Information security is a crucial issue in today’s digital age. Yet we often only realize its importance after we’ve been the victim of a cyber-attack or security incident.
Clause 7.3 of ISO 27001 requires that everyone doing work under the organization's control, not only employees but also contractors and other third parties, is made aware of the information security policy, of their own contribution to the effectiveness of the ISMS, and of the implications of not conforming with its requirements.
First of all, teams need to understand the basics of information security in the broadest sense. It's not just about avoiding phishing emails or choosing strong passwords. It's also about understanding how security standards such as ISO 27001 play a vital role in protecting sensitive information.
For these security measures to be effective, all members of the organization need to be aware of their role. Everyone has an important contribution to make, whether by reporting security incidents, identifying non-conformities or simply ensuring that security policies and procedures are followed on a daily basis.
What's more, it's essential to consider the consequences of non-compliance with security policies. These can range from the loss of sensitive data to regulatory fines, not to mention the potential damage to the organization's reputation.
Team members must therefore be trained at onboarding and periodically throughout the year, on the topics relevant to their role and to company policy, as well as on the consequences of non-compliance.
Raising awareness of information security and ISO 27001 is not just a task for the IT team. It’s a collective effort that requires everyone’s participation.
I have no choice but to use the overused formula that a chain is only as strong as its weakest link, and in the field of information security, every member of the organization is a link in that chain.
Awareness topics
Information security training and awareness for new employees should ideally cover the following items:
- Introduction to information security: Explain the concept of information security, why it is important and how it affects day-to-day business operations.
- Information security policies and guidelines: Present the policies that apply to the employee. This could include the password policy, e-mail policy, remote access policy, etc.
- Individual responsibilities: Explain each employee's role in information security, their individual responsibility to comply with the policies, and the consequences of non-compliance.
- Security threats: Provide information on common security threats, such as phishing, malware, denial-of-service attacks, etc., and how to recognize them.
- Response to security incidents: Explain what an employee should do in the event of an incident or breach of information security, including who to contact and what information to provide.
- Data management: Provide guidelines for secure data storage, data sharing and data destruction, especially for sensitive data such as personal information.
- Physical security: Explain protocols related to physical security, such as locking computer screens when not in use, secure storage of printed documents, secure access to buildings, etc.
- Legislation: Inform employees of the laws concerning information security and privacy that apply to the organization (for example, here in Quebec, the Act respecting the protection of personal information in the private sector).
Success criteria
In order to determine whether we have complied with clause 7.3 of ISO 27001, here are a few questions an auditor might ask:
- What type of information security training or awareness-raising is provided to employees? How often is this training provided?
- How does the organization measure the effectiveness of its information security awareness programs? What indicators are used?
- What action is taken if an employee fails to comply with the organization’s information security policies and procedures? How are such incidents recorded and handled?
- How does the organization ensure that employees are informed of changes or updates to information security policies and procedures?
- How does the organization engage employees to be proactive in reporting security incidents or potential non-conformities?