Recommendations on Security Awareness and Training
1 - How do I get this going in my company?
The first thing you need to do is identify which competence gaps you have (i.e., which knowledge or skills your employees need to have). Some examples are:
- Use of passwords
- Backup operation
- Software installation and patching
- Performing internal audits
Second, you need to define the method to be applied: training sessions, workshops, newsletters? What will work best for your company? How often should they be performed (e.g., weekly, monthly, annually)?
After that, you need to evaluate whether these gaps can be filled by internal personnel or whether you will need external support.
Once you have these answers, you can start defining your training and awareness plan.
These articles will provide you with a further explanation about awareness:
- 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
This material will also help you regarding awareness:
- Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos covering various security-related topics.
2 - What will the auditor be looking for in this requirement?
For clause 7.2 (competence), the auditor will be looking for evidence that you have:
- determined which security competencies are necessary
- identified gaps in knowledge, skills, and/or experience in information security related to activities that employees need to perform (e.g., secure development skills for the development team)
- performed actions to fill those gaps (evidenced, e.g., by training attendance lists, certificates, etc.) and verified that those actions were effective.
For further information, see:
- What to look for when hiring a security professional https://advisera.com/27001academy/blog/2016/02/15/what-to-look-for-when-hiring-a-security-professional/
- Checklist of mandatory documentation required by ISO 27001:2013 (PDF) https://info.advisera.com/27001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-27001
Aug 20, 2021