In this article, Ben Pollard — a lead ISO 27001 auditor, Director at Cyber Security Specialists and Non-Executive Director here at usecure — gives his advice on the international standard for information security management systems, ISO 27001/2.
ISO 27001/2 & Information Security Awareness Training
Information security awareness training has historically been seen by some as more of a compliance requirement than a real information security control. However, with the passage of time and the evolution of cyber threats, this is no longer the case.
For ISO 27001 compliance, it is essential to comply with clause 7.2.2. Even more important, however, is to establish a culture of information security within your organisation and see to its adoption by all employees.
Our employees are our first line of defence, and it is essential to empower them with the right security mindset.
The benefits of complying with ISO 27001
27001/2 clause 7.2.2 states:
‘Information security awareness, education and training - All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function’.
Achieving compliance and crafting your security culture
Organisations should develop effective education and awareness training programs in line with their internal information security policies. This should be done in addition to following industry best practice, taking into consideration the corporate information to be protected, and also the security controls that have been implemented to protect the information.
Learn how usecure enables you to achieve best practice standards through ongoing staff training.
What your security awareness program should include
To comply with ISO 27001/2, your security awareness training program should consider different forms of education and training. For example:
Cyber security alerts and advisories
Getting started with your ISO 27001 awareness training
Awareness programs should be planned ahead of time and take into consideration the different employee roles within your organisation. The awareness program should be scheduled over time and repeated at least monthly, so that the training is continual and covers new employees and third-party contractors.
The awareness program content should also be updated regularly so it stays in line with organisational policies, changes in the threat landscape, and lessons learnt from internal and external information security incidents.
We believe that following these simple guidelines will help an organisation be compliant with ISO 27001/2 clause 7.2.2 and more importantly, will educate, empower and protect our users against the constant barrage of cyber threats. This in turn will protect organisations and their clients, their data and of course their reputation!
Looking for a complete online security awareness training solution that won't bore your employees with long seminars or endless presentations? Try our bite-size, individually tailored SAT today.