Expert Advice Community

Guest
Guest user. Created: Jan 26, 2022. Last commented: Jan 26, 2022

ISMS

One important part of the ISMS is the employees' internal security awareness training. I see that you propose free security awareness training on your website.

1 - Is this sufficient during an ISO 27001 certification external audit to prove that *** took the necessary actions with regards to training internal employees?

2 - Is there any way to prove the employees have effectively followed your training? Something like a completion certificate?

3 - Would you recommend additional steps?


Expert
Rhand Leal Jan 26, 2022

1 - Is this sufficient during an ISO 27001 certification external audit to prove that *** took the necessary actions with regards to training internal employees?

Please note that the security awareness training on our website focuses on regular users and general information security knowledge. In case you have specific security technical/management needs (e.g., secure development techniques or security strategy planning) this training won’t be sufficient.

Considering that, you first need to identify which information security competency gaps you need to treat, so you can evaluate whether our training will cover all your needs or whether you need to complement it.

This article will provide you with a further explanation about awareness and training:

2 - Is there any way to prove the employees have effectively followed your training? Something like a completion certificate?

Through the paid version of our security awareness training program, you can export the progress report and track which employees already attended the training and their results.

When using the free version, you can create quizzes to apply to employees who have taken the training to evaluate their learning.

3 - Would you recommend additional steps?

The steps provided in the Training and awareness plan template included in your toolkit are enough to be compliant with the standard.

Common approaches for information security awareness are training sessions, the use of newsletters, the use of video tutorials, and meetings between management and staff, which should be performed on a regular basis.

Regarding content, please note that you will have different publics with different interests:

  • Top management needs to make decisions over issues that many times are not so clear for them, and they do not need deep knowledge about the technicalities of security issues (they will be more concerned about how it impacts the business). In these cases, your awareness should be focused on the decisions they need to make.
  • Technical personnel with operational responsibilities for security need deep knowledge of technologies, methodologies, and processes, so your awareness should be focused on the procedures and rules they need to follow.
  • Overall personnel need a basic understanding of security, to properly identify, report, and react to risky situations. In these cases, your awareness should be focused on examples and how to proceed according to the policies and procedures.