ISO 27001 Security Awareness Training
Hi,
Can your awareness training cover some of your controls without the need to document them further? Say, for instance, I have a slideshow presentation and it covers media handling. Is it OK to say that the control is selected in the SoA and reference out to the training document?
Thank you,
Yes, you do not need to document each and every control - in such cases, you will use awareness sessions and trainings to explain to your employees how particular security activities need to be done.
In the SoA you cannot simply refer to the Training Plan - you need to explain in a sentence or two how the control is implemented - e.g. "The data recorded on media must be encrypted."
Please note that some controls, when identified as applicable, require documentation (e.g., control A.9.1.1 - Access Control Policy).
Apr 08, 2020