ISO 27001:2022 A 6.3 Information security awareness, education and training

This control aims to ensure that employees, contractors, and third-party users are aware of information security threats and concerns, of their responsibilities and liabilities, and are equipped to support the organization's security policy in the course of their normal work and to reduce the risk of human error. It covers the need for personnel to receive appropriate information security awareness, education, and training, plus regular updates on the organization's information security policy, especially as it applies to their job function.

Employee orientation for new employees: all new employees should participate in new employee orientation workshops or be provided with pertinent information, including security policies and procedures and the disciplinary processes or actions that may follow a security breach. Additionally, new employees should be required to sign an acknowledgment that they have read and understood the organization's acceptable use policy, its security policies, and any non-disclosure agreements (if applicable). All managers and supervisors should be expected to emphasize the importance of security to their staff.

Organizations should deliver relevant information security content on a defined schedule (annually, semi-annually, etc.) appropriate to each employee's role and responsibilities. All employees should be required to take general training on basic information security practices and/or acknowledge their basic understanding of the organization's security policies and procedures. The main benefit of information security awareness training is a lower likelihood of successful attacks on digital systems and of data breaches. Preventing such incidents is critical because a successful cyber attack can financially cripple an organization and significantly harm its brand reputation.

A 6.3 Information security awareness, education and training

Control

Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function.

Purpose

To ensure personnel and relevant interested parties are aware of and fulfil their information security responsibilities.

ISO 27002 Implementation Guidance

An information security awareness, education and training programme should be established in line with the organization’s information security policy, topic-specific policies and relevant procedures on information security, taking into consideration the organization’s information to be protected and the information security controls that have been implemented to protect the information. Information security awareness, education and training should take place periodically. Initial awareness, education and training can apply to new personnel and to those who transfer to new positions or roles with substantially different information security requirements. Personnel’s understanding should be assessed at the end of an awareness, education or training activity to test knowledge transfer and the effectiveness of the awareness, education and training programme.


Awareness

An information security awareness programme should aim to make personnel aware of their responsibilities for information security and the means by which those responsibilities are discharged. The awareness programme should be planned taking into consideration the roles of personnel in the organization, including internal and external personnel (e.g. external consultants, supplier personnel). The activities in the awareness programme should be scheduled over time, preferably regularly, so that the activities are repeated and cover new personnel. It should also be built on lessons learnt from information security incidents.
The awareness programme should include a number of awareness-raising activities via appropriate physical or virtual channels such as campaigns, booklets, posters, newsletters, websites, information sessions, briefings, e-learning modules and e-mails.
Information security awareness should cover general aspects such as:
a) management's commitment to information security throughout the organization;
b) familiarity and compliance needs concerning applicable information security rules and obligations, taking into account information security policy and topic-specific policies, standards, laws, statutes, regulations, contracts and agreements;
c) personal accountability for one's own actions and inaction, and general responsibilities towards securing or protecting information belonging to the organization and interested parties;
d) basic information security procedures (e.g. information security event reporting) and baseline controls (e.g. password security);
e) contact points and resources for additional information and advice on information security matters, including further information security awareness materials.

Education and training

The organization should identify, prepare and implement an appropriate training plan for technical teams whose roles require specific skill sets and expertise. Technical teams should have the skills for configuring and maintaining the required security level for devices, systems, applications and services. If there are missing skills, the organization should take action and acquire them. The education and training programme should consider different forms [e.g. lectures or self-studies, being mentored by expert staff or consultants (on-the-job training), rotating staff members to follow different activities, recruiting already skilled people and hiring consultants]. It can use different means of delivery including classroom-based, distance learning, web-based, self-paced and others. Technical personnel should keep their knowledge up to date by subscribing to newsletters and magazines or by attending conferences and events aimed at technical and professional improvement.

Other information

When composing an awareness programme, it is important not only to focus on the 'what' and 'how', but also the 'why', when possible. It is important that personnel understand the aim of information security and the potential effect, positive and negative, on the organization of their own behaviour. Information security awareness, education and training can be part of, or conducted in collaboration with, other activities, for example general information management, ICT, security, privacy or safety training.

All employees of the organization, and, where relevant, contractors and third-party users, should receive appropriate awareness training in, and regular updates of, organizational policies and procedures relevant to their job functions. Information security awareness, education, and training (IT security awareness) is the process of informing users about the importance of information security and encouraging them to improve their own security habits. Users must be made aware of the security risks that can arise from their activities and how they can protect themselves against these risks. Awareness, education, and training are critical components of any organization's success: all employees need to understand why information security matters and how it affects everyone, and the more they understand how to protect themselves and the organization from cyber threats, the more secure the organization will be.

