience and wisdom. Competence are often specific (e.g. about technology or specific management areas like risk management) or general (e.g. soft skills, trustworthiness, and basic technological and managerial subjects).
Competence relates to persons that employment in check of the organization. this suggests that competence should be managed for persons that are employees of the organization and for people as required. Acquisition of upper or new competence and skills are often achieved both internally and externally through experience, training (e.g. courses, seminars and workshops), mentoring, hiring or contracting external persons.
For competence that’s only temporarily needed – for a selected activity or for a brief period of your time, e.g. to hide unexpected temporary shortage of internal personnel – organizations can hire or contract external resources, whose competence is to be described and verified.
The organization should:
Determine the expected competence for every role within the ISMS and choose if it must be documented (e.g. during a job description);
Assign the roles within the ISMS to persons with the specified competence either by:
  • identifying persons within the organization who have the competence (based e.g. on their education, experience, or certifications);
  • planning and implementing actions to possess persons within the organization obtain the competence (e.g. through provision of coaching, mentoring, reassignment of current employees);
  • engaging new persons who have the competence (e.g. through hiring or contracting);
Evaluate the effectiveness of actions 
  • EXAMPLE 1 Consider if persons have acquired competence after the training.
  • EXAMPLE 2 Analyse the competence of newly hired or contracted persons a while after their arrival within the organization.
  • EXAMPLE 3 Verify if the plan for acquiring new persons has been completed needless to say.
Verify that the persons are competent for his or her roles;
Make sure that the competence evolves over time as necessary which it meets expectations.
  • Appropriate documented information is required as evidence of competence. The organization should therefore retain documentation about the required competence affecting information security performance and the way this competence is met by relevant persons.

Awareness

Required activity

The persons doing work under the organization’s control are made conscious of the knowledge security policy, their contribution to the effectiveness of the ISMS, benefits of improved information security performance and implications of not conforming to the wants of the ISMS.

Implementation Guidance

Awareness of persons working under the organization’s control refers to having the required understanding and motivation about what’s expected of them with reference to information security.
Awareness concerns persons who need to know, understand, accept
  • Support the objectives stated within the information security policy;
  • Follow the principles to properly perform their daily tasks in support of data security.
Additionally, the persons doing work under the organization’s control also got to know, understand and accept the implications of not conforming with the ISMS requirements. Implications are often negative consequences for information security or repercussions for the person.
These persons got to remember that an information security policy exists and where to seek out information about it. Many staff in a corporation don’t got to know the detailed content of the policy. Instead, they ought to know, understand, accept and implement the knowledge security objectives and requirements derived from the policy that affect their job role. These requirements are often included in the standards or procedures they’re expected to follow to try to their job.
------------------------------------------------------------------------------------------------------------
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com

Comments

Popular posts from this blog

10 Secrets You Will Never Know About Cyber Security And Its Important

ISO 27001 Annex : A.5 Information Security Policies

Impact Of ISO 27001 Lead Auditor