Jacques Badagbon’s new professional skills on ISO27001 implementation
Last May, Jacques successfully passed the PECB ISO/IEC 27001 Lead Implementer exam, taking on the challenge of obtaining an essential and highly acclaimed certification that recognises its holder’s expertise in setting up an Information Security Management System (ISMS). Since this specific training of several days, Jacques has the professional skills to do so according to the standard. Three questions to the new expert.
What is the ISO 27001 standard?
ISO/IEC 27001 is an international standard for information security management from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is entitled “Information technology – Security techniques – Information security management systems – Requirements”. It provides the rules for the certification of organisations.
In concrete terms, this standard allows for the improvement of the level of security within a perimeter defined by the organisation. In addition to technical measures to secure the IT system, it recommends the establishment of good practices. In all, 6 processes make up this standard, which is largely based on the Deming wheel (Plan, Do, Check, Act; the principle of continual improvement) and on risk management.
By securing and consolidating the information security core, the ISO 27001 standard offers guarantees to the organisation’s stakeholders regarding the issues of confidentiality, integrity and availability of data. Entering into a normative process of continual improvement of information security is a regulatory issue in many sectors, particularly in digital health. There is also an interest from a marketing and communication point of view, by inspiring confidence in the organisation’s partners.
How do ISO 27001 Lead Implementer training, evaluation and certification work?
As the person responsible for the security of the information system at Ventio, I found it essential to train myself on the most advanced reference management system on the subject.
My training was provided by Edugroupe, but the examination and certification were delivered by PECB, which is able to certify people. It was a four-day course, a mix of face-to-face and online training with about ten people, followed by the exam on the fifth day. The training is composed of theoretical and practical sessions (case studies, quizzes, discussions…) covering the different parts of the ISO 27001:2013 standard, its annex but also the ISO 27002, ISO 27003, ISO 27004 and ISO 27005 standards.
Indeed, it is important to know that while ISO 27001 gathers the different measures to be checked in order to certify a good management system for the security of information, and is in this sense the certifying standard, it also comes with an annex which proposes 114 measures to be considered in order to meet the standard.
ISO 27002 provides this set of good practices for information security management. ISO 27003 proposes the procedure to follow for the implementation of the ISMS, and the ISO 27004 standard gives recommendations on the indicators and dashboards relating to the ISMS. Finally, ISO 27005 is a methodology for managing information security risks.
The certification examination then covers all aspects of ISO 27001 and also the previously mentioned standards that complement it. It lasts three hours and consists of multiple choice questions and case studies. Professional experience in information security is then required for certification, which is the case with my experience at Ventio.
What is your feedback, Jacques?
This training was very interesting. The heterogeneity of the participants (lawyers, information systems security managers, project managers, cyber consultants, etc.) made the exchanges and practical work quite enriching, showing in particular how the different profiles and positions can react to security problems within a team.
The instructor was also very benevolent and knew how to direct the exchanges in order to maintain cohesion and relevance around the subjects of the standard and information security. He also shared with us his different experiences on these subjects.
I really enjoyed this week of training, which more than met my expectations. I came away with a wealth of skills in IT security management within an organisation, a certification and new professional relationships in the cybersecurity sector. This certification reinforces my skills in the field of data protection, as I am already a provisional DPO and have Cisco CyberOps certifications.
At Ventio, we make it a point of priority to increase internal skills on strategic subjects related to the protection of sensitive data, with a focus on health, in order to be able to support organisations on these subjects. Advice on the ISO 27001 standard and on GDPR compliance in the processing of sensitive health data are services that Ventio is able to offer its clients through certified experts.
Our internal R&D also integrates cybersecurity and regulatory compliance by design into our services, which leads to training and awareness of applicable standards and best practices.
Jacques Badagbon, with this second year of apprenticeship in the company in parallel with his excellent training in the Networks and Telecommunications Master’s degree at Aix-Marseille University, will thus have a solid professional foundation to carry out his missions.
Ventio is also the wind that pushes the region’s young talents towards excellence so that they are ready to face the digital challenges of tomorrow.