ISO 27001/2 & Information Security Awareness Training
Information security awareness training has historically been seen by some as more of a compliance requirement than a real information security control. However, with the passage of time and the evolution of cyber threats, this is no longer the case.
For ISO 27001 compliance, it is essential to comply with clause 7.2.2. Even more important, however, is to establish a culture of information security within your organisation and see to its adoption by all employees.
Our employees are our first line of defence, and it is essential to empower them with the right security mindset.
In this article, Ben Pollard — a Lead ISO 27001 Auditor — gives his advice on:
- How to comply with ISO 27001/2 through security awareness training
- The essential ingredients for effective security awareness training
- The benefits of achieving ISO 27001/2 compliance
- How to get started today
Achieving compliance and crafting your human security culture
The ISO 27001/2 clause 7.2.2 states:
‘Information security awareness, education and training - All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function’.
This means that organisations should develop effective education and awareness training programs in line with their internal information security policies.
This should be done in addition to following industry best practice, taking into consideration the corporate information to be protected, and also the security controls that have been implemented to protect the information.
What your security awareness program should include
To comply with ISO 27001/2, your security awareness training program should consider different forms of education and training. For example:
- Cyber security alerts and advisories
The benefits of complying with ISO 27001
How to keep ongoing security awareness training effective and manageable
Awareness programs should be:
- Planned ahead of time and take into consideration the different employee roles within your organisation.
- Scheduled over time and repeated at least monthly, so that the training is continual and covers new employees and third-party contractors.
- Updated regularly, so that the content stays in line with organisational policies, changes in the threat landscape, and lessons learnt from internal and external information security incidents.
We believe that following these simple guidelines will help an organisation comply with ISO 27001/2 clause 7.2.2 and, more importantly, will educate, empower and protect its users against the constant barrage of cyber threats.
This in turn will protect organisations and their clients, their data and of course their reputation!
Meet your ISO 27001 staff training requirements with usecure🚀
Learn how usecure enables businesses to easily implement ongoing security awareness training that meets ISO 27001 requirements and drives user resilience through admin-lite automation.
About the Author - Ben Pollard
Ben Pollard is a Lead ISO 27001 Auditor, Director at Cyber Security Specialists and Non-Executive Director at usecure.