ISO IEC 27021-2017 PDF
Name in English:
St ISO IEC 27021-2017
Name in Russian:
Ст ISO IEC 27021-2017
Original standard ISO/IEC 27021-2017, full version in PDF. Additional information and a preview are available on request.
Full title and description
ISO/IEC 27021:2017 — Information technology — Security techniques — Competence requirements for information security management systems professionals. This International Standard specifies competence requirements for professionals who lead or are involved in establishing, implementing, maintaining and continually improving one or more information security management system (ISMS) processes that conform to ISO/IEC 27001.
Abstract
ISO/IEC 27021:2017 sets out the competence requirements (knowledge, skills and experience) expected of ISMS professionals responsible for the planning, implementation, operation, monitoring, maintenance and continual improvement of information security management system processes that conform to ISO/IEC 27001. It is intended to support consistent professional competence across roles involved with ISMS activities.
General information
- Status: Published.
- Publication date: October 2017 (2017-10).
- Publisher: ISO/IEC (International Organization for Standardization / International Electrotechnical Commission).
- ICS / categories: 35.030 (Information technology security techniques).
- Edition / version: Edition 1 (2017). This publication has one amendment, ISO/IEC 27021:2017/Amd 1:2021.
- Number of pages: 21.
Scope
Specifies competence requirements for ISMS professionals leading or involved in establishing, implementing, maintaining and continually improving one or more information security management system processes that conform to ISO/IEC 27001. The standard is focused on the professional capabilities needed to support ISMS lifecycle activities rather than prescribing organisational processes or controls themselves.
Key topics and requirements
- Defined competence elements (knowledge, skills and experience) for ISMS roles involved in planning, implementing and maintaining ISMS processes.
- Expectations for understanding ISO/IEC 27001 requirements and structure, including risk-based approaches to information security.
- Technical and managerial knowledge areas relevant to ISMS (information security concepts, risk management, security controls, legal/regulatory considerations).
- Experience-based requirements and evidence (practical experience in ISMS activities, leadership of ISMS projects or processes).
- Communication, stakeholder engagement and continual professional development as aspects of competence.
- Guidance to organizations, HR and certification bodies on assessing and recognising ISMS professional competence (applicable to hiring, training and personnel assignment decisions).
Typical use and users
Used by organizations to define role profiles and hiring/training requirements for ISMS professionals, by consultants and trainers developing ISMS competency curricula, and by certification/accreditation bodies and peer reviewers to understand expectations for personnel competence related to ISO/IEC 27001 implementation and oversight.
Related standards
Closely related to ISO/IEC 27001 (requirements for an ISMS) and ISO/IEC 27002 (controls guidance). It complements guidance and competence topics in ISO/IEC 27007 (guidelines for ISMS auditing) and aligns with requirements used by certification and accreditation schemes such as ISO/IEC 27006 (now updated as ISO/IEC 27006-1:2024 for audit/certification bodies). These related standards provide the normative requirements (27001), controls guidance (27002), audit guidance (27007) and certification/accreditation requirements (27006 / 27006-1) that interact with the professional competence concepts in ISO/IEC 27021.
Keywords
ISMS, information security, competence, skills, experience, ISO/IEC 27001, professional requirements, accreditation, certification, ISMS personnel
FAQ
Q: What is this standard?
A: ISO/IEC 27021:2017 is an international standard that specifies competence requirements for professionals who lead or are involved with information security management system (ISMS) processes conforming to ISO/IEC 27001.
Q: What does it cover?
A: It covers the expected knowledge, skills and experience for ISMS roles (planning, implementation, operation, monitoring, maintenance and continual improvement), and provides a basis for assessing and recognising ISMS professional competence.
Q: Who typically uses it?
A: ISMS managers and practitioners, HR and competency managers, training providers, consultants, and accreditation/certification bodies or peer reviewers who need to define, assess or verify the competence of personnel involved with ISO/IEC 27001-based ISMS activities.
Q: Is it current or superseded?
A: The standard was published in October 2017 (Edition 1). It has one published amendment (ISO/IEC 27021:2017/Amd 1:2021). As of the publication record, the document remains published and subject to the normal ISO review cycle. For the latest status (confirmation of review outcome or any subsequent revisions) consult the ISO catalogue entry.
Q: Is it part of a series?
A: Yes — it is part of the ISO/IEC 27000 family of information security standards and is intended to be used alongside companion standards such as ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27007 and the standards addressing certification/accreditation of ISMS audits (e.g., ISO/IEC 27006 and the updated ISO/IEC 27006-1:2024).
Q: What are the key keywords?
A: ISMS, competence, information security, ISO/IEC 27001, professional requirements, accreditation, certification, skills, experience, ISMS auditor/manager.