information_security_awareness_education_and

Information security awareness, education and training

Control type	Information Security Properties	Cybersecurity concepts	Operational capabilities	Security domains
Preventative	Confidentiality Integrity Availability	Protect	HR security	Governance and ecosystem

Definition

Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organizations information security policy, topic-specific policies and procedures, as relevant for their job function.

General Guidance

You are going to have to:

decide what information security training and awareness to do based on organization risk and needs
plan your training and awareness for the next 12 months
develop, build and implement your training and awareness materials
deliver your training and awareness to those that need it
verify that people understand it
keep records of all training and awareness

Training requirements

The list to consider including:

Leadership and management commitment to information security – it is top down after all
Requirements of relevant laws and regulations
People’s own accountability and responsibility for information security
How to report an event of incident
Where the information security policies are
Who you speak to if you have a question on information security

When to do information security awareness and training

The guidance is periodically but the best approach is:

conduct annual awareness training in information security
conduct annual awareness training in data protection
conduct initial awareness training either pre employment or as part of the onboarding process
as things change or new things are introduced make people aware and train them
in response to incidents and as part of continual improvement you may require additional training or awareness

Approaches to information security training

Actual training is something you implement based on need. You identify who needs training and provide it to them. Some training is for everyone, and some training is a little more targeted and specific to certain people and roles.

It is good practice to consider different types of training, such as

emails,
web pages,
stand up meetings,
classroom based

most people opt for an off the shelf training package that makes most of the problem go away.

There is a requirement to verify understanding that most people interpret as taking a test of some sort. These are usually built into the off the shelf training packages.