How to perform training & awareness for ISO 27001 and ISO 22301
Most of the information security/business continuity practitioners I speak with have the same problem: the employees in their companies don’t take them seriously – not only the top managers, but also their peers.
This is because employees usually do not understand what information security or business continuity is all about – in other words, you may have perfect policies and procedures, but simply pushing them out to your internal email list won’t help. You need to explain to your colleagues why information security and business continuity are needed, and how to perform certain tasks – that is the main purpose of awareness and training.
The training cycle
- Define which knowledge and skills are required for particular personnel who have a role in your information security management system (ISMS) or business continuity management system (BCMS) – basically, you need to go through every ISMS or BCMS document and see what knowledge and skills are required of every responsible person mentioned in the document.
- Perform trainings to reach the desired level of knowledge and skills – see below for methods.
- Measure whether each individual has achieved the desired level of knowledge and skills – through testing, interviews, etc. Once you know where the gaps are, start again with step #1.
This is something that needs to be done continuously – either by the CISO / business continuity coordinator, or by the HR department. Keep records of which trainings were performed and what the measurements showed: both ISO 27001 and ISO 22301 require evidence of competence, and this is exactly what an auditor will ask for.
Methods of training
Very often, the trainings are planned via the Training plan – for example, you can plan for the following:
- Courses – see this article for more information: How to learn about ISO 27001 and BS 25999-2.
- Reading literature – there are many information security and business continuity books available, as well as magazines.
- Participating in expert forums on the Internet – in some of those you can get very concrete answers to your questions – for example, Expert Advice Community or ISO 27001 security.
- In-house trainings – delivered either by in-house experts, or by hiring consultants, certification bodies or similar.
Methods of awareness-raising
As opposed to trainings, which give an answer to the question “How?”, awareness must give an answer to the question “Why?” – that is, explain to your employees why they should accept information security or business continuity.
There are many methods you can use, for example:
- Include employees in documentation development – before you publish the documents, ask your employees to give their inputs (see also: Seven steps for implementing policies and procedures).
- Presentations – organize shorter meetings where you can explain what new policies and procedures are being published, ask your employees for opinions about them, clarify any misunderstandings.
- Articles on your intranet or newsletter – simple stories (with as many examples as possible) that can help employees understand why information security / business continuity are important.
- Discussions through internal forums – you can raise concrete questions (and myths) about information security / business continuity and take part in the discussion that follows.
- E-learning – you can create short online trainings that explain the significance of these topics, as well as train your employees.
- Videos – they are a very powerful presentation method – you can distribute them via email, through the intranet, etc.
- Occasional messages (via email or via your intranet) – can be used not only to distribute videos, but also to send relevant news and tips on information security / business continuity.
- Gatherings – use some regular meetings that are organized in your company – e.g., parties, anniversaries, etc. to briefly present what you are doing and how it affects your colleagues.
- And, above all – day-to-day in-person communication – everywhere you go, whomever you speak to – you have to sell the idea of information security / business continuity.
No matter which of these methods you use, the point is that you do them systematically – again, you should prepare some kind of a plan where you should define which of these methods you will perform, and how often.
The implementation myth
As I emphasized in the article The documentation myth – Why the templates are not enough?, simply writing the policies and procedures won’t be enough – you need awareness and training as the tool that gets the documentation actually implemented.
However, the timing here is also crucial: many companies make the mistake of publishing all of their documents at once. For example, if you publish 30 policies and procedures at the same time, then unfortunately, not even the best awareness programs can help you – your employees will (very correctly) start to think of your information security / business continuity as overkill.
Therefore, you have to publish your documentation gradually: the pace at which you publish new documents must not be the pace at which you develop them, but the pace at which your employees can absorb them through your training and awareness programs.
See here a series of 25 free security awareness videos that can be easily understood by any employee in your company.