Options for delivering NIS 2, DORA, and ISO 27001 training

All cybersecurity standards and regulations, including NIS 2, DORA, and ISO 27001, require companies to deliver continuous training and awareness for their employees. Some of them, like NIS 2 and DORA, require all company employees, including senior management, to be included in such training.

So, what are the most effective and efficient ways to deliver company-wide training?

Company-wide compliance training for, e.g., NIS 2, DORA, and ISO 27001, can be delivered in three different ways: (a) instructor-led classroom training, (b) instructor-led online training, or (c) pre-recorded online training via LMS.

To learn which training topics to include, see these articles: How to organize DORA training and awareness and How to perform training and awareness according to NIS 2.

Options for delivering company-wide training

Essentially, you have three potential options for delivering training to a group of people:

1) Instructor-led in-classroom training

This is the traditional way of delivering training — you place everyone in a room, and the instructor presents all the relevant topics face to face. This enables attendees to ask questions and allows for some interactivity through shorter workshops, but organizing such training is difficult.

Pros:

  • Training can be adapted according to the needs of the company
  • Higher engagement

Cons:

  • Probably the most expensive
  • Cannot be delivered very often
  • Hard to deliver separate training for different target groups

2) Instructor-led online training

This is similar to instructor-led in-classroom training; the main difference is that there is no physical classroom — the training is delivered through online tools like MS Teams, Zoom, or similar. Attendees can still ask questions, and short workshops can still be organized. Organizing such training is easier, but there are still challenges because all attendees must be present at the same time.

Pros:

  • Training can be adapted according to the needs of the company
  • Easier to organize than in-classroom training

Cons:

  • Lower engagement, because attendees tend to ask fewer questions through online tools
  • All attendees must be present at the same time

3) Pre-recorded online training delivered via learning management system (LMS)

This approach is different from the first two options — here, all the videos are pre-recorded and uploaded to LMS software that distributes the videos to attendees and tracks their attendance (and test results, if needed). This rules out direct engagement with the instructor (although some AI solutions are now addressing this problem), but organizing such training is far easier.

Pros:

  • Easy tracking of attendance and test results
  • Employees can watch videos at their convenience
  • The most budget-friendly option

Cons:

  • Attendees cannot ask questions, at least not directly to the instructor

Which option to choose?

The choice really depends on the type of training:

Regular vs. one-time training. If the training happens only once, then instructor-led classroom training or instructor-led online training is something that can be organized, as opposed to training that needs to be delivered regularly (e.g., monthly, quarterly, annually). For such regular training, pre-recorded online training via LMS is a more appropriate solution.

Required engagement. If the training covers some very in-depth topics that require high engagement with the instructor, then instructor-led classroom training or instructor-led online training is probably a better solution. If the training covers some more general topics that do not require high engagement, then pre-recorded online training via LMS will be a more practical solution.

Number of attendees. If the training involves a smaller group of people, then instructor-led classroom training or instructor-led online training will be manageable. If the training involves a larger number of people, then pre-recorded online training via LMS will be easier.

Time zones. If all attendees are in the same time zone, then instructor-led classroom training or instructor-led online training will be feasible; however, if the attendees are scattered across different time zones, pre-recorded online training via LMS is a more viable solution.

A mixed approach might work the best

Ultimately, you might end up with a mix of the approaches described above — for selected employees that require one-time training with in-depth knowledge, you might go with instructor-led training, whereas for regular training that has to be delivered to a larger number of employees and that does not go into too much depth, pre-recorded online training via LMS will probably do a good job.

To see examples of pre-recorded online training programs, sign up for a free trial of the Company Training Account to access a series of videos that are designed for company-wide ISO 27001 and NIS 2 training.

Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001, NIS 2, and DORA expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.