**Information security awareness, education and training**\\

^ Control type ^ Information Security Properties ^ Cybersecurity concepts ^ Operational capabilities ^ Security domains ^
| Preventative | Confidentiality\\ Integrity\\ Availability\\ | Protect | HR security | Governance and ecosystem |

**Definition**

Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training, and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function.

**General Guidance**

You are going to have to:

  * decide what information security training and awareness to do, based on organizational risk and needs
  * plan your training and awareness for the next 12 months
  * develop, build and implement your training and awareness materials
  * deliver your training and awareness to those that need it
  * verify that people understand it
  * keep records of all training and awareness

**Training requirements**

The list to consider including:

  * Leadership and management commitment to information security – it is top down after all
  * Requirements of relevant laws and regulations
  * People's own accountability and responsibility for information security
  * How to report an event or incident
  * Where the information security policies are
  * Who you speak to if you have a question on information security

**When to do information security awareness and training**

The guidance is "periodically", but the best approach is:

  * conduct annual awareness training in information security
  * conduct annual awareness training in data protection
  * conduct initial awareness training either pre-employment or as part of the onboarding process
  * as things change or new things are introduced, make people aware and train them
  * in response to incidents, and as part of continual improvement, you may require additional training or awareness

**Approaches to information security training**

Actual training is something you implement based on need. You identify who needs training and provide it to them. Some training is for everyone, and some training is a little more targeted and specific to certain people and roles. It is good practice to consider different types of training, such as:

  * emails
  * web pages
  * stand-up meetings
  * classroom based

Most people opt for an off-the-shelf training package that makes most of the problem go away.

//**There is a requirement to verify understanding, which most people interpret as taking a test of some sort. These are usually built into the off-the-shelf training packages.**//