ISO 27001 Awareness Explained Simply


Introduction

In this tutorial we are going to cover ISO 27001 Awareness.

You will learn

  • What ISO 27001 Awareness is
  • How to implement ISO 27001 Awareness

Watch

If you prefer to watch rather than read you can watch: How to Implement ISO 27001:2022 Clause 7.3 Awareness | Step-by-Step Guide

What is ISO 27001 Awareness?

Before we start, so that we understand the problem we are trying to tackle, I’m going to go through the definition for you, then I’m going to give you the strategies, and then I’m going to give you the implementation guide to show you how to be successful.

So, we start off with the definition of ISO 27001 Clause 7.3 Awareness – persons doing work under the organisation’s control shall be aware of the information security policy, their contribution to the effectiveness of the information security management system, including the benefits of improving information security performance, and the implications of not conforming with information security management system requirements.

So, that is the definition.

Awareness

When it comes to awareness, awareness is going to be built into the organisational culture. It’s going to be built into the overall project and then it’s going to be built into the ongoing management of your information security management system (ISMS).

There are many different ways that you can approach awareness. We will look at communication in ISO 27001 Clause 7.4 Communication, but communication forms a big part of awareness.

What we need to put in place is our high level information security policy and, underneath that, our topic specific policies. For this Clause specifically, the document that matters is the information security policy.

We’re going to follow the guide ISO 27001 Policies and the other tutorials on implementing that policy, such as ISO 27001 Leadership and Commitment. We’re going to distribute the policy, put it in a place that is easily accessible, and communicate to people on a regular basis where it is, what it is and how it applies to them.

We’re going to include the policy in our training and our training modules, and we’re going to include an annual acknowledgement and sign-off of that information security policy, because the Clause covers all persons who work under the organisation’s control.

We’re also going to ensure that the policy is shared with, and distributed to, any contractors, suppliers or third parties that are working with us, and embed that in our onboarding processes for them.

Communication

When it comes to communicating the effectiveness, the benefits and the non-conformity aspect, again there are a couple of ways that we can go about it.

The first is that every single policy has a policy compliance section at the end. So, every time somebody reads one of our policies they see the compliance section that talks about the consequences of not adhering to that policy.

As part of our overall implementation we need a tie-in with our HR teams. We need to ensure that our disciplinary processes are aligned with our information security policies and that breaches of those policies are handled through HR. Information security isn’t going to run its own disciplinary process. We’re going to rely on the other functions, professionals and processes that already exist and tie into those. Then we’re going to state that within the policy itself.

We’re then going to reinforce that through regular communication, which we look at again in ISO 27001 Clause 7.4 Communication, and we’re going to include it as part of our overall awareness campaigns.

Awareness campaigns can take many different forms. They can be speeches or presentations delivered in stand-up meetings, Town Hall meetings, annual meetings, quarterly meetings and team meetings. All the meetings that you have are opportunities for you to raise awareness of information security.

You have formal meetings in place, things like audit committees and board meetings, and there are formal meetings that form part of ISO 27001 as well, where you will be raising awareness and touching on the benefits of information security and the consequences of not following it.

We can see that there are lots of ways that we can raise awareness and opportunities for raising awareness with our staff.

Annual Training

Finally, as part of that we also have our annual training. If I was asked what the bare minimum is that you can get away with for this particular Clause, it is to execute your annual information security training.

Your training should actually continue throughout the year and should be based on risk. You should have modules that address specific risks, but at least annually you are going to be doing your overall information security awareness training.

You do it when you onboard people, and you do it annually.

That would be the bare minimum evidence that you could show to comply with this particular Clause: that you communicated, that you trained people on information security and, ideally, that they took a test that demonstrates their understanding of what they have just read or been taken through.

My ISO 27001 Ninja top tip here is – get a tool. This is one of the areas where I would encourage you to get a tool. The reason being that they’re cost effective and they take care of all of that bureaucracy for you, the distribution of the content, the chasing up of people, the recording of the evidence that they did it. So, for me I would say the bare minimum you need would be an information security training tool. The bare minimum you need to pass this Clause will be to put everybody through that training.

Think about ISO 27001 Clause 7.3 Awareness in its wider context. Think about all of the ways in which you can creatively raise awareness around information security above and beyond the templates, the communication plans and the training.

What are the other creative ways that you can go about that? And be sure to record evidence that you did it.

Conclusion

My name is Stuart Barker. I am the ISO 27001 Ninja. That was ISO 27001 Clause 7.3 Awareness and for today, until the next tutorial, peas out.
