ISO 27001 Staff Security Awareness
Your scenario is not enough to be compliant with the standard, because it is not clear that you have identified the necessary competencies for awareness and training (i.e., which topics you need to cover; these are generally based on perceived risks, turnover rate, or legal requirements), and while you captured evidence of provision, it is not clear that the effectiveness of the actions taken is evaluated (e.g., by means of a test at the end of each session).
ISO 27001 does not prescribe the frequency of training, so organizations can define it according to their needs.
The standard also does not prescribe ways of delivering training and awareness, so organizations can define them according to their needs.
For further information, see:
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
This material will also help you regarding awareness and training:
- Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.
Apr 26, 2022