ISO/IEC 27001 lead auditor

The ISO 27001 Lead Auditor certification consists of a professional certification for auditors specializing in information security management systems (ISMS) based on the ISO/IEC 27001 standard and ISO/IEC 19011. This certification is provided by training companies, some accredited and some not. Accredited means having gone through an Accreditation process via a national accreditation body such as Professional Evaluation and Certification Board (PECB).

The training of lead auditors normally includes a classroom and exam portion and a requirement to have performed a number of ISMS audits. Attending the course and passing the exam is not sufficient for an individual to use the credentials of Lead Auditor as professional and audit experience is required.

The course usually consists of 40 hours (four days) of training and a final exam of the fifth day. This certification is different from the ISO 27001 Lead Implementer certification which is targeted for information security professionals who want to implement the ISO 27001 standard rather than audit it or the ISO/IEC 27005 Risk Manager certification which focuses only on the risk management portion of ISO/IEC 27001.

The main benefit from achieving the ISO 27001 Lead Auditor certification is the recognition that the individual can be engaged by information security managers and certification bodies to perform information management system audits under their direction.

The main ISO 27001 auditor certifications normally follow these designations:

• Provisional ISMS Auditor
• ISMS Auditor/Internal Auditor
• Lead ISMS Auditor

Contents 1 Provisional ISMS Auditor 2 ISMS Auditor/Internal Auditor 3 Lead ISMS Auditor 4 External links

Provisional ISMS Auditor

The Provisional ISMS Auditor / Provisional Internal ISMS Auditor certification is for an individual who doesn't have enough experience to conduct audits. Requirements are:

• Secondary education (minimum)
• 5 years of work experience (or 4 years plus degree / near degree)
• 1 year of work experience - information security related
• Having successfully completed an ISMS foundation course and an ISMS auditor course
• No audit experience

ISMS Auditor/Internal Auditor

The ISMS Auditor certification is for an individual with substantial audit experience but no experience in leading an audit. The ISMS Internal Auditor certification is for an individual with substantial internal audit experience. Requirements are:

• Secondary education (minimum)
• 5 years of work experience (or 4 years plus degree / near degree)
• 2 year of work experience - information security related

Lead ISMS Auditor

The Lead ISMS Auditor is for an individual with substantial experience in leading an audit. Requirements are:

• Secondary education (minimum)
• 5 years of work experience (or 4 years plus degree / near degree)
• 2 year of work experience - information security related
• Having successfully completed an ISMS foundation course and an ISMS auditor course
• Having completed at least 4 audits for a total duration of at least 20 days, as well as 3 audits as a lead auditor for a total duration of at least 15 days.

External links

• IRCA
• RABQSA
• PECB