ISO 27001 Information Security Management Standard - Principle 2

Posted by Craig Thornton

Part 3 - Awareness of the need for information security

This fundamental principle is all about implementing and maintaining an effective programme of awareness, training and education for your information security management system (ISMS).

In this programme you inform all of your employees and any other relevant parties (such as customers, contractors, and partners) of the information security obligations set out in your information security policies, standards and procedures.  You then need to motivate them to act in line with those policies, standards and procedures.


Let’s go back to basics for a minute.  As it says in ISO 9000 Quality Management Systems - Fundamentals and Vocabulary, “awareness is attained when people understand their responsibilities and how their actions contribute to the achievement of the organisation’s objectives”.  Obviously the key here is to make sure that all of your employees and any other relevant parties are fully aware of their responsibilities.

How do you make this happen?

Well, you begin as you mean to go on.  In other words, awareness, training and education in your ISMS starts with recruitment.  Ask potential employees questions such as, “what information security protocols are you familiar with?” or “are you aware of the requirements of ISO 27001?”. 

Once hired, induction is where you continue to set the tone for your employees with regard to the ISMS.  Send your new people a strong message right from the get-go by devoting real time and detail to the ISMS during induction and training.

ISMS issues should also be a feature of all performance assessments.  Because data security is important to your business, it should be made important to every single one of your employees.  ISMS issues don’t end for an employee until that person’s relationship with your organisation ends. 

When staff are clearly made aware of their responsibilities, the next step is to make them conscious of how those responsibilities and their actions can contribute to the company meeting and achieving its information security objectives.  Remind all of your employees that the failure of your information security is a high risk to your business.  If only your IT department is aware of your ISMS, then it will fail.  If only your management team is aware of your ISMS, then it will fail.  If only one or two departments are aware of your ISMS, then it will fail.  It’s as simple as that.  

There are two important keys to ISMS success – first, your awareness, training and education programme must be organisation-wide.  As part of dealing with this you may need to break down silos between departments to ensure that each is aware of the others’ ISMS obligations.  And second, your awareness, training and education programme must be on-going.  In my time I have seen dozens of one-off awareness programmes.  This approach never works in the long-term.  If it’s a one-off, things will get forgotten about after a period of time and your ISMS will begin to fail.

The amount of awareness, training and education that you deliver is up to you.  However, it needs to be sufficient to ensure that your organisation’s objectives are met.  There are lots of ways to make this happen, such as:

  • Documented policies and procedures – be sure to record in your skills matrices when ISMS awareness activity has taken place.
  • Training sessions – update your current training plans to include the ISMS.
  • Meetings – a great way to keep up the momentum.  Don’t just create meetings for the ISMS; instead use your existing meeting structure and add the ISMS as a permanent agenda item.
  • Assessments – of staff knowledge of, and competency in, the ISMS.

The risks to your business from breaches of data security are real, on-going and ever-changing.  That’s why your response to them should be real, on-going and ever-changing.  Information security is a problem that never goes away, so your response to it should be ceaseless and all-encompassing.  If you start by making your people highly aware of ISMS issues, you’re halfway there already.

