
Ben Pollard

ISO 27001 Security Awareness Training

There are many different standards and legislations that require organisations to have information security awareness and education programs.

Here, lead auditor Ben Pollard gives his advice on ISO 27001/2 - the international standard for information security management systems.

ISO 27001/2 and Information Security Awareness Training

ISO 27001/2 clause 7.2.2 states ‘Information security awareness, education and training - All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function’.

Information security awareness, education and training have historically been regarded by some as more of a compliance requirement than an information security control. With the passage of time and the evolution of today’s cyber threats, however, this is no longer the case.

Compliance is still very relevant, and complying with clause 7.2.2 is important in ISO 27001. More importantly, though, a culture of information security should be established within organisations, and that culture should be adopted by all employees. Our employees are the first line of defence, and we must adopt a security psychology that evolves over time and is aligned with the latest internal and external threats.


Gaining Compliance and Crafting your Security Culture

Organisations should develop effective education and awareness training programs in line with their internal information security policies and with industry best practice, taking into consideration the corporate information to be protected and the security controls that have been implemented to protect that information.

The program should consider different forms of education and training which could include:

- Poster campaigns

- Awareness seminars and workshops

- Computer Based Training (CBT)

- Attack simulations (e.g. phishing campaigns)

- Cyber security alerts and advisories

- Cyber security blogs
Getting Started with your ISO 27001 Awareness Training

Awareness programs should be well planned and take into consideration the different employee roles in an organisation. The activities in the awareness program should be scheduled over time and repeated at least annually, so that the activities are continual and cover new employees and third-party contractors. The awareness program content should also be updated regularly so it stays in line with organisational policies, changes in the threat landscape, and lessons learnt from internal and external information security incidents.

We believe that following these simple guidelines will help an organisation be compliant with ISO 27001/2 clause 7.2.2 and turn the weakest link (our employees) into the strongest.
