In this article we lay bare the ISO27001 Security Awareness Training Policy, exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO27001 certification. We also show you exactly what changed in the ISO27001:2022 update.
Table of contents
- Introduction
- What is the ISO27001 Information Security Training Policy?
- ISO27001 Security Awareness Training Policy Template
- Fully Populated
- Why do we need a policy?
- The ISO27001 requirement for information security training and awareness
- ISO27002 Clause 6.3 Information security awareness, education and training
- Do it yourself
- SAVE over £10,000
- FREE 30 minute ISO27001 strategy session.
- Information Security Training Policy FAQ
- How to write an information security awareness and training policy
- How to implement effective ISO27001 training and awareness
- Awareness and Training Policy Mapped to ISO27001 Controls
- See Also
- Reference
Introduction
Hello, I am Fay and in this essential guide to ISO27001 Security Awareness and Training I am going to cover
- the 2022 update to the ISO27001 standard and what has changed for security awareness
- the basics of what the policy is
- what the policy should include
- how you can create the policy yourself from scratch
- answers to common questions
- how to implement effective training and awareness in your organisation
- a simple yet effective policy template that you can download and use immediately.
What is the ISO27001 Information Security Training Policy?
The ISO27001 Security Awareness Training Policy exists to ensure that all employees receive appropriate awareness education and training in all aspects of information security, and that they get regular updates on the policies and procedures relevant to their role.
Consequently putting in place a security awareness training program is one of the easiest and most important things that you can do.
Indeed, there are many providers of training software to choose from that can help you.
The information security training and awareness policy covers new starters, in-role employees, training plans, a competency register, assessment and acceptance.
ISO27001 Security Awareness Training Policy Template
Fully Populated
Why do we need a policy?
What is the biggest security risk? When asked most people will answer that it is people.
It isn’t people’s fault: people are busy, and above all they want to do the best job they can. Sometimes doing the best job they can means cutting a few corners.
That is where an ISO27001 Security Awareness Training Policy comes in.
We need to make people aware of the security risks in our organisation so that they are better informed. This reduces risk and helps them make the right decisions. As a result we formally train them with an information security overview and data protection training.
You cannot expect to achieve ISO27001 certification without staff who are part of that process. The policy therefore addresses:
- New starters
- In role employees
- Training plans
- Competency register
- Assessment
- Acceptance
The ISO27001 requirement for information security training and awareness
In the Essential Guide to ISO27001 7.3 Awareness we took a deep dive into what the actual requirement of the ISO27001 standard is and how to comply with it. In summary the ISO27001 standard states:
Persons doing work under the organisation’s control shall be aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
c) the implications of not conforming with the information security management system requirements.
ISO27002 Clause 6.3 Information security awareness, education and training
ISO27001, the international standard for information security, also includes an Annex A, a list of controls that an organisation must consider and, where applicable, implement, justifying any exclusions in its Statement of Applicability. In 2022 the list of controls in ISO27001 Annex A / ISO27002 changed. The updated control for information security training is now:
Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function.
Information Security Culture
You will often hear the term ‘information security culture’ or having a ‘culture of information security’.
On the whole this just means having an awareness of the risks that are out there and what simple measures you can do to protect yourself.
The policy is the company’s statement of what it does about training, and it lets the company demonstrate that it takes training seriously.
Policies are statements of intent that describe what we do but not how we do it. If someone asks us to demonstrate what we are doing to ensure our staff are trained, this policy is where they would look.
Do it yourself
SAVE over £10,000
ISO27001 The International Standard for Information Security
ISO27001 is the international standard for information security management. You can learn more about the ISO27001 policies in our ISO27001 Policies Ultimate Guide and see how they are implemented in our detailed, step by step, video guides on How to Implement ISO27001.
We cover how it fits into the information security management system in the ISO27001 Templates Documents Ultimate Guide.
FREE 30 minute ISO27001 strategy session.
Claim your 100% FREE no-obligation 30 minute strategy session call (£1000 value). This is strictly for small businesses who are hungry to get ISO27001 certified up to 10x faster and 30x cheaper.
Information Security Training Policy FAQ
Information security awareness covers communicating a basic understanding of information security issues, risks and threats. Information security training, by contrast, is a more formal, structured approach for staff: allocated and dedicated time to train on an aspect of information security, with a test at the end to verify understanding. It covers the security measures you are taking as well as the threats those measures address.
As a rule, yes: a test is the way for the trainer to verify that the training was effective and that a basic level of understanding has been reached.
There are two reasons. Firstly, to show that you have reached the required level of understanding from the training materials. Secondly, so that the company can evidence that it provided you with training and that you took it.
At least once every 12 months. Information security training modules are therefore taken annually and supplemented with modules specific to your organisation and the risks it faces, so it is not unusual for these to include modules such as phishing and data protection.
The information security awareness and training policy template can be found here: https://hightable.io/product/information-security-awareness-and-training-policy-template/
When starting with an organisation and at least every 12 months.
By having a communication plan and a communication record for information security, and likewise a formal training plan with training records. Additionally you can consider a controlled phishing training campaign.
A great sample of the Information Security Training Policy can be downloaded from the template: https://hightable.io/product/information-security-awareness-and-training-policy-template/
The purpose of security training is to make people aware of the security threats they face and what to do about them. The more informed people are, the more likely they are to be able to keep themselves and company data safe.
The world can be a very bad place and people want what you have. Often you aren’t even aware that what you have has any value. To protect what is important to us, our data, our company data and our finances, we need to be aware of the risks we face so we can make informed choices about addressing them.
No. The principles and the threats are the same everywhere. There may be slight differences in laws and how they are implemented locally, but the basics of training are consistent across the globe.
How to write an information security awareness and training policy
It is straightforward to write the policy yourself. Make sure to include the following points and topics:
Create your version control and document mark-up
ISO27001 documents require version control of the author, the change, the date and the version as well as document mark up such as document classification.
Write the document purpose
The purpose of the Information Security Awareness Training policy is to protect against loss of data.
Write the scope of the policy
It should apply to all employees and to third party staff working under your organisation’s control.
Write the principle on which the policy is based
The principle on which the Information Security Awareness Training policy is based is the confidentiality, integrity and availability of data: it is about the security and protection of confidential data.
Write Information Security Awareness and Training Topics
Write a statement that lists the topics your plan will cover. Phishing, general security awareness and data protection are all good base topics to include.
Describe what happens for new starters
New starters to the organisation will need training, so set out what they will be trained on and when.
Describe what happens for in role employees
Training is not a one-off, so the Information Security Awareness Training policy should cover continual training and annual re-acknowledgement of the policy.
Have a training and competency register
The standard and best practice require us to understand the competency of staff in relation to information security and any training requirements. Therefore implement a Competency Matrix.
Have a training plan
To be effective it is best to plan training throughout the year and follow the plan.
Cover assessment and acceptance
It is not enough to send out training, we also need to ensure people have understood it and accepted it.
Define policy compliance
Provide for how compliance with the policy will be achieved.
How to implement effective ISO27001 training and awareness
When it comes to implementing effective ISO27001 training and awareness the following is considered best practice.
Write your information security training and awareness policy
You need an information security and awareness training policy that is based on the needs of the business, the risks that the business faces and that fully satisfies the requirements of ISO27001 and ISO27002. The quickest way is to download the Training and Awareness Policy Template.
Review and approve the policy
The policy should be reviewed and approved by senior management to ensure there is full buy-in and to make the policy as effective as possible. If you are doing an ISO27001 implementation then the management review team will sign off the policy.
Communicate the policy to everyone
A policy is a statement of what you do for information security and what is expected. If you do not communicate it, people cannot be expected to know what is expected of them. How you communicate is down to the culture and communication style of the organisation, but getting confirmation from each person that they have read it, understand it and accept it is a key step. Be sure to update your communication plan so that the policy forms an appropriate part of your ongoing communication.
Have a communication plan
A communication plan is a plan for the year that covers
- What we will communicate
- Who will communicate
- Who will they communicate it to
- How will they communicate it
- When will they communicate it
- Evidence that it was communicated
As above, the Information Security Awareness Training Policy is part of that plan, but the plan goes wider. Based on the risks to the business and the needs of the business there are other communications that should be factored in to deliver further training and awareness. You will want to communicate on topics such as data protection, you will want to hold regular management review meetings, and you may have security operational meetings. Specific topics such as phishing attacks, backups and anti-virus may all require their own communication. Consider what is important, what is a risk, and let people know about it.
Implement Information Security Training
This is one of the few areas where a tool is highly recommended. You have to deliver specific training throughout the year on information security and data protection. Part of that is ensuring that people understand what they have been trained in and keeping a record that the training took place. It can be done manually, but tools are designed to take care of this for you. They often come with prebuilt modules and content so you don’t have to worry about it, they automate assigning training to people and collecting confirmation of understanding via quizzes and tests, and they include valuable reporting so you can track who has and who has not completed the training.
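The reporting that a tool gives you is, at bottom, a check of a training register against the rules this page sets out: every required module passed and acknowledged at least once every 12 months, and new starters trained when they join. The following is an added example written for this article, not code from the page or from any training product, showing how that check can be run over a register so you can evidence who is compliant and who is not. The register, the people in it, the 30-day induction window, the 80% pass mark and the role-to-module mapping are all constructed assumptions for illustration; only the 12-month refresh and the "train new starters" rule come from the text.

```python
"""Check a security awareness training register for ISO27001-style gaps.

Rules taken from the policy text: each required module must be passed and
acknowledged at least once every 12 months; new starters must be trained on
joining. Everything else (pass mark, induction window, role mapping, sample
people) is an assumption made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

REFRESH_PERIOD = timedelta(days=365)    # from the page: at least once every 12 months
NEW_STARTER_GRACE = timedelta(days=30)  # assumption: deadline for induction training
PASS_MARK = 80                          # assumption: minimum assessment score, in percent

# Base topics named on the page apply to everyone; role-specific modules are an assumption.
REQUIRED_MODULES = {
    "all": ["security_awareness", "data_protection", "phishing"],
    "developer": ["secure_development"],
}


@dataclass
class TrainingRecord:
    module: str
    completed: date
    score: int          # assessment result, percent
    acknowledged: bool  # the person confirmed they understood and accept the content


@dataclass
class Person:
    name: str
    role: str
    start_date: date
    records: list[TrainingRecord]


def required_for(role: str) -> list[str]:
    return REQUIRED_MODULES["all"] + REQUIRED_MODULES.get(role, [])


def module_status(person: Person, module: str, today: date) -> str:
    """Status of one module for one person: 'ok' or a description of the gap."""
    attempts = [r for r in person.records if r.module == module]
    passed = [r for r in attempts if r.score >= PASS_MARK and r.acknowledged]
    if passed:
        # A later failed re-take does not erase an earlier valid pass; the clock
        # runs from the most recent pass.
        latest = max(r.completed for r in passed)
        due = latest + REFRESH_PERIOD
        return "ok" if today <= due else f"overdue (was due {due.isoformat()})"
    if attempts:
        # Attempted, but never both passed the test and accepted the content.
        if all(r.score < PASS_MARK for r in attempts):
            return "failed assessment"
        return "not acknowledged"
    deadline = person.start_date + NEW_STARTER_GRACE
    if today <= deadline:
        return f"induction due by {deadline.isoformat()}"  # new starter, still in window
    return "missing"


def check_person(person: Person, today: date) -> dict[str, str]:
    return {m: module_status(person, m, today) for m in required_for(person.role)}


def non_compliant(people: list[Person], today: date) -> list[str]:
    """Names with at least one gap. A new starter inside the induction window is not a gap."""
    def is_gap(status: str) -> bool:
        return status != "ok" and not status.startswith("induction due")
    return [p.name for p in people if any(is_gap(s) for s in check_person(p, today).values())]


# Constructed sample register (not real people or real training data).
TODAY = date(2024, 6, 1)
SAMPLE_PEOPLE = [
    Person("alice", "developer", date(2021, 3, 1), [
        TrainingRecord("security_awareness", date(2023, 9, 15), 90, True),
        TrainingRecord("data_protection", date(2023, 9, 15), 88, True),
        TrainingRecord("phishing", date(2023, 1, 10), 85, True),  # more than 12 months ago
        TrainingRecord("secure_development", date(2024, 2, 1), 95, True),
    ]),
    Person("bob", "sales", date(2020, 1, 15), [
        TrainingRecord("security_awareness", date(2024, 3, 1), 95, True),
        TrainingRecord("data_protection", date(2024, 3, 1), 60, True),  # below pass mark
        # no phishing record at all
    ]),
    Person("carol", "developer", date(2024, 5, 20), []),  # joined 12 days ago, nothing yet
]

if __name__ == "__main__":
    for person in SAMPLE_PEOPLE:
        for module, status in check_person(person, TODAY).items():
            print(f"{person.name:6} {module:20} {status}")
    print("non-compliant:", ", ".join(non_compliant(SAMPLE_PEOPLE, TODAY)))
```

Running it lists each person's modules with a status and then the names that need chasing: alice for the stale phishing module, bob for a failed data protection test and a phishing module he has never taken, while carol is still inside her induction window and so is reported but not counted as non-compliant. The per-record dates and scores are the evidence an auditor asks for; the status strings are the management report.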
Awareness and Training Policy Mapped to ISO27001 Controls
ISO27001:2022
ISO27001 Annex A / ISO27002:2022
- ISO27002:2022 Clause 5 Organisational Controls
- ISO27002:2022 Clause 5.1 Policies for information security
- ISO27002:2022 Clause 5.4 Management responsibilities
- ISO27002:2022 Clause 5.36 Compliance with policies, rules and standards for information security
- ISO27002:2022 Clause 6 People Controls
- ISO27002:2022 Clause 6.3 Information security awareness, education and training
- ISO27002:2022 Clause 6.4 Disciplinary process
See Also
- The Ultimate Reference Guide to ISO27001 Policies
- Guaranteed ISO27001 Certification up to 10x Faster and 30x Cheaper
- The Ultimate ISO27001 TOOLKIT so you can do it yourself
- ISO27001 Exposed: The facts you must know (Not knowing these could cost you $10,000s!)
- 25 Things You Must Know Before Going for ISO27001 Certification (Number 3 will blow your mind!)