Information for SMEs
For SME organisations, information security certifications play a key role in the selection of professionals, vendors and consultancies to fill the company’s security roles, or to help the organisation achieve and maintain compliance levels so as to be more marketable to clients or business partners. SMEs may also choose certifications for employees to undertake, to ensure that those employees can continue to fulfil their security-related duties successfully.
Clear security goals should be defined prior to choosing any certified professionals to add to the SME’s skill pool. These goals will define the job requirements, which in turn will determine the certifications the organisation requires. When attempting to match security goals with certifications, SMEs should consider the following questions:
| Questions for SMEs | Considerations |
| --- | --- |
| Is the motivation for security guidance due to current issues, or in order to prepare for the future? | When determining the scope of the security issues facing your organisation (and consequently the types of certified professionals required), SMEs should consider future IT strategy objectives. |
| Are you seeking a professional with a broad understanding of information security management or a technical specialist for a particular part of the security infrastructure? | Examine the certification “Type” and “Key Elements of Knowledge” to gain an understanding of what each certification covers so as to find the best fit for your business needs. Broadbase type certifications will cover a wider array of security concepts, whereas other certification types will provide a more focused approach. |
| Does the SME require certain types of systems/infrastructures audited? | If particular system types require auditing, SMEs should look towards certifications flagged under the “Auditing” type. Checking the “Key Elements of Knowledge” field and also the 17799 & FIPS mappings will help discern whether a certification covers a particular focus area. Tables in the Appendix map out certain broad technology types to various vendor certifications. |
| Are the technologies the acquired professional will be using well defined, and of a certain vendor? Does this vendor have a certification for the given technology? | If the answer is yes, check the vendor certification listing to see if that particular technology has a vendor certification. These certifications generally offer a more in-depth and technical approach to a specific brand of technology, and would be best for an SME in need of such specialised scoping. Tables in the Appendix map out certain broad technology types to various vendor certifications. |
| Do certifications verify a professional’s technical competency? | Many of the independent certifications have technical-style questions in assessments which must be passed prior to becoming certified. However, this is not acceptable as a complete measure of technical competency. If a certification explicitly states that practical experience and/or training is required in order to gain certification, this will give a better indication of a candidate’s practical exposure. |
SMEs must be aware that certifications do not necessarily guarantee technical competence. When searching for a candidate, other key criteria that indicate skill level and appropriateness for a given position should weigh heavily in any selection process.
Finally, the SME should ensure that any professionals under consideration are indeed certified as they claim. Governing bodies of certifications will generally have a service for listing or finding professionals who are currently certified with them. These will generally be available on or through the governing body’s website or the certification’s website.