ISO 27001 staff awareness training – meeting the requirements

ISO 27001 is the international standard that describes best practices for an information security management system (ISMS). It recognises that, although technological defences are essential, they will have limited use if staff don’t understand their information security responsibilities. After all, technology won’t help you if an employee leaves their password written down for anyone to see or misplaces a removable device.

The Standard therefore mandates that organisations cover information security issues at the employee level regularly and thoroughly.

What you should be doing

Best practice for staff awareness training follows a three-step process:

1) Identify what staff need to learn: sensitive information will be accessed and used in a variety of ways across your organisation. You need to account for each of these and make a note of the knowledge and skills that are required to stay secure.

2) Train your staff: what you teach your staff – and how those lessons are delivered – will depend on what they need to know. Organisations have several options, which are covered below.

3) Measure the training’s effectiveness: it’s no good training staff if they don’t retain the information. Any training course should conclude with some form of test to measure the outcome. Informal tests or interviews will suffice in most circumstances, but professional courses will typically end with a formal exam and the possibility of accredited certification.

How to deliver training

Effective staff awareness should begin with broad training courses that cover the essentials of any given topic. These don’t have to be particularly long – for example, our Information Security & ISO27001 Staff Awareness E-Learning Course can be completed in 45 minutes – but they should provide enough information to prevent staff from making basic mistakes.

The aim of these courses is to make sure employees realise that information security is everybody’s responsibility, and that there are simple things they should be doing that can significantly improve their organisation’s cyber security posture.

The courses can be delivered in-house or outsourced to a third party.

Organisations should also encourage staff to read more about ISO 27001. It will probably be hard to provide everyone with detailed guides on the Standard (although they will be very helpful for staff overseeing the ISMS’s implementation and maintenance), but at the very least, staff should be required to read the organisation’s information security policies and procedures. Much of this information will be included in employees’ contracts.

Those who require in-depth knowledge of ISO 27001 should commit to extended training sessions. The starting point for all prospective ISO 27001 project managers and auditors is the ISO27001 Certified ISMS Foundation Training Course, which explains:

  • The benefits of ISMS certification;
  • The core elements of an ISMS;
  • The key steps when planning an ISMS implementation project;
  • How to conduct an ISO 27001 risk assessment; and
  • ISO 27001’s Annex A controls.

Once you understand the essentials of the Standard, you can move on to more advanced courses. IT Governance offers a range of options for those looking to further their careers.