I've a question concerning the clause 5.1.1 - more specifically, about the Information security awareness, education and training. This can, I realise, be specific to an organisation; however, my concern refers to the training aspect vs. awareness and education. We have been giving awareness and education sessions, but the training aspect I believe is something more in-depth. Does this mean establishing more physical awareness, e.g. mock phishing attacks, leaving USB sticks (etc. etc.) around the office to see who picks them up and who plugs them in, etc.?
ISO 27001 or ISO 27018?
I have been working very extensively on the marketing of the ISO27K and the advantages it can offer to businesses in Australia.