ISO 27001:2022 A 6.3 Information security awareness, education and training

Uncategorized 8 Minutes

Audio version of the article

This control aims to ensure that employees, contractors, and third-party users are aware of information security threats and concerns, of their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work and to reduce the risk of human error. It covers the need for employees of an organisation to receive appropriate information security awareness, education, and training, plus regular updates of the organisation’s information security policy, especially as it applies to their job function.Employee Orientation for new employees: All new employees should participate in new employee orientation workshops or be provided with pertinent information including security policies and procedures and potential disciplinary processes/actions for any security breaches. Additionally, new employees should be required to sign an acknowledgment indicating that they read and understand the organization’s acceptable use policy, the organization’s security policies, and any non-disclosures (if applicable). All managers and supervisors should be expected to emphasize the importance of security to their employees. Organizations should provide relevant information security information delivered on a defined schedule (annually, bi-annually, etc.) appropriate to the employee’s job roles and responsibilities. All employees should be required to take general training on basic information security practices and/or acknowledge their basic understanding of the organization’s security policies and procedures. The main benefit of Information Security awareness training is protection from attacks on digital systems or a data breach. Preventing such incidents is critical because a successful cyber attack can financially cripple an organization and significantly harm its brand reputation.

A 6.3 Information security awareness, education and training

Control

Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function.

Purpose

To ensure personnel and relevant interested parties are aware of and fulfill their information security responsibilities.

ISO 27002 Implementation Guidance
General

An information security awareness, education and training programme should be established in line with the organization’s information security policy, topic-specific policies and relevant procedures on information security, taking into consideration the organization’s information to be protected and the information security controls that have been implemented to protect the information. Information security awareness, education and training should take place periodically. Initial awareness, education and training can apply to new personnel and to those who transfer to new positions or roles with substantially different information security requirements. Personnel’s understanding should be assessed at the end of an awareness, education or training activity to test knowledge transfer and the effectiveness of the awareness, education and training programme.

Awareness

An information security awareness programme should aim to make personnel aware of their responsibilities for information security and the means by which those responsibilities are discharged. The awareness programme should be planned taking into consideration the roles of personnel in the organization, including internal and external personnel (e.g. external consultants, supplier personnel). The activities in the awareness programme should be scheduled over time, preferably regularly, so that the activities are repeated and cover new personnel. It should also be built on lessons learnt from information security incidents.
The awareness programme should include a number of awareness-raising activities via appropriate physical or virtual channels such as campaigns, booklets, posters, newsletters, websites, information sessions, briefings, e-learning modules and e-mails.
Information security awareness should cover general aspects such as:
a) management’s commitment to information security throughout the organization;
b) familiarity and compliance needs concerning applicable information security rules and obligations, taking into account information security policy and topic-specific policies, standards, laws, statutes, regulations, contracts and agreements;
c) personal accountability for one’s own actions and inaction, and general responsibilities towards securing or protecting information belonging to the organization and interested parties;
d) basic information security procedures (e.g. information security event reporting) and baseline controls (e.g. password security)
e) contact points and resources for additional information and advice on information security matters, including further information security awareness materials.

Education and training

The organization should identify, prepare and implement an appropriate training plan for technical teams whose roles require specific skill sets and expertise. Technical teams should have the skills for configuring and maintaining the required security level for devices, systems, applications and services. If there are missing skills, the organization should take action and acquire them. The education and training programme should consider different forms [e.g. lectures or self-studies, being mentored by expert staff or consultants (on-the-job training), rotating staff members to follow different activities, recruiting already skilled people and hiring consultants]. It can use different means of delivery including classroom-based, distance learning, web-based, self-paced and others. Technical personnel should keep their knowledge up to date by subscribing to newsletters and magazines or by attending conferences and events aimed at technical and professional improvement.

Other information

When composing an awareness programme, it is important not only to focus on the ’what’ and ’how’, but also the ’why’, when possible. It is important that personnel understand the aim of information security and the potential effect, positive and negative, on the organization of their own behaviour. Information security awareness, education and training can be part of, or conducted in collaboration with, other activities, for example general information management, ICT, security, privacy or safety training.

