18 January 2024 • General
An ISO27001 certification is a badge of honor that shows how much your organization cares about the management and protection of sensitive information.
The standard outlines a framework for security management, including a commitment to employee awareness and training.
But getting a complete understanding of exactly what is expected of your organization can be tricky. The ISO27001 standard is a long document, and even after reading it a couple of times over, you may still be left with questions.
In this article, we’ll explain what ISO27001 states about security awareness and how you can implement ISO27001 security awareness training within your organization.
In a nutshell: what is ISO27001?
ISO27001 is a standard for information security management systems (often referred to as ISMS). The goal of this standard is to provide a systematic approach to managing and protecting sensitive information.
Key components of ISO27001 are:
- Risk assessment
- Policy development
- Clear roles and responsibilities
- Awareness training
Organizations that choose to adhere to this standard are often government agencies, healthcare organizations, financial institutions, and any other organization that handles sensitive information.
Getting certified isn’t a walk in the park. It involves a rigorous audit process to check if your organization complies with the standard.
What does the ISO27001 standard state about security awareness?
The ISO27001 standard mentions the importance of security awareness in multiple clauses.
- Clause 7.2 – Competence: The standard requires organizations to determine the necessary competence of employees involved in information security.
- Clause 7.3 – Awareness: Organizations need to ensure that employees are aware of the information security policy, relevant objectives, and their roles and responsibilities in achieving these objectives.
- Clause 8.2 – Communication: ISO 27001 emphasizes the importance of internal communication regarding the information security management system, including promoting awareness of information security.
- Clause 8.2.2 – Information Security Awareness, Education, and Training: Organizations need to ensure that personnel are aware of the information security policy and are competent in the areas of their work that relate to information security.
How to implement ISO27001 security awareness training
ISO27001 provides a clear framework to help organizations manage information security. However, it doesn’t explicitly state how to implement a security awareness program within your organization.
So how do you know if your ISO27001 security awareness training program is up to par?
A good starting point is to look at what ISO27001 auditors assess. During an audit, the organization’s compliance with ISO27001 requirements is checked, including the requirements related to security awareness.
Auditors often look for the following:
- Documentation: Have you documented your security policy, objectives, roles, and specific requirements related to awareness and training?
- Communication: Can you provide evidence that your employees are aware of your security policy, objectives, and their specific roles in achieving them?
- Training programs: Can you prove that your organization has implemented training programs?
- Monitoring and measurement: Can you show that you are monitoring and measuring the effectiveness of your security awareness programs?
You can either decide to set up your own training program or use a security awareness training platform like Guardey.
With Guardey, your employees take on weekly cyber security challenges that take up to three minutes to complete. The challenges cover all relevant topics such as spear phishing, CEO fraud, password security, and more. By learning small pieces of information every week, employees gradually build up knowledge and their security awareness grows.
In the reporting section, you can monitor how employees are performing and which security topics may need more attention. This makes Guardey the perfect fit for security awareness training compliant with the ISO27001 standard.
How to introduce ISO27001 security awareness training to your employees
Once you have decided on an ISO27001 security awareness training solution, it’s time to introduce it to your employees. This isn’t always an easy task. Not everybody may immediately grasp the importance of security awareness training, which is why simply sending them their logins may not suffice.
That’s why you need a strong introduction. Below, we’ve added two examples.
EyeOn organized a cyber security week to kick off their ISO27001 certification process. During this week, they started every day with an interview of 15 minutes, which they called the safety catch-up. Each day had a specific cyber security theme, and during challenges (both in Guardey and in real life), employees could score points. At the end of the week, the best-performing employees were rewarded with a trophy and a small gift.
Delta Wines first arranged a spear phishing simulation. During this simulation, employees got a phishing email to test if they would click the link and leave personal information. And it turns out that many of the employees did just that. The IT manager shared the final results of the phishing test during a quarterly meeting, which shocked quite a few of his colleagues. This made introducing Guardey as their security awareness training solution much easier.
How Fendix gets organizations ISO27001 certified with the help of Guardey
Fendix helps companies get ISO27001 certified. Killian Houthuijzen, information security consultant at Fendix, explains what role Guardey’s security awareness solution plays in this process: “An important part of getting an ISO27001 certification is investing in the security awareness of your employees. A while back, we were trying to set up our own version of a security awareness training in preparation for that. But creating all that new content would have taken us at least 8 hours every single month. That’s just not efficient.”
He continues: “With Guardey, security awareness training becomes affordable and you don’t need to invest any time in setting it up. All you need to do is monitor the performance of your team, which is easy in Guardey’s learning management system. That’s why we often advise our clients to simply use Guardey instead of doing all the heavy lifting of setting up their own training.”
Try out Guardey’s ISO27001 security awareness training solution
Security awareness plays a significant role in protecting your organization from cyber attacks and complying with ISO27001. If you’re looking for a training solution that is implemented within hours, consider using Guardey.
With Guardey’s gamified learning process, your employees will get 3-minute micro-learnings every single week. Over time, they learn how to recognize cyber threats and act accordingly.