
Let's chat about something important for HR and the company's information security certification. It's crucial to get this right, especially when hiring people.

I keep repeating that, but it's key to know that IT security isn't the same as information security, and information security differs from an information security management system. We don't want to end up hiring someone to manage the system when they don't really know what it's all about, right?

Let's look at the typical company's structure. This includes all sorts of roles, experiences, and certifications people might have. When we talk about an ISO management system, we're talking about the whole organization, not just a part.

Technical roles:

In this setup, the technical specialists like engineers, developers, and IT security folks, represented by gray blocks, usually don't deal with areas like management, supply chain, HR, sales, marketing, or legal.

Now, about certifications:

  • CISSP is for Information Systems Security Professionals.
  • CISA is for Certified Information Systems Auditors.
  • CISM is for Certified Information Security Managers.

These certifications are focused on information systems or IT security, not the broader information security of the entire organization, including management and other departments.

Financial roles:

Moving on to financial audits: these are totally different from information security and from ISO audits. They're separate careers with different degrees. Financial audits are vital for financial organizations, but they're not about information security framework governance or any other infosec compliance or IT security audits, and they are not about ISO audits, either. Only the green block inside the organization requires a CPA and financial experience.

However, for a SOC 2 report, a certified accountant (CPA) does the auditing. Still, inside the organization, the prep work must be done by someone with ISO 27001 certification and experience, and that person doesn't need to be a certified CPA. And guess what? Only a few accountants have this kind of experience! I would say less than 0.5% of all certified accountants. Therefore, SOC 2 is usually audited by a pair of auditors: one is a CPA, and the other is ISO 27001 certified and experienced.

Let's talk about legal degrees. People in red-highlighted roles might have them, and it's useful. As a lawyer by degree, it helps to understand the foundation of the legislation structure, texts of standards, and applicability of laws and standards for internet services, for example. But it's not a requirement - the most important thing is having relevant certification and governance experience. Very few lawyers have experience in ISO or governance - those are very different roles and professions.

Governance and compliance roles (ISO certification):

Lastly, an ISO auditor or implementer needs to cover all company areas and know how to apply the standard to each one: every step, every process, starting from the annual management review meeting and down to each department's performance. You can see that in the chart above: everything marked by the ISO label is included in and covered by ISO audits.

And here's the thing: none of these ISO compliance or governance specialists need to know coding or how to do a penetration test. If they do, I'd question their ISO experience and audit skills. Why? Because the ISO auditor role is in high demand on the market right now and is a well-paid job with many challenges and developing pathways within the ISO standards. Why would people with that experience and knowledge get sidetracked or downshift to a narrow technical field?

Again, ISO is the management system audit, not the technical audit of one part of the software development process. These are two completely different roles and degrees. Who would you find if you tried to hire a highly paid CEO who would be willing to do coding, testing, and cold calls to sell the product? That is precisely the same!

Real case study:

To conclude, if you send me a job role for an Information Security Compliance Manager that requires a mix of accounting, software development, coding, management, infrastructure security skills, and years of experience in each, I'll see it as a huge red flag. It's like asking for a professional ice hockey player who's also a commercial pilot, a certified welder, and a coder and has over ten years of experience and multiple certifications in each field.

It shows you might not understand what you're looking for. And when I see your company in my next ISO audit schedule... well, you can guess how I'd feel and what I'd expect. Who would you find by that job description in the next two months? What is the strangest result of that work I will see there?

My advice? Do your research better, and please avoid sending out job descriptions that don't make sense, especially if your future, already-assigned ISO auditor can see them. Please send this article to your recruitment agencies or colleagues; it may save your company's future ISO certification.
