To ensure personnel and relevant interested parties are aware of and fulfil their information security responsibilities, you need to do several things. But of all the ISO27001 controls, this is possibly the most misunderstood and poorly executed controls within the entire list of 93 Annex A controls.  This is because there’s more to this control that first meets the eye.

What does the standard require?

The standard states that “Personnel of the organisation and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organisations information security policy, topic-specific policies and procedures, as relevant for their job function.” (A6.3 – Information security awareness, education and training).

Looking closely at this ISO27001 control you can see that the focus is on three topics;

• Awareness

• Education

• Training

These are three different, but inter-related topics, but each needs to be considered in relation to information security.

It may sound obvious, but you need to make people aware that a policy or procedure exists, but also educate them on why a policy or procedure is required. You might also educate people on specific information security related topics, such as phishing, or malware prevention. Finally, consider what training they need, which might include training on how to follow specific procedures. Training might also include formal training on information security controls, such as firewalls, networks, coding, and log management.

Finally, note that this control isn’t just about your personnel, it’s also about the interested parties you defined when putting your management system together. For example, this can include customers, contractors, regulators, and suppliers.

Why is this required?

Without being aware of your policies or other security requirements, personnel and interested parties won’t know what is expected of them, which could lead to a data breach further down the road.

We worked with a client that was repeatedly suffering from violations of its policies and procedures, because people didn’t know what they contained. Employees were repeatedly sending confidential data to the wrong recipients which was causing a lot of complaints, including complaints to the Information Commissioners Office (ICO).  We worked with the client to help;

• Make people aware of the procedures and where to find help

• Educated them on the importance of following the procedures

• Trained them on how to follow the procedures

By looking at all three aspects of the issue we were able to reduce incidents and saved the company a lot of money and improved their reputation with their clients.

What the auditor is looking for

The auditor will want to see that you have a process for managing awareness, education and training both internally and externally with interested parties.

Evidence can include

• Training records (including evidence of future training and attending training)

• Induction process that includes awareness, education and training

• Management Review Meetings

• Awareness, education and training materials (e.g. newsletters, videos, presentations)

• Contracts with suppliers that include Information Security (See A6.2 - Terms and conditions of employment for more information)

• Communication to interested parties about information security

• Privacy Notice on your website (making visitors aware of how you approach security)

Additionally, the auditor will want to see evidence that the organization updates and completes awareness, education, and training on an ongoing basis.   

What do you need to do?

Before we begin, please remember this is a big topic, so we should keep it simple. Start by focusing on making people aware of ISO27001 and where to find the policies and procedures they need in order to perform their role.

Ensure documentation they need is located somewhere personnel can easily find it, such as the employee handbook, on an intranet site or in a shared folder.  Ask the most senior person in your business to explain to personnel where to find the policies, and why they are there.  This is a great demonstration of leadership (for the management system), but also sends a strong message to your business.

Again, speak to your HR specialist about what training an education takes place in your business. If there a specific tool in place that includes mandatory training? Do you have a training programme for Health and Safety? Is this something you can replicate for Information Security?  Are there newsletters that you can contribute to? Are there ‘town hall’ or ‘All Hands’ meetings where everyone comes together, which you can provide regular updates to?

We suggest you sit with a spreadsheet and outline a comms plan which defines what you will communicate, when and to whom. It is also a good idea to identify what you want the outcome of the communication to be too. Do you want them to take action or simply to be aware?

As a minimum, make sure that some form of information security training is available in the induction process, so that new starters know where to find information they need, and why it’s important and relevant to their role. 

Keep in mind that Clause 7.3, of the Management System states that personnel doing work under the your control must be aware of:

1. the information security policy;

2. their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and

3. the implications of not conforming with the information security management system requirements.

There are so many different ways you can raise awareness, educate and train your personnel, and it depends on the culture of your business that will help determine the way to approach this topic.

This is a significant topic, so work with others in your business, including your Management Review Team (MRT) who can help you shape this awareness, training and education programme.

Q & A

How often do I need to do training?

ISO27001 doesn’t specify how often you should carry out awareness, education and training. However, ISO27002 states that “Information security awareness, education, and training should take place periodically”.

We would suggest that you consider doing something small and often, so that it isn’t forgotten. This is a better approach than running an annual awareness training day, which people are forced to attend.

Is there a way to get this wrong?

Sadly, yes.  If you make Information Security boring, people will disengage and you will fail.  Ok, so having all the evidence above will help you pass ISO27001 certification, but you will fail in terms of making your business more secure.  If you approach Information Security as if it’s a ‘necessary evil’ or say it’s ‘boring’ then those you wish to engage with will also feel the same. 

How many times did you sit down to watch a movie and hear the announcer say “Tonight's show is boring. But we need to do this…”?!  Would you watch? Would you engage? Of course not.

Now is the time to get creative. Make Information Security awareness, education and training something people enjoy – it is possible! If you don’t believe me, take a look at the last 3 James Bond movies – they are all about Cybersecurity and Data! Look at Netflix and see how many shows are related to online scammers and cyber.  Information Security is an incredibly important and interesting topic – don’t fall into the trap of telling people it’s not!

Difficulty rating

We rate this a 2.5 out of 5 difficulty rating. This shouldn’t be a hard control to implement, but it can be because it will require some creative thinking. It will require you to develop your presentation skills, as you’ll need to ‘sell’ Information Security into your business, and that doesn’t come naturally to many people. There is a lot to do in relation to this control, and we would urge you to research the topic further or get some help from Consultants Like Us.

More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.

For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”which is available on Amazon.