ISO/IEC 27001 lead auditor
The ISO 27001 Lead Auditor certification is a professional certification for auditors specialising in information security management systems (ISMS), based on the ISO/IEC 27001 standard and the auditing guidelines of ISO/IEC 19011. The auditor credential itself is issued by personnel certification schemes such as IRCA (now CQI-IRCA) or the Professional Evaluation and Certification Board (PECB). This is distinct from the certification of an organisation's ISMS: ISO/IEC 27001 certificates are issued by certification bodies, and a certification body is "accredited" when it has passed an accreditation process run by a national accreditation body (for example UKAS in the United Kingdom or ANAB in the United States).
The training of lead auditors normally includes a classroom and exam portion, plus a requirement to have performed a number of ISO/IEC 27001 audits. Attending the course and passing the exam is not sufficient for an individual to use the Lead Auditor credential, because professional and audit experience is also required. An ISO/IEC 27001 certificate can only be issued by an accredited certification body, so a certification audit must be led by a Lead Auditor working for that body and conducted under its procedures, which in turn must conform to ISO/IEC 17021 and ISO/IEC 27006.
The course usually consists of about 40 hours: four days of training, with the final exam on the fifth day. This certification is different from the ISO 27001 Lead Implementer certification, which is aimed at information security professionals who want to implement the ISO 27001 standard rather than audit it, and from the ISO/IEC 27005 Risk Manager certification, which covers only the risk management portion of ISO/IEC 27001.
The main benefit of achieving the ISO 27001 Lead Auditor certification is the recognition that the individual can be engaged by certification bodies to perform information security management system audits under their direction and within their management system.
The main ISO 27001 auditor certifications normally follow these designations:
- Provisional ISMS Auditor
- ISMS Auditor/Internal Auditor
- Lead ISMS Auditor
Provisional ISMS Auditor
The Provisional ISMS Auditor / Provisional Internal ISMS Auditor certification is for an individual who does not yet have enough audit experience to conduct audits. Typical requirements are:
- Secondary education (minimum)
- 5 years of work experience (or 4 years plus degree / near degree)
- 1 year of information security related work experience
- Successful completion of an ISMS foundation course and an ISMS auditor course
- No audit experience required
ISMS Auditor/Internal Auditor
The ISMS Auditor certification is for an individual with substantial audit experience but no experience in leading an audit. The ISMS Internal Auditor certification is for an individual with substantial internal audit experience. Typical requirements are:
- Secondary education (minimum)
- 5 years of work experience (or 4 years plus degree / near degree)
- 2 years of information security related work experience
Lead ISMS Auditor
The Lead ISMS Auditor certification is for an individual with substantial experience in leading audits. Requirements vary by certification body but typically include:
- Secondary education (minimum)
- 5 years of work experience (or 4 years plus degree / near degree)
- 2 years of information security related work experience
- Successful completion of an ISMS Lead Auditor course
- At least 4 audits totalling at least 20 audit days, plus 3 audits as lead auditor totalling at least 15 audit days