High Table ISO 27001 Logo

ISO 27001 Awareness – Tutorial

Home / ISO 27001 Tutorials / ISO 27001 Awareness – Tutorial
ISO 27001 Awareness Tutorial

Introduction

In this tutorial we are going to cover ISO 27001 Awareness.

You will learn

  • What it is ISO 27001 Awareness
  • How to implement ISO 27001 Awareness

Table of contents

ISO 27001 Awareness

When it comes to awareness, ISO 27001 expects that people doing work under the organisations control to be aware of the information security policy and their contribution to the effectiveness of the information security management system. It wants people to know the benefits of improving information security performance and the implications of not conforming with information security management system requirements.

Implementation Guide

Policies

Awareness is going to be built into the organisational culture. It’s going to be built into the overall project and then it’s going to be built into the ongoing management of your information security management system (ISMS).

There are many different ways that you can approach this awareness. Communication plays a part and we will look at communication in ISO 27001 Clause 7.4 Communication.

You are going to need policies. Policies tell people what is expected of them and what you do.

You will put in place an information security management policy. This is supplemented by topic specific policies.

For policies you can lean more and follow the guide ISO 27001 Policies

Policies are placed somewhere that is easily accessible and then they are communicated to people on a regular basis. You tell people:

  • where they are
  • what they are
  • how they apply to them.

Policies are included in training and training modules with an annual acknowledgement and sign off.

It is also required to ensure that policies are shared with, and distributed to, any contractors, suppliers or third parties that are working with us.

Communication

There are several approaches that you can take to communication.

The first one being, in every single policy, it has within it at the end a policy compliance section. This means that every time someone reads one of our policies they have the compliance section at the end that talks about the consequences of not adhering to that policy.

Communication also requires a tie in with our HR teams to ensure that disciplinary processes are aligned with the information security policies and that breaches of those are aligned with HR processes. Information security isn’t going to run its own disciplinary process. It is going to rely on other functions, professionals, processes that exist and the communications for information security are going to tie into those.

Policies are going to be communicated. This is achieved via regular communication covered in ISO 27001 Clause 7.4 Communication.

Awareness Campaigns

Awareness campaigns can take many different forms. Examples of awareness campaigns include:

  • stand-ups meetings
  • speeches
  • presentations
  • Town Hall meetings
  • annual meetings
  • quarterly meetings
  • team meetings.

All the meetings that you have are all opportunities for you to raise awareness of information security.

There are more formal meetings in place to consider

  • audit committees
  • board meetings
  • management review meetings
  • ISO 27001 project meetings
  • ISO 27001 operational meetings

where you will be raising awareness and you will be touching on the topics of the benefits, and of the consequences of not following along with information security.

Here you can see that there are lots of ways that we can raise awareness and opportunities for raising awareness with our staff.

Annual Training

If I was going to say what is the bare minimum you need to do for awareness, then annual training would be it.

Training should actually continue throughout the year and it should be based on risk.

You should have modules that address the risks that you have but at least annually you are going to be doing overall information security awareness training.

There are two touch points for the annual training. You do it when you on board someone and you do it annually.

Evidence of training is required that shows that you trained people on information security and that they took a test that could demonstrate their understanding of what it is that they’ve just read or been taken through.

My ISO 27001 Ninja top tip here is – get a tool. This is one of the areas where I would encourage you to get a tool. The reason being that they’re cost effective and they take care of all of that bureaucracy for you, the distribution of the content, the chasing up of people, the recording of the evidence that they did it. For me I would say the bare minimum you need would be an information security training tool. The bare minimum you need to pass this requirement will be to put everybody through that training.

Think about ISO 27001 Clause 7.3 Awareness in its wider context. Think about all of the ways in which you can creatively raise awareness around information security above and beyond the templates, the communication plans and the training.

What are the other creative ways that you can go about that? And be sure to record evidence that you did it.

DO IT YOURSELF ISO 27001

All the templates, tools, support and knowledge you need to do it yourself.

The Ultimate ISO 27001 Toolkit
ISO 27001 Toolkit Business Edition

ISO 27001 Awareness – Training Video

If you prefer to watch rather than read you can watch: How to Implement ISO 27001:2022 Clause 7.3 Awareness | Step-by-Step Guide