When you work in a business that uses data, especially personal data, you are faced with what seems like an onslaught of certification, standards, legislation, and frameworks on securing that data. It may seem at times like just an extra hurdle in your business that you have to take on. But these frameworks can add significant value to an organisation and demonstrate compliance as well as good practice. One such framework is ISO 27001.
ISO 27001 is a framework and certified standard that covers the management of information security risk. It is overseen by the International Organization for Standardization (ISO) and is designed to work as a cross-organisation certification. The framework gives you the foundations for building an information security management system (ISMS).
It is a popular certification, with a 20% increase each year in companies going through certification.
This article will look at what ISO 27001 is and how employee security awareness training is an intrinsic part of the overall structure of the standard.
What is ISO 27001 anyway?
ISO 27001 was brought in to consolidate information security efforts around the confidentiality, integrity, and availability of information. The main areas it covers concern managing risk and include:
- Continuous analysis of security risks and needs in the business
- The design and implementation of security controls
- How risk is managed
- The overarching management process that controls information security risk
One thing that ISO 27001 makes clear is that information security is not just about having the right technology in place. ISO 27001 is about people and processes as much as technology.
The certification audit is carried out by third-party specialists. They audit all of the processes that are involved in meeting the framework requirements. The certification audit you go through will look at your:
- Policies
- Procedures
- Technical measures
…used in protecting information.
The certification can be applied to any or all parts of a business or its processes. For example, you may have an identity and access management system that serves internal employees and customers; ISO 27001 can be used to certify that system.
The people part of ISO 27001
Clause A.8.2 sets out a number of areas that cover the ‘people’ aspects of ISO 27001. This includes:
“8.2.2. Information security awareness, education and training
Control
All employees of the organisation and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in organisational policies and procedures, as relevant for their job function”
ISO 27001 is about the entire lifecycle of security; this begins with your people. The process to achieve certification must include bringing your staff into the equation. You can do this using security awareness training. Well-trained, security-aware staff are the backbone of risk management. They act as a frontline defence against some of the most pervasive and successful cybersecurity issues, including:
- Phishing and malware infection
- Security leaks caused by password sharing
- Accidental data disclosure
You cannot expect to achieve ISO 27001 certification without having staff who are part of that process. Staff need to be aware of the sensitivity of data in order to understand why it needs protection. Security awareness training provides the system to train staff in all aspects of security, including improving security behaviour. As part of ISO 27001 you need to show how your employees apply the tenets of the certification to protect information in their area of work or responsibility.
Some staff members, mainly those who implement security or who work on security policies, may also need to be trained on the specifics of ISO 27001. In this case, you should provide extended security awareness training.
All security awareness training courses should provide metrics that show engagement and that allow for retraining or tailoring of modules.
Why become ISO 27001 certified?
One of the best features of ISO 27001 is that you get a certificate of proof that you meet the criteria. This is important. It stands as a test of your integrity in carrying out the framework requirements to mitigate information security risk. You can use this to demonstrate your information security measures are fit for purpose. This is useful, for example, when putting in bids for tenders/work or to show customers that you take security seriously. In fact, some tenders require that you are ISO 27001 certified.
ISO 27001 can be used as a way to evaluate the effort an organisation has made to secure information. With an ISO 27001 certificate in place you can:
- Help with data protection regulations: More and more regulations are expecting proof of compliance around data security. You can use ISO 27001 as part of your compliance proof and checklist.
- Meet bid requirements: Many tenders will require you have proof of your information security efforts.
- Reduce security impact and costs: If you make a solid effort to secure data, you are less likely to be involved in a data security incident and its associated costs.
Using ISO 27001 and security awareness training in harmony
Being ISO 27001 certified is a way to show that you have your information security ducks in a row. To get there, you need to make sure your staff are security aware.
The two, ISO 27001 and security awareness, go hand in hand. Mitigating information security risk is a holistic exercise that covers all touch points in the information lifecycle. Your staff are likely to be involved across this lifecycle, so they need to understand the impact their actions and behaviour have on the risk to that information. Security awareness training is an intrinsic part of the ‘people’ aspect of the ISO 27001 certification process. As such, having a cybersecurity-aware workforce can help you on the road to ISO 27001 success.
Security awareness training can be easily implemented and helps to ensure you meet part of your ISO 27001 requirements. Why not sign up for a free demo and find out how we’re already helping organisations not only meet their ISO 27001 staff training requirements, but also dramatically improve the awareness of their employees and boost their defences.