All employees of the organization, and, where relevant, contractors and third party users, should receive appropriate awareness training in and regular updates of organizational policies and procedures relevant to their job functions. Information security awareness, education, and training (IT security awareness) is the process of informing users about the importance of information security and encouraging them to improve their own computer security habits.Users must be made aware of the security risks that can come from their activities and how they can protect themselves against these risks.Information security awareness, education, and training are critical components of any organisation’s success. It is critical that all employees understand the importance of information security and how it impacts everyone.The more employees understand how to protect themselves from cyber threats, the more secure your organisation will be. The organization must ensure that Information Security Awareness programs inform personnel of the existence and availability of current versions of the information security policy, standards, and procedures. The organization must ensure that employee information security awareness and procedures are reinforced by regular updates. Security reminder messages should be posted in secured areas and/or regularly communicated to personnel according to the intended audience and or classification of the notifications. A copy of the information security policies should be issued to all new personnel as they join and to all existing personnel. Personnel should be made aware of the security classifications of the information assets that they use, and that they handle them appropriately, Some of the control includes:

  • a formal induction process that includes information security training, prior to being granted access to information or information systems;
  • ongoing training in security control requirements, legal-regulatory-certificate responsibilities, and correct procedures generally, suitable to each person’s rules and responsibilities; and
  • periodic reminders that cover both general security topics and specific issues of relevance to the organization given its history of security incidents; and
  • other appropriate efforts to raise and maintain awareness of security issues.

In crafting a good security awareness training program, companies should emphasize to employees the criticality of protecting the organization and provide an overview of the corresponding corporate policies and procedures that cover how to work securely and who to contact if they discover a potential threat. They should also tailor the program to reach employees of all levels at different stages of their employment to keep Information security a top priority and prevent any employee, whether brand new or decades in, from endangering the company. An effective training program should reach workers with varying degrees of technical aptitude and knowledge with different learning styles. It should be multifaceted, with a collection of lessons and learning opportunities so it engages everyone in the company, regardless of their knowledge levels and learning styles. Additionally, a comprehensive program has role-based content, delivering instructional material tailored to the needs of an employee’s role and even material tailored to third-party stakeholders, such as business partners and contract workers, to ensure those individuals don’t put the organization at risk.

The training content should range from written material to interactive online learning to gamification sessions so workers can access information in formats they learn best, whether it’s audio, visual, etc. Content should include lessons with varying degrees of complexity so workers can access the most relevant information according to their roles. Follow-up and ongoing messaging reminds workers of the company’s security policies; delivers short refreshers on how to identify and avoid security risks and violations, as well as how to handle possible security problems; and alerts them to any emerging threats. Measuring and reporting worker involvement in training programs, as well as the effectiveness of the organization’s awareness training, help identify any weaknesses in the program and areas in need of strengthening. A good training program typically has a mix of the following:

  • formal education, such as structured lessons and mandatory instruction;
  • informational learning opportunities, such as weekly emails containing tips, policy updates and security news updates;
  • experiential sessions and even gamification, where workers are required to work through simulations and scenarios to test their understanding and reinforce their training so they’re better prepared to handle real-world security challenges; and
  • security champions, workers who have become particularly skilled at understanding security and are willing to teach and promote security best practices among their colleagues.

The security awareness training program should be comprehensive, starting with rudimentary lessons and moving up to advanced materials. It should also include an assessment process to help organizations identify a worker’s level of security awareness and subsequently create a learning pathway for them. Additionally, organizational leaders need to consider that different roles within the organization face different risks and threats while developing the training program. For example, an entry-level employee with limited access to sensitive data and core IT systems likely encounters fewer risky scenarios than a high-level executive who works with the organization’s proprietary information and financial systems or a senior IT employee who is authorized to work on the core technologies that enable the business. Larger organizations with significant HR departments may be able to develop and deliver their own awareness training program or at least supplement it with outside resources. Many organizations choose to outsource most or all of the training, however, considering this the most effective and efficient way to implement necessary education for its employees. Either way, organizational leaders should have mechanisms to measure whether the training is effective at both the enterprise level and at the individual employee level.

Experts agree awareness and training should be ongoing within the enterprise. Ongoing training helps workers build a security mindset, helping them stay diligent, and gives organizations opportunities to educate workers on new policies and procedures and alert them to the new and evolving threats and risks they may face. To best achieve this, organizations should establish a schedule to determine what training to deliver to what employees and how frequently training must occur. Security awareness training should ideally take place when a new employee joins the company as part of a mandatory onboarding process. When assessments, evaluations or testing indicate a lapse in best practices, organizations should consider mandatory training for the whole enterprise or for individual employees. Many organizations opt to use a learning management system to make training content easily and readily available to employees.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply