There are many different standards and regulations that require organisations to have information security awareness and education programs. In this article, lead auditor Ben Pollard gives his advice on ISO 27001/2 - the international standard for information security management systems.
ISO 27001/2 and Information Security Awareness Training
ISO 27001/2 clause 7.2.2 states ‘Information security awareness, education and training - All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function’.
Information security awareness training has historically been seen by some as more of a compliance requirement than a real information security control. However, with the passage of time and the evolution of cyber threats, this is no longer the case.
For ISO 27001 compliance it is essential to comply with clause 7.2.2. Even more important, however, is to establish a culture of information security within your organisation and see to its adoption by all employees. Our employees are our first line of defence, and it is essential to empower them with the right security mindset.
Achieving compliance and crafting your security culture
Organisations should develop effective education and awareness training programs in line with their internal information security policies and with industry best practice, taking into consideration both the corporate information to be protected and the security controls that have been implemented to protect it.
The program should consider different forms of education and training which could include:
- Poster campaigns
- Awareness seminars and workshops
- Computer Based Training (CBT)
- Attack simulations (e.g. Phishing campaigns)
- Cyber security alerts and advisories.
Getting started with your ISO 27001 Awareness Training
Awareness programs should be planned ahead of time and take into consideration the different employee roles within your organisation. The awareness program should be scheduled over time and repeated at least annually, so that the training is continual and covers new employees and third-party contractors.
The awareness program content should also be updated regularly so it stays in line with organisational policies, changes in the threat landscape, and lessons learnt from internal and external information security incidents.
We believe that following these simple guidelines will help an organisation be compliant with ISO 27001/2 clause 7.2.2 and turn the weakest link - our employees - into an essential safeguard against cyber threats.
Looking for a complete online security awareness training solution that won't bore your employees with long seminars or endless presentations? Try our bite-size, individually tailored SAT today.