Awareness with Regards to the ISMS

00:01

Listen 5.3 awareness

00:06

In this video we will cover awareness and what the standard requires with regards to awareness

00:12

awareness regarding nonconformity, ease

00:15

and the required documentation for awareness.

00:22

So in the previous section we spoke about competence and one of the ways to achieve this was through information security awareness sessions.

00:31

No.

00:32

My personal point of view is that there could be two flavors of information security awareness within a nice mess. Aligned to Isis 27,001,

00:41

there would be your usual information security awareness training

00:45

and then the standard requires specific activities to be performed with regards to maintaining awareness

00:51

with regards to the isthmus. Specifically,

00:55

the lines in this can, of course, be blurred.

00:58

And awareness on risks and controls can most certainly also cover elements off the ice mess.

01:03

It is up to you how you want to split up your awareness training.

01:07

The auditor, if you're going for certification ordered,

01:11

would want to see evidence that staff are being made aware of your information security controls in general,

01:18

as well as progress on

01:19

key items in your isom s implementation and maintenance.

01:26

For example,

01:27

communication to your staff regarding the SMS at regular intervals is a good way to demonstrate this

01:34

training and discussions of staff on how to perform their responsibilities with regards to the ice mess is another example.

01:42

For example,

01:44

if your Finance Department has given specific goals to achieve with regards to information security,

01:49

it is important that they firstly understand what these girls mean.

01:53

That they understand how to implement and enforce these goals within their processes

01:59

and that they are equipped with the knowledge of how to monitor the achievement of these goals.

02:05

This touches on many other closes to,

02:07

but it is important that personal design

02:12

designated story with reporting the up was supporting the ice mess in some or other way or made aware of what this entails,

02:19

as well as how to practically deliver on this.

02:23

It is also important that personal understand where the information security policy is located,

02:28

what the policy entails,

02:30

and that they must also sign some form of document either people Elektronik,

02:35

which shows that the user has confirmed understanding off the policy content.

02:40

Just to recap on the two types of awareness,

02:44

there is awareness regarding the information security in general.

02:47

For example, fishing risks

02:51

malicious software.

02:52

Your controls in place risks, policies, etcetera

02:55

and more specialized awareness sessions relating to the ice, a mist directly

03:00

in ways in which personal are required to support the achievement of ice mess goals and objectives.

03:09

There is also awareness regarding nonconformity.

03:14

It is important to ensure that the audience understands. Firstly, when a non conformity is,

03:21

you would then want them to understand what a nonconformity means to them as an individual.

03:25

This would generally be handled by your disciplinary procedures related to the nature of the non conformity.

03:32

It is important to make users and participants in the ice melts away. That nonconformity is have ripple effects greater than just disciplinary action.

03:42

Major nonconformity is can put the information security posture off the organization at risk.

03:50

So nonconformity is basically an instance where a requirement off the ice miss specifically the ice or 27,001 standard

03:59

or a specific control has not been met.

04:03

Non conformity is can occur simply by people not doing their jobs, not communicating When delays with it, things have occurred

04:12

or not maintaining appropriate documentation.

04:15

Often they would be disciplinary actions for nonconformity, ease

04:20

relevant to the level of non conformity

04:25

that occurred.

04:28

It is also important for people to understand what the repercussions of non conformity

04:33

for the organization as a whole law.

04:40

What documentation is required

04:43

for clothes? 7.3

04:46

wireless specific document is not specified as mandatory.

04:49

It is generally mandatory to keep information on the activity that demonstrates some form of awareness training.

04:56

In terms of the SMS in information, security in general is taking place.

05:00

The information must be sufficient in nature that it will provide your certification auditors with comfort that you're performing This required task

05:09

as per your documented frequency

05:11

evidence of attendance and that there is some form of off assessment at intervals that demonstrates verification and understanding off the knowledge and participants after the training or awareness session.

05:24

So again,

05:26

you need evidence of your training material. Whether this was a presentation, poster, Web page, online video,

05:33

whatever it WAAS

05:35

attendance registers or some other form off

05:40

verification of attendance online or in classroom based trainings

05:46

matrix associated with awareness training, such as assessment results, feedback scores and so forth

05:51

as well as budgets and plans for ongoing awareness and training activities

06:00

to summarize

06:00

in this lesson recovered the requirements of awareness that this extends to not just general information, security awareness and training, but also awareness specific to the ice. Um, s

06:13

we discussed awareness regarding nonconformity ease.

06:16

We also examine some examples of documentation that could support the awareness activities