Information Security Management Systems Certification Scheme (ISMS)

To be certificated in this scheme, you'll need to demonstrate that you have the skills to audit the proper implementation of ISO/IEC 27001.

Who the scheme is for

• ISMS auditors, such as those employed/contracted by third-party certification/registration bodies and those involved in first or second-party ISMS audits
• Information security practitioners, such as information security consultants, IT security managers and IT personnel
• Employees conducting ISMS audits within their own organisation (internal audits).

Requirements

As an information security management systems auditor, you need to demonstrate that you:

• Know the range of application for an ISMS
• Know information security-related legislation applicable to the country(s) of operation
• Know the techniques and tools used in information security management
• Understand the potential business impacts of ISMS
• Understand the importance of asset and owner identification
• Know the control objectives and how these are addressed
• Understand risk assessment and identification
• Understand threats, vulnerabilities and impacts
• Understand the difference between risk assessment and risk evaluation
• Understand the methodology of risk treatment, application, residual risk and review of the risk treatment plan
• Know and understand the importance of the statement of applicability in the ISMS, and how it is used
• Know the difference between an IS event and an incident.

The ISMS scheme is based on the following key standards:

• ISO/IEC 27001:2022 Information technology – Security techniques – Information security management systems – Requirements
• ISO 19011:2018 – Guidelines for auditing management systems