Expert Advice Community

ISO 27001 Security Awareness Training

Guest
John O'Doneely | Created: Apr 07, 2020 | Last commented: Apr 08, 2020

Hi,

Can your awareness training cover some of your controls without the need to document further? Say, for instance, I have a slideshow presentation and it covers media handling. Is it OK to say that the control is selected in the SoA and reference out to the training document?


Thank you,

Expert
Rhand Leal Apr 08, 2020

Yes, you do not need to document each and every control - in such cases, you will use awareness sessions and trainings to explain to your employees how particular security activities need to be done.

In the SoA you cannot simply refer to the Training Plan - you need to explain in a sentence or two how the control is implemented - e.g. "The data recorded on media must be encrypted."

Please note that some controls, when identified as applicable, require documentation (e.g., control A.9.1.1 - Access Control Policy).
