What is ISO 27001 Awareness?
ISO 27001 awareness is about communicating the requirements for information security to people in the organisation.
ISO 27001 expects that people in the organisation are aware of the information security policy and their contribution to the effectiveness of the information security management system. It wants people to know the benefits of improving information security performance and the implications of not conforming with information security management system requirements.
There are different techniques and approaches that can be used to make people aware and we will cover those below.
Approaches to awareness
Policies
Policies tell people what is expected of them. They are statements of what you do as an organisation and they guide people in how to approach key topics.
There are many policies in an organisation and the ones you will be most familiar with will be HR policies.
You can lean more about policies in this article, ISO 27001 Policies.
Policies will be structured in a way that explains what is expect and the consequences of not conforming to the requirements.
Operationally policies are placed somewhere that is easily accessible and then they are communicated to people on a regular basis. You tell people:
- where they are
- what they are
- how they apply to them.
Policies are included in training and training modules with an annual acknowledgement and sign off.
It is also required to ensure that policies are shared with, and distributed to any contractors, suppliers or third parties that are working with you.
Communication
There are several approaches that you can take to communication.
The first one being, in every single policy, it has within it at the end a policy compliance section. This means that every time someone reads one of our policies they have the compliance section at the end that talks about the consequences of not adhering to that policy.
Communication also requires a tie in with our HR teams to ensure that disciplinary processes are aligned with the information security policies and that breaches of those are aligned with HR processes. Information security isn’t going to run its own disciplinary process. It is going to rely on other functions, professionals, processes that exist and the communications for information security are going to tie into those.
Policies are going to be communicated. This is achieved via regular communication covered in ISO 27001 Clause 7.4 Communication.
Awareness Campaigns
Awareness campaigns can take many different forms. Examples of awareness campaigns include:
- stand-ups meetings
- speeches
- presentations
- Town Hall meetings
- annual meetings
- quarterly meetings
- team meetings.
All the meetings that you have are all opportunities for you to raise awareness of information security.
There are more formal meetings in place to consider
- audit committees
- board meetings
- management review meetings
- ISO 27001 project meetings
- ISO 27001 operational meetings
where you will be raising awareness and you will be touching on the topics of the benefits, and of the consequences of not following along with information security.
Here you can see that there are lots of ways that we can raise awareness and opportunities for raising awareness with our staff.
Annual Training
If I was going to say what is the bare minimum you need to do for awareness, then annual training would be it.
Training should actually continue throughout the year and it should be based on risk.
You should have modules that address the risks that you have but at least annually you are going to be doing overall information security awareness training.
There are two touch points for the annual training. You do it when you on board someone and you do it annually.
Evidence of training is required that shows that you trained people on information security and that they took a test that could demonstrate their understanding of what it is that they’ve just read or been taken through.
My ISO 27001 Ninja top tip here is – get a tool. This is one of the areas where I would encourage you to get a tool. The reason being that they’re cost effective and they take care of all of that bureaucracy for you, the distribution of the content, the chasing up of people, the recording of the evidence that they did it. For me I would say the bare minimum you need would be an information security training tool. The bare minimum you need to pass this requirement will be to put everybody through that training.
Think about ISO 27001 Clause 7.3 Awareness in its wider context. Think about all of the ways in which you can creatively raise awareness around information security above and beyond the templates, the communication plans and the training.
What are the other creative ways that you can go about that? And be sure to record evidence that you did it.