Lesson 5.3: Awareness
In this video we will cover awareness and what the standard requires with regards to awareness, awareness regarding nonconformities, and the required documentation for awareness.
So in the previous section we spoke about competence, and one of the ways to achieve this was through information security awareness sessions.
My personal point of view is that there could be two flavours of information security awareness within an ISMS aligned to ISO 27001: there would be your usual information security awareness training, and then the standard requires specific activities to be performed with regards to maintaining awareness of the ISMS specifically.
The lines in this can, of course, be blurred, and awareness on risks and controls can most certainly also cover elements of the ISMS.
It is up to you how you want to split up your awareness training.
The auditor, if you're going for a certification audit, would want to see evidence that staff are being made aware of your information security controls in general, as well as of progress on key items in your ISMS implementation and maintenance.
Communication to your staff regarding the ISMS at regular intervals is a good way to demonstrate this.
Training and discussions with staff on how to perform their responsibilities with regards to the ISMS is another example.
If your finance department has been given specific goals to achieve with regards to information security, it is important that they firstly understand what these goals mean, that they understand how to implement and enforce these goals within their processes, and that they are equipped with the knowledge of how to monitor the achievement of these goals.
This touches on many other clauses too, but it is important that personnel designated with responsibilities for reporting on or supporting the ISMS in some or other way are made aware of what this entails, as well as how to practically deliver on this.
It is also important that personnel understand where the information security policy is located and what the policy entails, and that they must also sign some form of document, either on paper or electronically, which shows that the user has confirmed understanding of the policy content.
Just to recap on the two types of awareness: there is awareness regarding information security in general, for example phishing risks, your controls in place, risks, policies, etcetera; and there are more specialised awareness sessions relating to the ISMS directly and to the ways in which personnel are required to support the achievement of ISMS goals and objectives.
There is also awareness regarding nonconformity.
It is important to ensure that the audience understands, firstly, what a nonconformity is. You would then want them to understand what a nonconformity means to them as an individual.
This would generally be handled by your disciplinary procedures, related to the nature of the nonconformity.
It is important to make users and participants in the ISMS aware that nonconformities have ripple effects greater than just disciplinary action.
Major nonconformities can put the information security posture of the organization at risk.
So a nonconformity is basically an instance where a requirement of the ISMS, specifically of the ISO 27001 standard or of a specific control, has not been met.
Nonconformities can occur simply by people not doing their jobs, not communicating when delays with things have occurred, or not maintaining appropriate documentation.
Often there would be disciplinary actions for nonconformities, relevant to the level of the nonconformity.
It is also important for people to understand what the repercussions of a nonconformity are for the organization as a whole.
What documentation is required? While a specific document is not specified as mandatory, it is generally mandatory to keep information on the activity that demonstrates that some form of awareness training, in terms of the ISMS and information security in general, is taking place.
The information must be sufficient in nature that it will provide your certification auditors with comfort that you're performing this required task as per your documented frequency, with evidence of attendance, and that there is some form of assessment at intervals that demonstrates verification of the knowledge and understanding of participants after the training or awareness session.
You need evidence of your training material, whether this was a presentation, poster, web page or online video;
attendance registers or some other form of verification of attendance for online or classroom-based training;
metrics associated with awareness training, such as assessment results, feedback scores and so forth;
as well as budgets and plans for ongoing awareness and training activities.
In this lesson we covered the requirements of awareness, and that this extends not just to general information security awareness and training but also to awareness specific to the ISMS.
We discussed awareness regarding nonconformities.
We also examined some examples of documentation that could support the awareness activities and be used as evidence during an audit.