15

I recently got offered a promotion but as part of the package I've been requested to do ISO 27001, ITIL, ARPA and other kinds of training. I've previously avoided this sort of training as I felt it would 'distract' me from my technical security knowledge.

In terms of penetration testing, are these qualifications useful? Do these provide good frameworks for penetration testing? I have zero aspirations to become a non-technical manager (at least for the foreseeable future) and compliance/auditing doesn't interest me specifically. However, my knowledge around them is minimal so I'm curious if I should take them up on the offer or suggest technical training instead.

schroeder
NULLZ

3 Answers

14

While it may not be the hardcore technical pentesting you are used to, it will definitely aid you in understanding processes and security controls within a company. This may help you to bring your findings in an understandable way to the business and IT management.

Obviously it also means you could do more than just pentesting as you could also write a standard or baseline (27001).

Don't be afraid to try something new from time to time :).

Lucas Kauffman

  • In my experience it also allows you to manage pen test teams, sell the benefits of testing to risk and compliance officers, and generally widen your horizons... If you want to. – Rory Alsop Feb 23 '13 at 21:44
3

I've rarely found more knowledge to be a detrimental thing. It may not be super useful, but it may help in some rare scenarios.

Peleus
2

Not of much benefit. I am a PenTester with both ITIL and ISO 27k certifications. While ITIL has hardly anything to do directly with information security and is very generic, it can be effective in putting in place a process for faster incident response and change control. ISO 27k exists as a standard and as very broad guidelines for processes to be followed by any organization that takes InfoSec seriously. The standard also provides for audits to measure the effectiveness of information security processes and controls. These audits can include both source code analysis and penetration testing. The only way a penetration tester can find some use for this is to expect that some level of security exists if the organization is ISO 27k certified. You won't be taught a single command when attending these trainings.

The knowledge of ITIL and ISO 27k will be required if you are trying to get a managerial role within big organizations. They like to measure everything and have metrics for nearly all process outcomes. ITIL and ISO 27k are more about process, with scope and mechanisms built in for continuous improvement.

Krishna Pandey