The organization must ensure that information security awareness programs inform personnel of the existence and availability of current versions of the information security policy, standards, and procedures, and that awareness and procedures are reinforced by regular updates. Security reminder messages should be posted in secured areas and/or regularly communicated to personnel according to the intended audience and/or the classification of the notification. A copy of the information security policies should be issued to all new personnel as they join and to all existing personnel. Personnel should be made aware of the security classifications of the information assets they use, and should handle them appropriately. The control includes:

  • a formal induction process that includes information security training, prior to being granted access to information or information systems;
  • ongoing training in security control requirements, legal, regulatory and certification responsibilities, and correct procedures generally, suited to each person's roles and responsibilities;
  • periodic reminders that cover both general security topics and specific issues of relevance to the organization given its history of security incidents; and
  • other appropriate efforts to raise and maintain awareness of security issues.

In crafting a good security awareness training program, companies should emphasize to employees the criticality of protecting the organization and provide an overview of the corresponding corporate policies and procedures that cover how to work securely and whom to contact if they discover a potential threat. They should also tailor the program to reach employees at all levels and at different stages of their employment, to keep information security a top priority and to prevent any employee, whether brand new or decades in, from endangering the company. An effective training program reaches workers with varying degrees of technical aptitude and knowledge and with different learning styles. It should be multifaceted, with a collection of lessons and learning opportunities that engage everyone in the company regardless of knowledge level or learning style. Additionally, a comprehensive program has role-based content, delivering instructional material tailored to the needs of an employee's role, and even material tailored to third-party stakeholders such as business partners and contract workers, so that those individuals do not put the organization at risk.

The training content should range from written material to interactive online learning to gamified sessions so workers can access information in the formats they learn from best, whether text, audio, visual or hands-on. Content should include lessons with varying degrees of complexity so workers can access the most relevant information according to their roles. Follow-up and ongoing messaging reminds workers of the company's security policies; delivers short refreshers on how to identify and avoid security risks and violations, as well as how to handle possible security problems; and alerts them to emerging threats. Measuring and reporting worker involvement in training programs, as well as the effectiveness of the awareness training (for example completion rates, assessment scores, phishing-simulation click and report rates, and the number of suspicious events reported by staff), helps identify weaknesses in the program and areas in need of strengthening. A good training program typically has a mix of the following:

  • formal education, such as structured lessons and mandatory instruction;
  • informational learning opportunities, such as weekly emails containing tips, policy updates and security news updates;
  • experiential sessions and even gamification, where workers are required to work through simulations and scenarios to test their understanding and reinforce their training so they’re better prepared to handle real-world security challenges; and
  • security champions, workers who have become particularly skilled at understanding security and are willing to teach and promote security best practices among their colleagues.

The security awareness training program should be comprehensive, starting with rudimentary lessons and moving up to advanced material. It should also include an assessment process to help the organization identify a worker's level of security awareness and subsequently create a learning pathway for them. Additionally, organizational leaders need to consider, while developing the training program, that different roles within the organization face different risks and threats. For example, an entry-level employee with limited access to sensitive data and core IT systems likely encounters fewer risky scenarios than a high-level executive who works with the organization's proprietary information and financial systems, or a senior IT employee who is authorized to work on the core technologies that enable the business. Larger organizations with significant HR departments may be able to develop and deliver their own awareness training program, or at least supplement it with outside resources. Many organizations choose to outsource most or all of the training, however, considering this the most effective and efficient way to deliver the necessary education to their employees. Either way, organizational leaders should have mechanisms to measure whether the training is effective at both the enterprise level and the individual employee level.

Awareness and training should be ongoing within the enterprise. Ongoing training helps workers build a security mindset and stay vigilant, and gives the organization opportunities to educate workers on new policies and procedures and to alert them to the new and evolving threats and risks they may face. To achieve this, organizations should establish a schedule that determines what training to deliver to which employees and how frequently it must occur. Security awareness training should take place when a new employee joins the company, as part of a mandatory onboarding process. When assessments, evaluations or testing indicate a lapse in best practices, organizations should consider mandatory training for the whole enterprise or for the individual employees concerned. Many organizations use a learning management system to make training content easily and readily available to employees.
