Table of contents
- What is the ISO 27001 Information Security Training Policy?
- ISO 27001 Security Awareness Training Policy Template
- Why do we need a policy?
- The ISO 27001 requirement for information security training and awareness
- ISO 27001 Information Security Training Policy Example
- How to write an information security awareness and training policy
- How to implement effective ISO 27001 training and awareness
- Awareness and Training Policy Mapped to ISO 27001 Controls
- Information Security Training Policy FAQ
In this ultimate guide to ISO 27001 Security Awareness and Training I am going to cover:
- the 2022 update to the ISO 27001 standard and what has changed for security awareness
- the basics of what the policy is
- what the policy should include
- how you can create the policy yourself from scratch
- answers to common questions
- how to implement effective training and awareness in your organisation
- a simple yet effective ISO 27001 Security Awareness Training policy template that you can download and use immediately.
I show you exactly what changed in the ISO 27001:2022 update.
I am Stuart Barker the ISO 27001 Ninja and this is the ultimate guide to the ISO 27001 Security Awareness Training Policy.
What is the ISO 27001 Information Security Training Policy?
The purpose of the ISO 27001 Security Awareness Training Policy is to ensure all employees receive appropriate awareness education and training in all aspects of information security. It ensures that they get regular updates in policies and procedures that are relevant to their role.
Consequently putting in place a security awareness training program is one of the easiest and most important things that you can do.
Indeed, there are many providers of training software to choose from that can help you.
The information security training and awareness policy covers:
- New starters
- In role employees
- Training plans
- Competency register
ISO 27001 Security Awareness Training Policy Template
Wish there was a quicker way to complete your ISO 27001 Security Awareness Training Policy? There is. In fact, I’ve written it for you. (Thank me later!) Save yourself 8 hours of work …
Why do we need a policy?
What is the biggest security risk? When asked most people will answer that it is people.
It isn’t people’s fault as people are busy.
Above all we want to do the best job that we can do.
As a result sometimes doing the best job we can do means cutting a few corners.
That is where an ISO 27001 Security Awareness Training Policy comes in.
We need to make people aware of the security risks in our organisation to better inform them. This will reduce risk and help them make the right decisions. As a result we want to formally train them with an information security overview and data protection training.
You cannot expect to achieve ISO 27001 certification without having staff who are part of that process.
The ISO 27001 requirement for information security training and awareness
ISO 27001 Clause 7.2 Competence
In the Essential Guide to ISO 27001 7.2 Competence we took a deep dive into the requirements for training as part of demonstrating competence. In summary:
The organisation shall:
a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.
ISO 27001 Clause 7.3 Awareness
In the Essential Guide to ISO 27001 7.3 Awareness we took a deep dive into what the actual requirement of the ISO 27001 standard is and how to comply with it. In summary the ISO 27001 standard states:
Persons doing work under the organisation’s control shall be aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
c) the implications of not conforming with the information security management system requirements.
ISO 27001 Annex A 6.3 Information security awareness, education and training
The updated control for Information Security training is now ISO 27001 Annex A 6.3 Information Security Awareness, Education and Training. The following is an extract:
Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function.
Information Security Culture
You will often hear the term ‘information security culture’ or having a ‘culture of information security’.
On the whole this just means having an awareness of the risks that are out there and what simple measures you can do to protect yourself.
The policy is the company’s statement about what it is doing about training with the result that it can demonstrate that it is taking it seriously.
ISO 27001 Policies are statements of intent that describe what we do but not how we do it. If people want us to demonstrate what we are doing to ensure our staff are trained then they would look to this policy.
ISO 27001 Information Security Training Policy Example
You can download the free ISO 27001 Information Security Training Policy Example PDF and view an extract below.
How to write an information security awareness and training policy
It is straightforward to write the policy yourself. Make sure to include the following points and topics:
Create your version control and document mark-up
ISO 27001 documents require version control of the author, the change, the date and the version as well as document mark up such as document classification.
Write the document purpose
The purpose of the Information Security Awareness Training policy is to protect against loss of data.
Write the scope of the policy
It should really apply to all employees and third party staff working for your company.
Write the principle on which the policy is based
The principle of the Information Security Awareness Training policy is the confidentiality, integrity and availability of data. Accordingly it is about the security and protection of confidential data.
Write Information Security Awareness and Training Topics
Write a statement that lists out the topics that your plan will cover. Phishing, general security awareness and data protection are all good base topics to include.
Describe what happens for new starters
New starters to the organisation will need training, so set out what training they receive and when.
Describe what happens for in role employees
Training is not a one and done, so the Information Security Awareness Training policy will cover continual training and annual re-acknowledgement.
Have a training and competency register
The standard and best practice require us to understand the competency of staff in relation to information security and any training requirements. Therefore implement a Competency Matrix.
Have a training plan
To be effective it is best to plan training throughout the year and follow the plan.
Cover assessment and acceptance
It is not enough to send out training, we also need to ensure people have understood it and accepted it.
Define policy compliance
Provide for how compliance with the policy will be achieved.
How to implement effective ISO 27001 training and awareness
When it comes to implementing effective ISO 27001 training and awareness the following is considered best practice.
Write your information security training and awareness policy
You need an information security and awareness training policy that is based on the needs of the business, the risks that the business faces and that fully satisfies the requirements of ISO 27001 and ISO 27002. The quickest way is to download the Training and Awareness Policy Template.
Review and approve the policy
The policy should be reviewed and approved by senior management to ensure there is full buy in and to make the policy as effective as possible. If you are doing an ISO 27001 implementation then the management review team will sign off the policy.
Communicate the policy to everyone
A policy is a statement of what you do for information security and what is expected. If you do not communicate it then people cannot be expected to know what is expected of them. How you communicate is down to the culture and communication style of the organisation, but getting confirmation from each person that they have read it, understand it and accept it is a key step. Be sure to update your communication plan so that the policy forms an appropriate part of your ongoing communication.
Have a communication plan
A communication plan is a plan for the year that covers:
- What we will communicate
- Who will communicate
- Who will they communicate it to
- How will they communicate it
- When will they communicate it
- Evidence that it was communicated
As above, the Information Security Awareness Training Policy is part of that plan, but the plan goes wider. Based on the risks to the business and the needs of the business there are other communications that should be factored in to deliver further training and further awareness. You will want to communicate on topics such as data protection, you will want to have regular management review meetings, and you may have security operational meetings. Specific topics such as phishing attacks, backups and anti-virus may all require their own communication. Consider what is important, what is a risk, and let people know about it.
Implement Information Security Training
This is one of the few areas where a tool is highly recommended. You have to implement specific training throughout the year on information security and data protection. Part of that training is ensuring that people understand what they have been trained in and keeping a record that the training took place. It can be done manually, but tools are designed to take care of this for you. They often come with prebuilt modules and content so you don’t have to worry about it, they automate the process of getting people trained and of getting confirmation of understanding via quizzes and tests, and they include valuable reporting so you can track who has and who has not completed the training.
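The record keeping described above (who has taken which module, whether they passed the test, and whether the annual renewal is overdue) is what a competency register has to answer. The following is an added example, not code from the article or from High Table; it assumes a simple in-memory register of training records, a constructed set of required modules, and the 12-month renewal rule the article states. All names, dates and the `TODAY` reporting date are constructed sample data.

```python
"""Competency register check: who is current, overdue, failed or untrained.

Added example (not the article's own material). Assumes:
- REQUIRED_MODULES: the base topics the article suggests (constructed list)
- a register row per (person, module) attempt with a pass/fail test result
- RENEWAL_DAYS = 365: training is re-taken at least once in every 12 months
"""
from datetime import date

RENEWAL_DAYS = 365  # "at least once in every 12 months"

# Constructed: the base topics the policy plan covers.
REQUIRED_MODULES = ("general security awareness", "phishing", "data protection")

# Constructed register. A person with no rows at all is a new starter.
REGISTER = [
    {"person": "alice", "module": "general security awareness", "completed": date(2024, 1, 15), "passed": True},
    {"person": "alice", "module": "phishing", "completed": date(2024, 1, 15), "passed": True},
    {"person": "alice", "module": "data protection", "completed": date(2024, 1, 16), "passed": True},
    {"person": "bob", "module": "general security awareness", "completed": date(2022, 6, 1), "passed": True},
    {"person": "bob", "module": "phishing", "completed": date(2024, 3, 1), "passed": False},
    {"person": "carol", "module": "general security awareness", "completed": date(2024, 2, 1), "passed": True},
    {"person": "carol", "module": "phishing", "completed": date(2024, 2, 1), "passed": True},
    {"person": "carol", "module": "data protection", "completed": date(2023, 5, 1), "passed": True},
]
PEOPLE = ("alice", "bob", "carol", "dave")  # dave has no records: new starter
TODAY = date(2024, 6, 1)  # constructed reporting date

# Worst-first ordering used when summarising a person across modules.
_RANK = {"current": 0, "overdue": 1, "failed": 2, "missing": 3}


def module_status(person, module, register, today):
    """Status of one person on one module, judged on their latest attempt."""
    attempts = [r for r in register if r["person"] == person and r["module"] == module]
    if not attempts:
        return "missing"  # never trained on this module
    latest = max(attempts, key=lambda r: r["completed"])
    if not latest["passed"]:
        return "failed"  # understanding not verified by the test
    if (today - latest["completed"]).days > RENEWAL_DAYS:
        return "overdue"  # annual re-acknowledgement has lapsed
    return "current"


def training_report(people, register, today, required=REQUIRED_MODULES):
    """Per person: worst status across required modules and the modules needing action."""
    report = {}
    for person in people:
        statuses = {m: module_status(person, m, register, today) for m in required}
        worst = max(statuses.values(), key=lambda s: _RANK[s])
        gaps = sorted(m for m, s in statuses.items() if s != "current")
        report[person] = {"overall": worst, "gaps": gaps}
    return report


def new_starters(people, register):
    """People with no training records at all: they need induction training."""
    trained = {r["person"] for r in register}
    return sorted(p for p in people if p not in trained)


def completion_rate(report):
    """Fraction of people fully current: the headline figure for management review."""
    current = sum(1 for v in report.values() if v["overall"] == "current")
    return current / len(report) if report else 0.0


if __name__ == "__main__":
    rep = training_report(PEOPLE, REGISTER, TODAY)
    for person, row in rep.items():
        print(f"{person:6} {row['overall']:8} gaps={row['gaps']}")
    print("new starters:", new_starters(PEOPLE, REGISTER))
    print(f"completion rate: {completion_rate(rep):.0%}")
```

The register itself is the "documented information as evidence of competence" that Clause 7.2 asks you to retain; the report is what you would take to a management review, and the `gaps` list per person is the input to next year's training plan.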
Awareness and Training Policy Mapped to ISO 27001 Controls
ISO 27001 Annex A / ISO 27002:2022
- ISO 27001:2022 Annex A 5 Organisational Controls
- ISO 27001:2022 Annex A 5.1 Policies for information security
- ISO 27001:2022 Annex A 5.36 Compliance with policies, rules, and standards for information security
- ISO 27001:2022 Annex A 5.4 Management Responsibilities
- ISO 27001:2022 Annex A 6 People Controls
- ISO 27001:2022 Annex A 6.3 Information security awareness, education, and training
- ISO 27001:2022 Annex A 6.4 Disciplinary process
Information Security Training Policy FAQ
Information security awareness covers communicating a basic understanding of information security issues, risks and threats. Markedly it is a more formal structured approach for staff. That is to say that it follows allocated and dedicated time to train on an aspect of information security with a test at the end to verify understanding. Additionally it covers the security measures that you are taking as well as the threats those measures address.
As a rule, yes, because a test is a way for the trainer to verify that the training was effective and a basic level of understanding has been reached.
There are 2 reasons. Firstly to show that you have the required level of understanding as a result of the training materials. Secondly so that the company can evidence that it provided you with training and that you took it.
At least once in every 12 months as a minimum. So information security training modules are taken on an annual basis. In addition these are supplemented with training modules that are specific to your organisation and the risks it faces. Subsequently it is not unusual for these to include modules such as Phishing, Data Protection and more.
The information security awareness and training policy template can be found at High Table: The ISO 27001 Company.
When starting with an organisation and at least every 12 months.
By having a communication plan and communication record for information security. Likewise by having a formal training plan with training records. Additionally you can consider a controlled phishing training campaign.
A great sample of the Information Security Training Policy can be downloaded from High Table: The ISO 27001 Company.
The purpose of security training is to make people aware of the security threats that they face and what to do about them. The more informed people are, the more likely they are to be able to keep themselves and company data safe.
The world can be a very bad place and people want what you have. Generally there are times you aren’t aware that what you have has any value. Nonetheless to protect what is important to us, our data, our company data and our finances it is important that we are aware of the risks we face so we can make informed choices about addressing them.
No, the principles are the same and the threats are the same. Given these points there may be slight differences in legal implementations and laws but the basics of training are consistent across the globe.