Information Security Management Systems Certification Scheme (ISMS)

The IRCA Information Security Management Systems (ISMS) Certification Scheme is for auditors using ISO 27001.

Make an enquiry

Complete the form so that we can best advise you on your next steps to membership and future success.

To be certificated to this scheme, you'll need to demonstrate that you have the skills to audit the proper implementation of ISO 27001.

Who the scheme is for

  • ISMS auditors, such as those employed/contracted by third-party certification/registration bodies and those involved in first or second-party ISMS audits
  • Information security practitioners, such as information security consultants, IT security managers and IT personnel
  • Employees conducting ISMS audits within their own organisation (internal audits).


As an information security management systems auditor you need to demonstrate that you:

  • Know the range of application for an ISMS
  • Know the information security-related legislation applicable to the country (or countries) of operation
  • Know the techniques and tools used in information security management
  • Understand the potential business impacts of ISMS
  • Understand the importance of asset and owner identification
  • Know the control objectives and how these are addressed
  • Understand risk assessment and identification
  • Understand threats, vulnerabilities and impacts
  • Understand the difference between risk assessment and risk evaluation
  • Understand the methodology of risk treatment, application, residual risk and review of risk treatment plan
  • Know and understand the importance of the statement of applicability in the ISMS, and how it is used
  • Know the difference between an IS event and incident.

The ISMS scheme is based on the following key standards:

  • ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements
  • ISO/IEC 17799:2005 Information technology – Security techniques – Code of practice for information security management
  • EA 7/03 Guidelines for the accreditation of bodies operating certification/registration of information security management systems
  • ISO/IEC 27001:2013, which provides correspondence and alignment with ISO 9001:2000 Quality management systems – Requirements and ISO 14001:2004 Environmental management systems – Requirements with guidance for use.

Apply now for certification

ISO 27001:2005 has now been replaced by ISO 27001:2013. If you were previously certificated with us under ISO 27001:2005 and have not completed transition training to ISO 27001:2013, you will no longer be eligible for certification to this scheme. Please contact our membership team to discuss how you can become certified again using the link below.

Acceptable alternative standards

We may accept audits to alternative standards not listed on the IRCA certification scheme. To find out more please visit the Acceptable Alternative Standards page.
