How you can meet ISO 27001’s staff awareness training requirements

Staff awareness training an essential component of ISO 27001, the international standard for information security. Any organisation that wants to certify to the Standard needs to complement its technological defences and information security policies with a comprehensive awareness programme. 

What you should be doing 

There are three steps that all organisations should follow: 

1) Identify what staff need to learn: sensitive information is accessed and used in a variety of ways. You need to account for each of these and make a note of the knowledge and skills that are required to stay secure. 

2) Train your staff: what you teach your staff – and how those lessons are delivered – will depend on what they need to know. Organisations have several options, which are covered below. 

3) Measure the training’s effectiveness: it’s no good training staff if they don’t retain the information. Any training course should conclude with some form of test to measure the outcome. Informal tests or interviews will suffice in most circumstances, but professional courses will typically end with a formal exam and the possibility of accredited certification. 

How to deliver training 

Effective staff awareness should begin with broad training courses covering the essentials of the topic. These don’t have to be particularly long – for example, our Information Security & ISO27001 Staff Awareness E-Learning Course can be completed in 45 minutes – but they should provide enough information to prevent staff from making basic mistakes. 

The aim of these courses is to make employees realise that information security is everybody’s responsibility, and that staying secure doesn’t have to be complicated. 

Those who require in-depth knowledge of ISO 27001 should commit to extended training sessions. The starting point for all prospective ISO 27001 project managers and auditors is the ISO27001 Certified ISMS Foundation Online, which explains: 

  • The benefits of ISMS certification; 
  • The core elements of an ISMS; 
  • The key steps when planning an ISMS implementation project; 
  • How to conduct an ISO 27001 risk assessment; and 
  • ISO 27001’s Annex A controls. 

Once you understand the essentials of the Standard, you can move on to more advanced courses. IT Governance offers a range of options for those looking to further their careers.