There are many different standards and legislations that require organisations to have information security awareness and education programs. Here, lead auditor Ben Pollard gives his advice on ISO 27001/2 - the international standard for information security management systems.
ISO 27001/2 and Information Security Awareness Training
ISO 27001/2 clause 7.2.2 states ‘Information security awareness, education and training - All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function’.
Information security awareness, education and training have historically been regarded by some as more of a compliance requirement than a genuine information security control. With the passage of time and the evolution of today's cyber threats, this is no longer the case.
Compliance is still very relevant, and it is important under ISO 27001 to comply with clause 7.2.2. More importantly, however, a culture of information security should be established within organisations and adopted by all employees. Our employees are the first line of defence, and we must adopt a security psychology that evolves over time and is aligned with the latest internal and external threats.
Gaining Compliance and Crafting your Security Culture
Organisations should develop effective education and awareness training programs in line with their internal information security policies and with industry best practice, taking into consideration both the corporate information to be protected and the security controls that have been implemented to protect it.
The program should consider different forms of education and training which could include:
- Awareness seminars and workshops
- Computer Based Training (CBT)
- Attack simulations (e.g. Phishing campaigns)
- Cyber security alerts and advisories
- Cyber security blogs
Getting Started with your ISO 27001 Awareness Training
Awareness programs should be well planned and take into consideration the different employee roles in an organisation. The activities in the awareness program should be scheduled over time and repeated at least annually so that the activities are continual, and cover new employees and third-party contractors. The awareness program content should also be updated regularly so it stays in line with organisational policies, changes in the threat landscape, and lessons learnt from internal and external information security incidents.
We believe that following these simple guidelines will help an organisation be compliant with ISO 27001/2 clause 7.2.2 and turn the weakest link (our employees) into the strongest.