In A6.3 of the ISO27001 standard, there is a clear requirement for "Information security awareness, education and training".
In fact, the requirement of the standard states that
"Personnel of the organisation and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organisation's information security policy, topic-specific policies and procedures, as relevant for their job function."
But how much? And what first?!
These are questions that could easily be answered with “It depends”. But that would be far too easy, right?!
There are many aspects of ISO27001 that confuse people, but knowing what to do in relation to the training and awareness requirements is one that not only confuses people, it scares them too!
Before I discuss the needs of the standard in detail, please don't overcomplicate this topic.
There are plenty of FREE training resources around, such as those offered by the National Cyber Security Centre (NCSC), so check these out and see what you need.
I will also be discussing this control in a future blog post, where we will discuss what is needed and how to evidence that controls are in place.
Awareness, education and training
Within this crucial domain, there are three elements to consider: training, awareness, and education. While the terms are often used interchangeably, understanding their distinct roles and how they reinforce each other is key to building our defence against the threats and vulnerabilities we face.
Training equips individuals with the specific knowledge and practical skills to handle security-related situations effectively.
Think of it as arming your staff with the tools and techniques to identify phishing emails, configure secure passwords, or respond to data breaches. It could also be very specific training for your development team on how to review code for bugs, threats and vulnerabilities.
It's hands-on, targeted, and often role-specific, providing the know-how to navigate security challenges encountered in daily work.
The UK Government has provided some great FREE resources specifically on Cyber Security for businesses.
Awareness is about raising general consciousness of information security risks and threats. It paints a broader picture, emphasizing the importance of data protection, the prevalence of cyberattacks, and the potential consequences of security negligence.
Think of it as a constant drumbeat reminding everyone that security is not an IT issue, but a shared responsibility across the organization.
Education is about cultivating a deeper understanding of the principles and concepts underlying information security. It delves into the "why" behind secure practices, exploring cyber threats in detail, analysing incident case studies, and promoting critical thinking about security protocols.
This fosters a long-term commitment to security, not just compliance, empowering individuals to make informed decisions and adapt to evolving threats.
Why is this important?
Consider the analogy of a castle under siege. Training equips the guards with the weapons and tactics to repel immediate attacks. Awareness acts as the lookout, sounding the alarm and keeping everyone vigilant. Education, however, empowers the castle builders to understand the vulnerabilities in the fortress walls, constantly update defenses, and build a more resilient structure in the long run.
The differences between these elements also shape their implementation:
Training tends to be targeted and shorter-term, focusing on specific skills like password management or incident response procedures.
Awareness campaigns are broader and ongoing, utilizing posters, internal communication channels, and regular security newsletters.
Education often takes the form of workshops, seminars, and even university-level courses, providing a deeper theoretical and practical understanding of security concepts.
But their true power lies in synergy:
Awareness can motivate individuals to seek training: When people understand the importance of security, they're more likely to actively participate in training programs.
Training reinforces awareness: Practical skills learned in training solidify the abstract concepts presented in awareness campaigns.
Education informs both training and awareness: A strong foundation in security principles guides the development of effective training programs and awareness campaigns.
By neglecting any one of these elements, your security posture remains vulnerable. A trained but unaware employee might still fall victim to phishing attacks. An aware but untrained individual might lack the skills to handle a security incident effectively. And an educated but untrained or unaware workforce might not see the practical application of their knowledge.
Knowledge is NOT power.
There is a LOT to this topic that we can't include here, but if you want to know more you can go to our FAQ page for more information on the standard. Or simply get in touch to have a free consultation where we'll help you identify areas to improve.
Just keep in mind that by investing in all three areas of this control, you can cultivate a security-conscious culture. You'll empower your employees to become active defenders, and build a resilient information security landscape that can withstand even the most sophisticated attacks.
Knowledge is NOT power. It is latent possibility. Knowing and not doing, or not applying, isn't much use to anyone!