ISO 27001 Information Security Training Awareness Policy
The ISO 27001 Information Security Training Awareness Policy is the cornerstone of building a culture of information security in an organisation. It is also a requirement of the ISO 27001 standard.
In this guide you will learn what an ISO 27001 information security training awareness policy is and how to write it yourself, and I give you a template you can download and use right away.
Table of contents
- ISO 27001 Information Security Training Awareness Policy
- What is an ISO 27001 Information Security Training Awareness Policy?
- How to write an ISO 27001 Information Security Awareness and Training Policy
- ISO 27001 Security Awareness Training Policy Template
- ISO 27001 Information Security Training Awareness Policy Example
- Why do we need a policy?
- The ISO 27001 requirement for information security training and awareness
- How to implement effective ISO 27001 training and awareness
- ISO 27001 Information Security Training Awareness Policy FAQ
What is an ISO 27001 Information Security Training Awareness Policy?
The ISO 27001 Information Security Training Awareness Policy ensures that all employees receive appropriate awareness, education and training in all aspects of information security. It also ensures that they receive regular updates on the policies and procedures relevant to their role.
Consequently, putting in place a security awareness training program is one of the easiest and most important things that you can do.
Indeed, there are many providers of training software to choose from that can help you.
The information security training and awareness policy covers:
- New starters
- In-role employees
- Training plans
- Competency register
- Assessment
- Acceptance

How to write an ISO 27001 Information Security Awareness and Training Policy
Time needed: 1 hour and 30 minutes
- Create your version control and document mark-up
ISO 27001 documents require version control recording the author, the change, the date and the version, as well as document mark-up such as document classification.
- Write the policy purpose
The purpose of the Information Security Awareness Training policy is to protect against loss of data.
- Write the scope of the policy
It should apply to all employees and third-party staff working for your company. An example:
All employees and third-party users.
- Write the principle on which the policy is based
The principle of the Information Security Awareness Training policy is the confidentiality, integrity and availability of data. Accordingly, it is about the security and protection of confidential data. An example:
Management is committed to information security throughout the organisation and to awareness, training, and education.
- Write Information Security Awareness and Training Topics
Write a statement that lists the topics your plan will cover. Phishing, general security awareness and data protection are all good base topics to include. An example:
The topics covered:
– stating management’s commitment to information security throughout the organization
– the need to become familiar with and comply with applicable information security rules and obligations, as defined in policies, standards, laws, regulations, contracts, and agreements
– personal accountability for one’s own actions and inactions, and general responsibilities towards securing or protecting information belonging to the organization and external parties
– basic information security procedures (such as information security incident reporting) and baseline controls (such as password security, malware controls and clear desks)
– contact points and resources for additional information and advice on information security matters, including further information security education and training materials
- Describe what happens for new starters
New starters to the organisation will need training, so set out what they are trained on and when. An example:
Information Security training is provided to new starters before they are given access to systems that process, store or transmit confidential, personal or cardholder data.
The Information Security Policy is provided to new starters as part of the on-boarding process.
- Describe what happens for in-role employees
Training is not a one-and-done exercise, so the Information Security Awareness Training policy will cover continual training and annual re-acknowledgement. An example:
General Information Security training is conducted for employees at least annually.
Information Security awareness is provided throughout the year utilising a wide range of media and techniques.
Information Security training is provided when roles significantly change or access to data types changes, based on risk and the needs of the role.
- Implement a training and competency register
The standard and best practice require us to understand the competency of staff in relation to information security and any training requirements. Therefore, implement a competency matrix. An example:
A register of information security training and competency is maintained for employees.
- Create a training plan
To be effective, it is best to plan training throughout the year and follow the plan. An example:
A communication plan includes training and awareness campaigns for the year.
The training and awareness plan is based on legal and regulatory requirements, business need and risk.
- Include training assessment and acceptance
It is not enough to send out training; we also need to ensure people have understood it and accepted it. An example:
Employees are assessed on their understanding of information security and formally sign that they have received training.
- Define policy compliance
Provide for how compliance to the policy will be achieved.
ISO 27001 Security Awareness Training Policy Template
The ISO 27001 Security Awareness Training Policy Template is designed to fast-track your implementation and give you an exclusive, industry best-practice policy template that is pre-written and ready to go. It is included in the ISO 27001 toolkit.

