Information security management is a necessity for all institutions and enterprises that regard company information as valuable assets. Developing, auditing and managing information security depends upon professional expertise in order to achieve the desired information security governance. This research seeks the key skills required for the position of information security management as well as the methods to develop these skills through professional training programs. The study adopts the Delphi method which requires building a list of items through a literature survey and involves experts with certain expertise to modify the list until a consensus on less than 20% of the items is reached. Through completing three rounds of the Delphi technique – data collection, relevance voting and ranking – sixteen skills are shortlisted as the key skills. In the final list, the majority belong to core information security skills, and the top two skills belong to project/process management skills and risk management skills, indicating the importance of these skills for the information security manager role. In addition, a series of related professional training programs and certifications are surveyed, the outcome of which highlights a number of most comprehensive and appropriate programs to develop these determined skills.

Introduction

An Information Security Management System (ISMS) is a set of standards, by which companies can protect their vital information assets in certain industries such as healthcare (Gardiyawasam Pussewalage & Oleshchuk, 2016) and finance (Roumania, Nwankpab, & Roumani, 2016). It mainly focuses on closing the gap in the security systems and processes through risk management (Bojanc & JermanBlazic, 2008; Silva, De Gusmão, Poleto, Silva, & Costa, 2014). Moreover, the process was standardized via the ISO/IEC 27001:2005 (later, revised by ISO/IEC 27001:2013) based on the British Standards BS 7799 and developed by the UK’s Department of Trade and Industry (Humphreys, 2016). The implementation of ISO/IEC 27001 is based on examining various core concepts that are treated either solely or combined, and includes the context of organizations, issues, risks, opportunities, interested parties, leadership, threats, communication, documented information, performance evaluation, risk owners, risk treatment plans, controls, and continual improvement. In this respect, risk management plays a major role in implementing this standard as it should always be planned, controlled and assessed. Information security provides a way to protect the valuable assets of any organization, especially the ones that hold sensitive information. It is based on three main principles, which are (ISO/IEC, 2013): 1 Confidentiality: preventing unauthorized access to sensitive data; 2 Integrity: truthfulness of the data, which cannot be modified without authorization; and 3 Availability: accessibility of the data whenever it is requested by authorized personnel. Information security owes its importance to several issues, especially from the legal point of view. As governmental services increasingly become online day by day, a large amount of vital information about individuals and governments could be at risk in different parts of the world without the presence of security systems (Ozkan & Karabacak, 2010; Saarenpaa, 2008). Studies show that, in an organization, there are many business-related highlights to be considered in ISMS which include, and are not limited to: 1 Preserving information within the organization in order to maintain competitiveness in the market; 2 Sustaining growth by making the needed information available at all times to the company’s decision-makers; and 3 Enhancing communication systems within the organization to support efforts towards stability (Wawak, 2010).