ISO 27001:2022 A.6.3 Information security awareness, education and training

This article provides additional information on how you can meet the requirements of ISO 27001:2022 control A.6.3, Information security awareness, education and training.

ISO 27001:2022 Control Description

Personnel of the organisation and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organisation's information security policy, topic-specific policies and procedures, as relevant for their job function.

Purpose

To ensure that staff and relevant interested parties are aware of and fulfil their information security responsibilities.

Guidance on implementation

An information security awareness, education, and training programme should be established in accordance with the organisation’s information security policy, topic-specific policies, and relevant procedures on information security. This programme should consider the information to be protected and the information security controls implemented to safeguard it.

Information security awareness, education, and training should occur periodically. Initial awareness, education, and training should be provided to new staff and those who move to new positions or roles with significantly different information security requirements.

Staff's understanding should be assessed at the conclusion of awareness, education, or training activities to evaluate knowledge transfer and the effectiveness of the programme.

Awareness

An information security awareness programme should aim to make staff aware of their responsibilities and how to fulfil them.

The awareness programme should be planned with consideration of the roles of staff in the organisation, including both internal and external staff (e.g. external consultants, supplier staff). Awareness activities should be scheduled regularly to ensure they are repeated and cover new staff, and should incorporate lessons learned from information security incidents.

The programme should include various awareness-raising activities through appropriate physical or virtual channels such as campaigns, booklets, posters, newsletters, websites, information sessions, briefings, e-learning modules, and emails.

Information security awareness should address general aspects such as:

a) Management's commitment to information security throughout the organisation;

b) Familiarity with and compliance requirements concerning applicable information security rules and obligations, including information security policies, topic-specific policies, standards, laws, statutes, regulations, contracts, and agreements;

c) Personal accountability for one's own actions and inactions, and general responsibilities for securing or protecting information belonging to the organisation and interested parties;

d) Basic information security procedures (e.g. information security event reporting) and baseline controls (e.g. password security);

e) Contact points and resources for additional information and advice on information security matters, including further awareness materials.

Education and Training

The organisation should identify, develop, and implement an appropriate training plan for technical teams whose roles require specific skill sets and expertise. Technical teams should possess the skills needed to configure and maintain the required security level for devices, systems, applications, and services. If there are gaps in skills, the organisation should take action to address them.

The education and training programme should consider various methods (e.g. lectures, self-study, mentoring by expert staff or consultants (on-the-job training), staff rotation for different activities, recruiting skilled individuals, and hiring consultants). It may utilise different delivery methods including classroom-based, distance learning, web-based, and self-paced formats. Technical staff should keep their knowledge current by subscribing to newsletters and magazines or by attending conferences and events aimed at technical and professional development.

Other Information

When designing an awareness programme, it is important to focus not only on the ‘what’ and ‘how’ but also on the ‘why’ whenever possible. It is crucial for staff to understand the purpose of information security and the potential effects—both positive and negative—of their actions on the organisation.

Information security awareness, education, and training can be integrated with or conducted alongside other activities, such as general information management, ICT, security, privacy, or safety training.