Information Security Principle 2


Principle 2 - Awareness of the need for information security

The second fundamental principle of information security is about implementing and maintaining an effective awareness, training and education programme for your information security management system (ISMS).

Steps to follow to achieve this:

  1. Inform & Motivate

    Ensure you inform all of your employees and any other relevant parties (such as customers, contractors, and partners) of their information security obligations that are set out in your information security policies, standards and procedures. You then need to motivate staff (and other relevant parties) to act in line with those policies, standards and procedures.
  2. Awareness

    Let’s go back to basics for a minute.  As ISO 9000 (Quality Management Systems - Fundamentals and Vocabulary) puts it, “awareness is attained when people understand their responsibilities and how their actions contribute to the achievement of the organisation’s objectives”.  Make sure that all of your employees and any other relevant parties are fully aware of their responsibilities. You can make this happen by beginning as you mean to go on.  In other words, awareness, training and education in your ISMS starts with recruitment.  Ask potential employees questions such as: “What information security protocols are you familiar with?” or “Are you aware of the requirements of ISO 27001?”
  3. Set the Tone

    Once hired, induction is where you continue to set the tone for your employees with regard to the ISMS.  Send your new people a strong message from the get-go by covering the ISMS in depth during induction and initial training. ISMS responsibilities should also feature in every performance assessment.  Because data security is important to your business, it should be made important to every single one of your employees.  An employee’s ISMS obligations don’t end until that person’s relationship with your organisation ends.
  4. Make staff conscious of their responsibilities

    Once staff are clearly aware of their responsibilities, the next step is to make them conscious of how those responsibilities and their actions contribute to the company meeting its information security objectives.  Remind all of your employees that a failure of your information security is a high risk to your business.  If only your IT department is aware of your ISMS, it will fail.  If only your management team is aware of your ISMS, it will fail.  If only one or two departments are aware of your ISMS, it will fail.  It’s as simple as that.
  5. Ensure the awareness, training and education programme is organisation-wide and ongoing.

    This is an important step in ensuring the success of your ISMS.  As part of it you may need to break down silos between departments so that each is aware of the others’ ISMS obligations.  One-off awareness programmes never work in the long term: things get forgotten after a period of time and your ISMS begins to fail.  How much awareness, training and education you deliver is up to you, but it should be proportionate to the roles and risks involved, and it must be repeated and refreshed rather than delivered once.

The risks to your business from breaches of data security are real, ongoing and ever-changing.  That’s why your response to them should be real, ongoing and ever-changing.  Information security is a problem that never goes away, so your response to it should be ceaseless and all-encompassing.  If you start by making your people highly aware of ISMS issues, you’re halfway there already.
