Legal requirements and security awareness
Although the call was very interesting for us, some new questions are still emerging and we would like to get support via email. I will start with two questions:
1. When I'm looking at my suppliers and they only have EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield accreditations for information privacy, is that enough to assure compliance with ISO 27001? And what about SOC 2 and SOC 3?
Answer: Considering ISO 27001, your suppliers need to be compliant with the legal requirements your own organization must be compliant with regarding information security, if they will have access to information in the scope of your ISMS. Considering that, if your organization must be compliant with SOC2 and SOC3, and your suppliers will have access to information related to these two requirements, then your suppliers will also have to be compliant with SOC2 and SOC3. If this is not the case, then your suppliers do not need to be compliant with such legal requirements.
2. Now talking about security awareness for all employees, is the confirmation that all employees watched a series of security awareness videos (like the ones in Advisera eTraining) enough for being compliant with ISO 27001 A.7.2.2?
Answer: Regarding awareness, a confirmation that an employee has watched security awareness videos will be sufficient to comply with control A.7.2.2. But you must note that this control also covers training and education, and for these, evaluations of improvement after the training or education activities are also required.
This article will provide you with further explanation about awareness and training:
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
Jun 25, 2019