Expert Advice Community

ISO 27001 training vs awareness

Guest user Created:   Jan 13, 2016 Last commented:   Jan 13, 2016

I’ve a question concerning clause 5.1.1 - more specifically, about information security awareness, education and training. This can, I realise, be specific to an organisation; however, my concern refers to the ‘training’ aspect vs. awareness and education. We have been giving awareness and education sessions, but the training aspect I believe is something more in-depth. Does this mean establishing more physical awareness, e.g. mock phishing attacks, leaving USB sticks (etc.) around the office to see who picks them up and who plugs them in, etc.?
DejanK Jan 13, 2016

We have a couple of staff members that have quite a few opinions that we are not ‘training' anybody, just making them aware, which for the most part, I agree with.

Answer:

From the ISO 27001 perspective, training is education - this means during the training you provide additional knowledge and skills to your employees. Example of training is ISO 27001 Lead Implementer Course.

As opposed to trainings, which give an answer to the question “How?”, awareness must give an answer to the question “Why?” – that is, explain to your employees why they should accept information security or business continuity rules.

You'll learn more here: How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

By the way, clause 5.1.1 from ISO 27001:2013 does not speak about training and awareness - this is specified in clauses 7.2, 7.3 and control A.7.2.2.
