{"id":4540,"date":"2014-05-19T20:38:48","date_gmt":"2014-05-19T20:38:48","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/014\/05\/19\/how-to-perform-training-awareness-for-iso-27001-and-iso-22301\/"},"modified":"2026-01-16T08:01:11","modified_gmt":"2026-01-16T08:01:11","slug":"how-to-perform-training-awareness-for-iso-27001-and-iso-22301","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/05\/19\/how-to-perform-training-awareness-for-iso-27001-and-iso-22301\/","title":{"rendered":"How to perform training &#038; awareness for ISO 27001 and ISO 22301"},"content":{"rendered":"<p>Most of the information security\/business continuity practitioners I speak with have the same problem: the employees in their companies don\u2019t take them seriously \u2013 not only the top managers, but also their peers.<\/p>\n<p>This is due to the fact that the employees usually do not understand what information security or business continuity is all about \u2013 in other words, you may have perfect policies and procedures, but simply pushing those to your internal email list won\u2019t help. 
You need to explain to your colleagues why information security and business continuity are needed, and how to perform certain tasks \u2013 that\u2019s the main purpose of ISO 27001 awareness and training.<\/p>\n<div class=\"post-featured\">\n<div class=\"post-featured--title\">The training cycle in ISO 27001 and ISO 22301:<\/div>\n<div class=\"post-featured--content\">\n<ol>\n<li>Define which knowledge and skills are required.<\/li>\n<li>Perform trainings to reach the desired level.<\/li>\n<li>Measure whether each individual has achieved the desired level.<\/li>\n<\/ol>\n<\/div>\n<\/div>\n<h2>The training cycle<\/h2>\n<p>Both <a href=\"https:\/\/staging.advisera.com\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a> and <a href=\"https:\/\/staging.advisera.com\/27001academy\/what-is-iso-22301\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 22301<\/a> require you to deal with training in a systematic manner (clauses 7.2 Competence and 7.3 Awareness in both standards), i.e., to perform these steps:<br \/>\n<img decoding=\"async\" class=\"aligncenter size-full wp-image-21656\" src=\"\/wp-content\/uploads\/\/sites\/5\/2014\/05\/training-27001.jpg\" alt=\"ISO 27001 \/ ISO 22301 Awareness and Training: How to perform them\" width=\"1000\" height=\"628\" srcset=\"\/wp-content\/uploads\/sites\/5\/2014\/05\/training-27001.jpg 1000w, \/wp-content\/uploads\/sites\/5\/2014\/05\/training-27001-300x188.jpg 300w, \/wp-content\/uploads\/sites\/5\/2014\/05\/training-27001-768x482.jpg 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<ol>\n<li><strong>Define which knowledge and skills are required<\/strong> for particular personnel who have a role in your information security management system (ISMS) or business continuity management system (BCMS) \u2013 in practice, go through every ISMS or BCMS document and note the knowledge and skills required of each responsible person it names.<\/li>\n<li><strong>Perform 
trainings to reach the desired level<\/strong> of knowledge and skills \u2013 see below for methods.<\/li>\n<li><strong>Measure whether each individual has achieved the desired level<\/strong> of knowledge and skills \u2013 through testing, interviews, etc. \u2013 once you know where the gaps are, you can start again with step #1.<\/li>\n<\/ol>\n<p>And this is something that needs to be done continuously \u2013 either by the CISO \/ business continuity coordinator, or by the HR department.<\/p>\n<h2>Methods of training<\/h2>\n<p>Very often, training is planned via a Training plan \u2013 for example, you can plan for the following:<\/p>\n<ul>\n<li><strong>Courses<\/strong> \u2013 see this article for more information: <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2010\/11\/30\/how-to-learn-about-iso-27001-and-bs-25999-2\/\" target=\"_blank\" rel=\"noopener\">How to learn about ISO 27001<\/a>.<\/li>\n<li><strong>Reading literature<\/strong> \u2013 there are many <a href=\"https:\/\/staging.advisera.com\/books\/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own\/\" target=\"_blank\" rel=\"noopener\">information security<\/a> and <a href=\"https:\/\/staging.advisera.com\/books\/becoming-resilient-the-definitive-guide-to-iso-22301-implementation\/\" target=\"_blank\" rel=\"noopener noreferrer\">business continuity books<\/a> available, as well as magazines.<\/li>\n<li><strong>Participating in expert forums on the Internet<\/strong> \u2013 in some of those you can get very concrete answers to your questions \u2013 for example, <a href=\"https:\/\/community.staging.advisera.com\/discussion\/iso-27001-iso-22301\/\" target=\"_blank\" rel=\"noopener noreferrer\">Expert Advice Community<\/a> or <a 
href=\"https:\/\/groups.google.com\/forum\/#!forum\/iso27001security\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001 security<\/a>.<\/li>\n<li><strong>In-house trainings<\/strong> \u2013 delivered either by in-house experts, or by hiring consultants, certification bodies or similar.<\/li>\n<\/ul>\n<h2>Methods of awareness-raising<\/h2>\n<p>As opposed to trainings, which give an answer to the question \u201cHow?\u201d, awareness must give an answer to the question \u201cWhy?\u201d \u2013 that is, explain to your employees why they should accept information security or business continuity.<\/p>\n<p>There are many methods you can use, for example:<\/p>\n<ul>\n<li><strong>Include employees in documentation development<\/strong> \u2013 before you publish the documents, ask your employees to give their inputs (see also: <a title=\"Seven steps for implementing policies and procedures\" href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/seven-steps-for-implementing-policies-and-procedures\/\" target=\"_blank\" rel=\"noopener noreferrer\">Seven steps for implementing policies and procedures<\/a>).