ISO 27001 Information Security Training Awareness Policy Example
Below is an example ISO 27001 Information Security Training Awareness Policy.
Why do we need a policy?
What is the biggest security risk? When asked, most people will answer that it is people.
It isn’t people’s fault; people are busy.
Above all, we want to do the best job that we can.
As a result, doing the best job we can sometimes means cutting a few corners.
That is where an ISO 27001 Security Awareness Training Policy comes in.
We need to make people aware of the security risks in our organisation to better inform them. This will reduce risk and help them make the right decisions. As a result we want to formally train them with an information security overview and data protection training.
You cannot expect to achieve ISO 27001 certification without having staff who are part of that process.
The ISO 27001 requirement for information security training and awareness
ISO 27001 Clause 7.2 Competence
In the Essential Guide to ISO 27001 7.2 Competence we took a deep dive into the requirements for training as part of demonstrating competence. In summary:
The organisation shall:
a) determine the necessary competence of person(s) doing work under its control that affects its information security performance;
b) ensure that these persons are competent on the basis of appropriate education, training, or experience;
c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
d) retain appropriate documented information as evidence of competence.
ISO 27001 Clause 7.3 Awareness
In the Essential Guide to ISO 27001 7.3 Awareness we took a deep dive into what the actual requirement of the ISO 27001 standard is and how to comply with it. In summary the ISO 27001 standard states:
Persons doing work under the organisation’s control shall be aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
c) the implications of not conforming with the information security management system requirements.
ISO 27001 Annex A 6.3 Information security awareness, education and training
The updated control for Information Security training is now ISO 27001 Annex A 6.3 Information Security Awareness, Education and Training. The following is an extract:
Personnel of the organisation and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organisation’s information security policy, topic-specific policies and procedures, as relevant for their job function.
Information Security Culture
You will often hear the term ‘information security culture’ or having a ‘culture of information security’.
On the whole this just means having an awareness of the risks that are out there and of the simple measures you can take to protect yourself.
The policy is the company’s statement of what it is doing about training, so that it can demonstrate it is taking the subject seriously.
ISO 27001 Policies are statements of intent that describe what we do but not how we do it. If people want us to demonstrate what we are doing to ensure our staff are trained then they would look to this policy.
How to implement effective ISO 27001 training and awareness
When it comes to implementing effective ISO 27001 training and awareness into your organisation the following is considered best practice.
1. Write your information security training and awareness policy
You need an information security and awareness training policy that is based on the needs of the business, the risks that the business faces and that fully satisfies the requirements of ISO 27001 and ISO 27002. The quickest way is to download the ISO 27001 Security Awareness Training Policy Template.
2. Review and approve the policy
The policy should be reviewed and approved by senior management to ensure there is full buy-in and to make the policy as effective as possible. If you are doing an ISO 27001 implementation then the management review team will sign off the policy.
3. Communicate the policy to everyone
A policy is a statement of what you do for information security and what is expected. If you do not communicate it, people cannot be expected to know what is expected of them. How you communicate is down to the culture and communication style of the organisation, but getting confirmation from each person that they have read it, understand it and accept it is a key step. Be sure to update your communication plan so that the policy forms an appropriate part of your ongoing communication.
4. Have a communication plan
A communication plan is a plan for the year that covers:
- What we will communicate
- Who will communicate
- Who will they communicate it to
- How will they communicate it
- When will they communicate it
- Evidence that it was communicated
As above, the Information Security Awareness Training Policy is part of that plan, but the plan goes wider. Based on the risks to the business and the needs of the business, there are other communications that should be factored in to deliver further training and further awareness. You will want to communicate on topics such as data protection, you will want to have regular management review meetings, and you may have security operational meetings. Specific topics such as phishing attacks, backups and anti-virus may all require their own communication. Consider what is important and what is a risk, and let people know about it.

5. Implement Information Security Training
This is one of the few areas where a tool is highly recommended. You have to deliver specific training throughout the year on information security and data protection. Part of that training is ensuring that people understand what they have been trained in and keeping a record that the training took place. It can be done manually, but tools are designed to take care of this for you. They often come with pre-built modules and content so you don’t have to worry about it, they automate the process of getting people trained and of confirming understanding via quizzes and tests, and they include valuable reporting so you can track who has and who has not completed the training.
ISO 27001 Information Security Training Awareness Policy FAQ
Information security awareness covers communicating a basic understanding of information security issues, risks and threats. Markedly it is a more formal structured approach for staff. That is to say that it follows allocated and dedicated time to train on an aspect of information security with a test at the end to verify understanding. Additionally it covers the security measures that you are taking as well as the threats those measures address.
As a rule, yes, because a test is a way for the trainer to verify that the training was effective and that a basic level of understanding has been reached.
There are 2 reasons. Firstly to show that you have the required level of understanding as a result of the training materials. Secondly so that the company can evidence that it provided you with training and that you took it.
At least once every 12 months as a minimum, so information security training modules are taken on an annual basis. In addition, these are supplemented with training modules that are specific to your organisation and the risks it faces. Consequently, it is not unusual for these to include modules such as phishing, data protection and more.
The ISO 27001 Security Awareness Training Policy Template can be found at High Table: The ISO 27001 Company.
When starting with an organisation and at least every 12 months.
By having a communication plan and communication record for information security. Likewise by having a formal training plan with training records. Additionally you can consider a controlled phishing training campaign.
A great sample of the Information Security Training Policy can be downloaded from High Table: The ISO 27001 Company.
The purpose of security training is to make people aware of the security threats they face and what to do about them. The more informed people are, the more likely they are to be able to keep themselves and company data safe.
The world can be a very bad place, and people want what you have. Often you aren’t aware that what you have has any value. Nonetheless, to protect what is important to us, our data, our company data and our finances, it is important that we are aware of the risks we face so we can make informed choices about addressing them.
No, the principles are the same and the threats are the same. There may be slight differences in legal implementations and laws, but the basics of training are consistent across the globe.