ISO 27001 training & awareness
Answer: It is enough for an employee to sign this document only once - i.e. when starting to work for the company.
Is it necessary to create job descriptions for each job title or is it enough to create training requirements for each job title?
Answer: Job descriptions are not required by ISO 27001, but it is required to define clear roles and responsibilities - this is done through every policy and procedure that you'll find in our toolkit.
ISO 27001 requires you to define required competences of every person that does work "that affects information security performance." So if some of these persons are not competent enough, then you'll send them on training.
Once everyone has been to the ISO 27001 awareness program, how often should employees reattend?
Answer: ISO 27001 does not require you to create ISO 27001 awareness programs, only security awareness - therefore, you do not have to explain the whole ISO 27001 standard in these awareness sessions, only the things that are the most important from the security point of view.
Again, the standard does not specify the frequency, so it is up to you to decide what is appropriate in your case (you don't want your employees to forget about security); usually this is done once a year.
These articles will help you:
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
- 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
So the training presentation in the toolkit regarding ISO 27001 is not required? If not when is it used?
Thanks!
Also does the statement of acceptance satisfy the requirement that all employees are aware of the info sec policy?
Thanks Again!
You can use the training presentation not for your all employees, but for the members of the project team that will be implementing ISO 27001.
Regarding the Statement of Acceptance - it is important to understand that the main point of ISO 27001 is not the documentation itself; it is about changing the way that the employees behave. Therefore, if your employees sign this statement but do not really know what the security policies are all about, then you have achieved nothing; you have to make sure they understand why these policies are needed and how to comply with them.
Aug 18, 2016