ISO/IEC 27021:2017 — ISMS Professional Competence

Competence requirements for information security management system professionals

ISO/IEC 27021:2017 specifies the competence requirements for professionals performing information security management system (ISMS) activities — including planning, implementing, maintaining, auditing, and improving an ISMS based on ISO/IEC 27001. It establishes a benchmark for the knowledge, skills, and personal attributes required of ISMS practitioners, and provides a framework for organizations to assess and develop their internal security talent.

ISO/IEC 27021 is the “who” complement to the “what” of ISO/IEC 27001 and the “how” of ISO/IEC 27003/27002. It answers the critical question: what qualifications should the people running your ISMS actually have?

The standard was developed in response to a growing industry need for consistent, internationally recognized competence criteria for information security professionals. Before ISO/IEC 27021, organizations relied on diverse and often incompatible certification schemes that varied significantly in rigor, scope, and quality. This fragmentation made it difficult for employers to compare certifications and for professionals to plan meaningful career development paths. ISO/IEC 27021 addresses this by establishing a common reference framework that certification bodies, training providers, and employers can all align with.

1. Competence Framework Structure

The standard defines competence across four dimensions: knowledge, skills, personal attributes, and qualifications. It recognizes that ISMS professionals operate at different levels — from entry-level practitioners to senior consultants and auditors — and specifies progressively deeper competence requirements at each level.

Competence Dimension   | Description                                                                              | Examples
-----------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------
Knowledge (K)          | Theoretical and factual understanding of ISMS concepts, standards, and methodologies     | Understanding of the PDCA cycle, risk assessment methods, ISO/IEC 27001 clause requirements, control objectives
Skills (S)             | Ability to apply knowledge to perform ISMS tasks effectively                             | Risk identification facilitation, policy drafting, security control selection, internal audit execution
Personal Attributes (P)| Behavioral characteristics that contribute to professional performance                   | Analytical thinking, ethical judgment, communication clarity, stakeholder management, attention to detail
Qualifications (Q)     | Formal certifications, education, and professional experience                            | ISO/IEC 27001 Lead Auditor certification, CISSP, CISM, relevant university degree, years of infosec experience

The competence framework is hierarchical. The standard defines core competence units that apply to all ISMS roles, supplemented by role-specific units for activities such as risk assessment, internal audit, management review facilitation, and incident response coordination.

2. Role-Specific Competence Requirements

ISO/IEC 27021 maps competence units to specific ISMS roles, ensuring that each role has clearly defined acceptance criteria. The table below summarizes the competence requirements for common ISMS roles:

Role                         | Core Knowledge Areas                                                                                   | Key Skills Required                                                                      | Recommended Experience
-----------------------------|--------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|---------------------------------------------------------------
ISMS Manager                 | ISO/IEC 27001 standard, risk management, ISMS architecture, audit principles                           | Project management, policy development, cross-functional leadership                      | 3-5 years in infosec with ISMS implementation experience
Risk Assessor                | Risk methodologies (quantitative/qualitative), threat modeling, control mapping                        | Facilitation, analytical reasoning, documentation, risk communication                    | 2-4 years with a demonstrated risk assessment track record
Internal Auditor             | Audit principles (ISO 19011), ISO/IEC 27001 clauses, evidence collection                               | Interviewing, observation, report writing, nonconformity classification                  | 40+ hours of audit training plus 4 full audits under supervision
Security Control Implementer | Annex A controls, technical security solutions, security architecture                                  | Technical implementation, configuration management, integration testing                  | 3+ years in IT security operations or engineering
ISMS Consultant              | Full ISMS lifecycle, business continuity, legal/regulatory context, industry best practices             | Strategic advisory, gap analysis, remediation planning, stakeholder influence            | 7+ years with multiple full ISMS implementation projects

A well-structured competence matrix serves two purposes: it helps individuals plan their career development paths, and it helps organizations identify skill gaps in their security teams. The best ISMS programs integrate competence management directly into their HR performance management systems.

3. Competence Assessment and Continual Development

The standard emphasizes that competence is not a static attribute. ISMS professionals must continually update their knowledge and skills to address evolving threats, changing regulatory landscapes, and advancing technologies. ISO/IEC 27021 recommends a combination of assessment methods:

  • Formal examinations: Objective tests of knowledge against defined competence units, typically leading to certification.
  • Work product review: Evaluation of actual deliverables such as risk assessment reports, SOA documents, security policies, and audit reports.
  • Observed performance: Direct observation of professionals performing ISMS activities, such as co-sitting an audit or observing a risk assessment workshop.
  • Continuing professional education (CPE): Ongoing learning through courses, conferences, webinars, and self-study, measured in CPE credits per year.

A common pitfall in ISMS competence management is relying solely on certification as a proxy for competence. A certified professional may have passed an examination but lack practical experience or contextual understanding of a specific industry. ISO/IEC 27021 emphasizes the need for demonstrated competence through multiple assessment vectors.

For engineering teams, the competence framework can be operationalized through a skills matrix. Each team member’s current and target competence levels are mapped against the competence units, creating a visual representation of team strengths and gaps. This feeds directly into training budgets, hiring plans, and project resourcing decisions.

4. Frequently Asked Questions

Q: Is ISO/IEC 27021 a certification standard for individuals?
A: Not directly. ISO/IEC 27021 provides the competence requirements framework. Certification bodies (such as PECB, BSI, IRCA) use it as the basis for developing their individual certification schemes, but the standard itself does not issue certificates.

Q: How does ISO/IEC 27021 relate to ISO/IEC 27006?
A: ISO/IEC 27006 specifies requirements for certification bodies that audit and certify organizations for ISO/IEC 27001. ISO/IEC 27021 specifies requirements for the competence of individual ISMS professionals. They serve different scopes: organizational certification vs. individual certification.

Q: Do all members of an ISMS team need to comply with ISO/IEC 27021?
A: The standard recommends that organizations use it as a benchmark for competence assessment, but it is not mandatory for ISMS operation. Organizations of different sizes and maturity levels may adopt it proportionally — a 5-person startup ISMS team will have different competence needs than a 50-person enterprise team.

Q: Does ISO/IEC 27021 cover cybersecurity technical skills (e.g., penetration testing, SOC analysis)?
A: It focuses on ISMS management competence rather than deep technical cybersecurity skills. Technical specialist competence is addressed by other standards — for example, the ISO/IEC 27033 series for network security or ISO/IEC 27032 for cybersecurity practitioner skills.
