Guest user Created: Mar 30, 2022 Last commented: Mar 30, 2022

Security Awareness training - Compliance question

We have started to use Advisera security awareness training (currently subscribed to a Company account up to 50 users) and several of our employees who have been notified about the program, are still not registered or their status in overdue. In the light of the above, will that prevent us from being compliant to ISO 27001 (In that specific area)? Must all employees complete the program or is it enough to show there an ongoing activity?

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Mar 30, 2022

I’m assuming you refer to a certification audit situation.

Considering that, to be compliant with clauses 7.2 Competence and 7.3 Awareness you need to ensure that at least the personnel in the main roles related to information security (e.g., the CEO, the CISO, IT Head, IT staff, internal auditor, etc.) had performed their training and awareness activities and that there are no overdue activities (i.e., you do not need that all employees complete the program by the time of the certification audit, only to evidence that the program is ongoing).

This article will provide you with a further explanation about awareness and training:

How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Mar 30, 2022

Expert Advice Community