ISO/IEC 27021:2017/Amd 1:2021

Overview

ISO/IEC 27021:2017 Amendment 1:2021 focuses on enhancing the competence requirements for professionals involved in Information Security Management Systems (ISMS). This amendment updates the original ISO/IEC 27021:2017 standard by incorporating specific clauses and subclauses from ISO/IEC 27001:2013 into the competence framework. The integration ensures that ISMS professionals meet updated and relevant security management criteria, reflecting best practices in operational planning, risk management, and organizational roles.

This international standard, developed collaboratively by ISO and IEC technical committees, is essential for certifying bodies, auditors, and ISMS implementers who require a comprehensive understanding of information security management competencies aligned with ISO/IEC 27001:2013.

Key Topics

• Addition of ISO/IEC 27001:2013 Clauses: The amendment integrates key clauses to competence requirements, including:

  • Operational planning and control (Clause 8.1)
  • Actions to address risks and opportunities (Clause 6.1, including subclauses)
  • Information security objectives and planning (Clause 6.2)
  • Determining the scope of ISMS (Clause 4.3)
  • Management review processes (Clause 9.3)
  • Understanding needs and expectations of interested parties (Clause 4.2)
  • Organizational roles, responsibilities, and authorities (Clause 5.3)

• Enhanced Competence Criteria: Professionals are expected to demonstrate mastery of these additional clauses, ensuring that their skills and knowledge are in line with the evolving standards of information security management.

• Standard Development and Maintenance: The document is maintained according to ISO/IEC directives with consideration for patent rights and international collaboration, ensuring up-to-date and globally applicable guidance.

Applications

• ISMS Professional Certification: Organizations certifying ISMS professionals can leverage ISO/IEC 27021:2017/Amd 1:2021 to define competence requirements clearly, ensuring certified individuals possess knowledge aligned with ISO/IEC 27001:2013.

• Training and Development: Information security training programs can update curricula to include the newly added clauses, equipping learners with comprehensive skills required by the latest standards.

• Audit and Compliance: Auditors and compliance officers can refer to this amendment for evaluating the competence of ISMS professionals during certification and surveillance audits, promoting consistent and reliable assessments.

• Organizational Security Management: Enterprises implementing or maintaining an ISMS can align their staffing and professional development strategies with the enhanced competence framework to better secure information assets.

Related Standards

• ISO/IEC 27001:2013 – The foundational standard for Information Security Management Systems outlining requirements for establishing, implementing, maintaining, and continually improving ISMS.

• ISO/IEC 27000 Series – A family of standards providing best practices for information security controls, risk management, and implementation guidelines.

• ISO/IEC 27002 – Code of practice for information security controls supporting ISO/IEC 27001 implementation.

• ISO/IEC Directives, Part 1 and Part 2 – Guidelines for the development and editorial rules of ISO/IEC standards ensuring consistency and clarity.

By adhering to ISO/IEC 27021:2017 Amendment 1, professionals and organizations strengthen information security management competencies, facilitating robust protection against evolving cyber threats and supporting effective ISMS operation worldwide.