
Expert Advice Community


Question about training

Guest user Created:   Jul 12, 2021 Last commented:   Jul 12, 2021


1 - I wanted to know for the Security Awareness Training, if we have our own training, can this be used and we just have to log when the training was completed? Who should participate in the training as all employees take this training.

2 - It's from a site KnowBe4. I wanted to know for this part can our employees use this site or they have to use your site for ISO? Do we have to show who has had training?

Expert
Rhand Leal Jul 12, 2021

1 - I wanted to know for the Security Awareness Training, if we have our own training, can this be used and we just have to log when the training was completed? Who should participate in the training as all employees take this training.

You can have your own training, but you need more than a log of when the training was completed. You need to identify the training content and results achieved (e.g., who has participated, by means of attendance lists, who was approved, by means of exam results or certificates, etc.). In your toolkit, you have a Training and Awareness plan, located in folder 9 Training and awareness, that will help log all information you need to be compliant with ISO 27001 related requirements.

Regarding who needs to participate, you need to identify which security competencies need to be fulfilled, so you can identify who needs them. These are the people who need to attend the activities.

For example, if you need to fulfill a gap related to clean desk and clean screen, maybe all employees in the scope will need this one. On the other hand, if you need to fulfill a gap in network security, maybe only IT personnel need to attend the activity.

For further information, see:

2 - It's from a site KnowBe4. I wanted to know for this part can our employees use this site or they have to use your site for ISO? Do we have to show who has had training?

ISO 27001 does not prescribe how to perform awareness and training, so organizations can use their own training/awareness material, use a training provider, or adopt a mix of these approaches.

Regarding training providers, you can use anyone you see fits your needs.

Regarding records to be kept, the same records you keep when you perform training by yourself need to be kept.
