Introduction
In this tutorial we are going to cover ISO 27001 Awareness.
You will learn
- What ISO 27001 Awareness is
- How to implement ISO 27001 Awareness
Watch
If you prefer to watch rather than read you can watch: How to Implement ISO 27001:2022 Clause 7.3 Awareness | Step-by-Step Guide
What is ISO 27001 Awareness?
Before we start, so we understand what the problem is and what it is we’re trying to tackle, I’m going to go through the definition for you. Then I’m going to give you the strategies, and then the implementation guide that shows you how to be successful.
So, we start off with the definition of ISO 27001 Clause 7.3 Awareness – persons doing work under the organisation’s control shall be aware of the information security policy, their contribution to the effectiveness of the information security management system, including the benefits of improving information security performance, and the implications of not conforming with information security management system requirements.
So, that is the definition.
Awareness
When it comes to awareness, awareness is going to be built into the organisational culture. It’s going to be built into the overall project and then it’s going to be built into the ongoing management of your information security management system (ISMS).
There are many different ways that you can approach this awareness and we will look at communication in ISO 27001 Clause 7.4 Communication but communication forms a big part of awareness.
What we need to put in place is our policy set: the high level information security policy and, underneath it, the topic specific policies. For this Clause specifically, the information security policy is the one that matters, because that is the document the standard says people must be aware of.
What we’re going to do is follow the guide ISO 27001 Policies and the other tutorials on the implementation of that policy, such as ISO 27001 Leadership and Commitment. We’re going to distribute the policy and put it in a place that is easily accessible. We’re going to communicate to people on a regular basis where it is, what it is and how it applies to them.
We’re going to include it in our training and our training modules, and we’re going to include an annual acknowledgement and sign off of that information security policy, because the Clause covers persons that work under the organisation’s control, not just employees.
We’re also going to ensure that the policy is shared with, and distributed to, any contractors, suppliers or third parties that are working with us, and embed that in our onboarding processes for them.
Communication
When it comes to communicating the effectiveness, the benefits and the non-conformity aspect, again there are a couple of ways that we can go about it.
The first is that every single policy has a policy compliance section at the end. So, every time somebody reads one of our policies they see the compliance section that sets out the consequences of not adhering to that policy.
What we need as part of our overall implementation is a tie in with our HR teams. We need to ensure that our disciplinary processes are aligned with our information security policies and that breaches of those policies are handled through HR. Information security isn’t going to run its own disciplinary process. We’re going to rely on the functions, professionals and processes that already exist and tie into those. Then we’re going to communicate that within the policy itself.
We’re then going to reinforce it through regular communication, which we cover in ISO 27001 Clause 7.4 Communication, and include it as part of our overall awareness campaigns.
Awareness campaigns can take many different forms: speeches, presentations, stand-up meetings, Town Hall meetings, annual meetings, quarterly meetings and team meetings. Every meeting that you have is an opportunity for you to raise awareness of information security.
You have formal meetings in place, things like audit committees and board meetings, and there are formal meetings that form part of ISO 27001 as well. In all of these you will be raising awareness and touching on the benefits of information security and the consequences of not following it.
We can see that there are lots of ways, and lots of opportunities, to raise awareness with our staff.
Annual Training
Finally, as part of that we also have our annual training. If I was going to say what the bare minimum is that you can get away with for this particular Clause, it is to execute your annual information security training.
Your training actually should continue throughout the year and should be based on risk. You should have modules that address specific risks, but at least annually you are going to be doing your overall information security awareness training.
You do it when you onboard, and you do it annually.
That would be the bare minimum evidence that you could show to comply with this particular Clause: showing that you communicated, that you trained people on information security and, ideally, that they took a test that demonstrates their understanding of what they have just read or been taken through.
My ISO 27001 Ninja top tip here is – get a tool. This is one of the areas where I would encourage you to get a tool. The reason is that they’re cost effective and they take care of all of the bureaucracy for you: the distribution of the content, the chasing up of people and the recording of the evidence that they did it. So, for me the bare minimum you need would be an information security training tool, and the bare minimum you need to pass this Clause will be to put everybody through that training.
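To make the evidence side of this concrete, here is an added example (not code from the tutorial or from the ISO 27001 Ninja templates) of the kind of check a training tool, or a simple script over its export, performs: for each person under the organisation’s control, it works out whether onboarding training, the annual refresher, the understanding test and the annual policy acknowledgement are in date, and lists who needs chasing. The 365-day refresher window and the 30-day onboarding grace period are assumptions chosen for the example, and the roster is constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy values for this example; set them to whatever your ISMS defines.
ANNUAL_WINDOW = timedelta(days=365)     # training and acknowledgement must be renewed within a year
ONBOARDING_GRACE = timedelta(days=30)   # new starters must complete within 30 days of onboarding


@dataclass
class Person:
    """One person doing work under the organisation's control (employee or contractor)."""
    name: str
    role: str                                   # "employee" or "contractor"
    onboarded: date
    last_training: Optional[date] = None        # most recent awareness training completion
    test_passed: bool = False                   # understanding test result for that training
    policy_acknowledged: Optional[date] = None  # most recent information security policy sign-off


def awareness_gaps(person: Person, as_of: date) -> List[str]:
    """Return the list of reasons this person is not currently compliant (empty if compliant)."""
    gaps: List[str] = []
    first_due = person.onboarded + ONBOARDING_GRACE

    # Annual awareness training: required at onboarding, then at least every ANNUAL_WINDOW.
    if person.last_training is None:
        if as_of > first_due:
            gaps.append(f"onboarding training not completed (was due by {first_due})")
    else:
        if as_of - person.last_training > ANNUAL_WINDOW:
            gaps.append(f"annual training overdue (last completed {person.last_training})")
        if not person.test_passed:
            gaps.append("training completed but understanding test not passed")

    # Annual acknowledgement of the information security policy, same cadence.
    if person.policy_acknowledged is None:
        if as_of > first_due:
            gaps.append(f"information security policy not acknowledged (was due by {first_due})")
    elif as_of - person.policy_acknowledged > ANNUAL_WINDOW:
        gaps.append(f"policy acknowledgement overdue (last signed {person.policy_acknowledged})")

    return gaps


def compliance_report(people: List[Person], as_of: date) -> Dict[str, List[str]]:
    """Map every person to their gaps; this is the evidence record an auditor would ask to see."""
    return {p.name: awareness_gaps(p, as_of) for p in people}


def chase_list(people: List[Person], as_of: date) -> List[str]:
    """Names that need chasing, i.e. anyone with at least one gap."""
    return sorted(name for name, gaps in compliance_report(people, as_of).items() if gaps)


# Constructed sample roster (not real people); contractors are included because the
# Clause covers everyone working under the organisation's control.
AS_OF = date(2024, 6, 1)
SAMPLE_PEOPLE = [
    Person("Alice", "employee", date(2021, 1, 10), date(2023, 9, 1), True, date(2023, 9, 1)),
    Person("Bob", "employee", date(2020, 3, 1), date(2023, 4, 15), True, date(2023, 4, 15)),
    Person("Carol", "contractor", date(2024, 5, 20)),          # onboarded 12 days ago, still in grace
    Person("Dave", "contractor", date(2024, 3, 1)),            # onboarded 92 days ago, never trained
    Person("Eve", "employee", date(2022, 2, 1), date(2024, 2, 1), False, date(2024, 2, 1)),
]

if __name__ == "__main__":
    for name, gaps in compliance_report(SAMPLE_PEOPLE, AS_OF).items():
        status = "OK" if not gaps else "; ".join(gaps)
        print(f"{name:6} {status}")
    print("Chase:", ", ".join(chase_list(SAMPLE_PEOPLE, AS_OF)))
```

Run as-is it prints one line per person and the chase list; in practice you would feed it the completion export from your training tool and keep the dated report as the evidence that the Clause was met.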
Think about ISO 27001 Clause 7.3 Awareness in its wider context. Think about all of the creative ways in which you can raise awareness of information security above and beyond the templates, the communication plans and the training.
What other creative ways can you find to go about it? And be sure to record evidence that you did it.
Conclusion
My name is Stuart Barker. I am the ISO 27001 Ninja. That was ISO 27001 Clause 7.3 Awareness and for today, until the next tutorial, peas out.