
The ISO 27001 & ISO 22301 Blog

Dejan Kosutic

How to perform training & awareness for ISO 27001 and ISO 22301

Most of the information security/business continuity practitioners I speak with have the same problem: the employees in their companies don’t take them seriously – not only the top managers, but also their peers.

This is because employees usually do not understand what information security or business continuity is all about – in other words, you may have perfect policies and procedures, but simply pushing them to your internal email list won’t help. You need to explain to your colleagues why information security and business continuity are needed, and how to perform certain tasks – that is the main purpose of awareness and training.

The training cycle


Both ISO 27001 and ISO 22301 require you to deal with training in a systematic manner, i.e. to perform these steps:

Figure: The training cycle

  1. Define which knowledge and skills are required of each person who has a role in your information security management system (ISMS) or business continuity management system (BCMS) – basically, you need to go through every ISMS or BCMS document and note what knowledge and skills are required of each responsible person mentioned in the document.
  2. Perform trainings to reach the desired level of knowledge and skills – see below for methods.
  3. Measure whether each individual has achieved the desired level of knowledge and skills – through testing, interviews, etc. – and keep records of the results, because both standards require documented evidence of competence and a certification auditor will ask for it. Once you know where the gaps are, you start again with step #1.

And this is something that needs to be done continuously – either by the CISO / business continuity coordinator, or by the HR department.

Methods of training

Very often, the trainings are planned via the Training plan – for example, you can plan for the following:

Methods of awareness-raising

As opposed to trainings, which give an answer to the question “How?”, awareness must give an answer to the question “Why?” – that is, explain to your employees why they should accept information security or business continuity.

There are many methods you can use, for example:

  • Include employees in documentation development – before you publish the documents, ask your employees to give their inputs (see also: Seven steps for implementing policies and procedures).
  • Presentations – organize shorter meetings where you can explain what new policies and procedures are being published, ask your employees for opinions about them, clarify any misunderstandings.
  • Articles on your intranet or newsletter – simple stories (with as many examples as possible) that can help employees understand why information security / business continuity are important.
  • Discussions through internal forums – you can initiate and participate in concrete questions (and myths) arising from information security / business continuity.
  • E-learning – short online courses that both explain why these topics matter and train your employees in the procedures they have to follow.
  • Videos – a very powerful presentation method – you can distribute them via email, through the intranet, etc.
  • Occasional messages (via email or via your intranet) – can be used not only to distribute videos, but also to send relevant news and tips on information security / business continuity.
  • Gatherings – use some regular meetings that are organized in your company – e.g., parties, anniversaries, etc. to briefly present what you are doing and how it affects your colleagues.
  • And, above all – day-to-day in-person communication – everywhere you go, whomever you speak to – you have to sell the idea of information security / business continuity.

No matter which of these methods you use, the point is that you do them systematically – again, you should prepare some kind of a plan where you should define which of these methods you will perform, and how often.

The implementation myth

So, as I emphasized in the article The documentation myth – Why the templates are not enough?, simply writing the policies and procedures won’t be enough – you need awareness and trainings as the tool that enables the documentation to actually be implemented.

However, the timing here is also crucial: many companies make the mistake of publishing all of their documents at once. For example, if you publish 30 policies and procedures at the same time, then unfortunately, not even the best awareness programs can help you – your employees will (very correctly) start to think of your information security / business continuity as overkill.

Therefore, you have to publish your documentation gradually – the speed at which you publish new documents must not be the speed at which you develop them, but the speed at which your employees are able to accept them through your training and awareness programs.

See here a series of 25 free security awareness videos that can be easily understood by any employee in your company.


5 responses to “How to perform training & awareness for ISO 27001 and ISO 22301”

  1. Daniel Gnana says:

    Hello Dejan,
    where can I find any annals of the exam, otherwise where can I get exercises to warm up before the exam?
    Thanks for enlightening.

  2. not sure says:

    Why would anyone bother with this expensive and obscure cert? Is a $100,000 salary guaranteed?

  3. Ian C says:

    Not sure that I agree with your second paragraph. In my experience, the main reason that (some) staff don’t take Information Security seriously is because they never see any evidence of the need for it, or the results it achieves. (Unless their organisation suffers a major data breach!) Typically, new business wins are loudly trumpeted throughout an organisation; also, the opening of a new office or other major internal project successes. But how often do InfoSec teams publish details of the numbers/types of external attacks thwarted? How can they expect to be appreciated by ordinary employees, if no-one ever sees the evidence of their (successful) work?