<\/li>\n<li><strong>Presentations<\/strong> \u2013 organize shorter meetings where you can explain what new policies and procedures are being published, ask your employees for opinions about them, clarify any misunderstandings.<\/li>\n<li><strong>Articles on your intranet or newsletter<\/strong> \u2013 simple stories (with as many examples as possible) that can help employees understand why information security \/ business continuity are important.<\/li>\n<li><strong>Discussions through internal forums<\/strong> \u2013 you can initiate and participate in concrete questions (and myths) arising from information security \/ business continuity.<\/li>\n<li><strong>E-learning<\/strong> \u2013 you can create short online trainings that explain the significance of these topics, as well as train your employees.<\/li>\n<li><strong>Videos<\/strong> \u2013 they are 
a very powerful presentation method \u2013 you can distribute them via email, through the intranet, etc.<\/li>\n<li><strong>Occasional messages<\/strong> (via email or via your intranet) \u2013 can be used not only to distribute videos, but also to send relevant news and tips for information security \/ business continuity.<\/li>\n<li><strong>Gatherings<\/strong> \u2013 use regular events organized in your company (e.g., parties, anniversaries) to briefly present what you are doing and how it affects your colleagues.<\/li>\n<li>And, above all \u2013 day-to-day <strong>in-person communication<\/strong> \u2013 everywhere you go, whomever you speak to \u2013 you have to sell the idea of information security \/ business continuity.<\/li>\n<\/ul>\n<p>No matter which of these methods you use, the point is that you do them systematically \u2013 again, you should prepare some kind of a plan that defines which of these methods you will perform, and how often.<\/p>\n<div class=\"responsive-video-wrapper\"><iframe loading=\"lazy\" title=\"How to Organize ISO 27001 Training &amp; Awareness\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/rWye8Hvf6sI?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/div>\n<h2>The implementation myth<\/h2>\n<p>So, as I emphasized in this article: <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2012\/04\/24\/the-documentation-myth-why-the-templates-are-not-enough\/\" target=\"_blank\" rel=\"noopener noreferrer\">The documentation myth \u2013 Why the templates are not enough?<\/a>, simply writing the policies and procedures won\u2019t be enough \u2013 you need to use awareness and training as the tools that get the documentation actually implemented.<\/p>\n<p>However, the timing here is also crucial: many 
companies make the mistake of publishing all of their documents at once. For example, if you publish 30 policies and procedures at the same time, then unfortunately, not even the best awareness programs can help you \u2013 your employees will (very correctly) start to think of your information security \/ business continuity as overkill.<\/p>\n<p>Therefore, you have to publish your documentation gradually \u2013 the speed of publishing your new documents must not be the speed of developing them, but the speed at which your employees will be able to accept them via your ISO 27001 awareness and training programs.<\/p>\n<h2>Benefits of security awareness training for companies<\/h2>\n<p>Security awareness, and especially training, are not (always) free though, so how do we justify the expense? Let\u2019s examine the five potential business benefits.<\/p>\n<p><img decoding=\"async\" class=\"alignleft size-full wp-image-18759\" src=\"\/wp-content\/uploads\/\/sites\/5\/2019\/03\/security-awareness-benefits.jpg\" alt=\"Security Training &amp; Awareness for ISO 27001 \/ ISO 22301\" width=\"1000\" height=\"628\" srcset=\"\/wp-content\/uploads\/sites\/5\/2019\/03\/security-awareness-benefits.jpg 1000w, \/wp-content\/uploads\/sites\/5\/2019\/03\/security-awareness-benefits-300x188.jpg 300w, \/wp-content\/uploads\/sites\/5\/2019\/03\/security-awareness-benefits-768x482.jpg 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<ol>\n<li><strong>Reducing resistance to information security<\/strong><br \/>\nGiven sufficient awareness and\/or training, employees make better, more effective, and more efficient use of security controls. For starters, they appreciate that the controls are there for good reason; hence, they are less likely to ignore, bypass, or disable them. Understanding <em>why<\/em> we need long passwords, for instance, and <em>how<\/em> to choose strong, yet memorable passwords or passphrases, makes it easier to be secure. 
Employees refusing to disclose or share their passwords is another control bolstered through awareness and training.<\/li>\n<li><strong>Improved information security, privacy, and compliance<\/strong><br \/>\nThe most immediate benefit of awareness and training arises from improvements to the organization\u2019s information security arrangements. A <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2016\/03\/14\/clear-desk-and-clear-screen-policy-what-does-iso-27001-require\/\" target=\"_blank\" rel=\"noopener\">clear desk policy<\/a>, for instance, is almost worthless if employees don\u2019t know about it, don\u2019t care, and can\u2019t be bothered to comply. Awareness to the rescue! The mere existence of the policy is, in itself, a sign that management appreciates the need, while its clarity, focus, and motivational effectiveness depend on the author\/s being sufficiently clued up. As an integral part of an organization-wide approach to information risk management, security awareness and training enable all the other security controls, and support the achievement of a wide range of business objectives \u2013 including compliance with privacy, accounting, governance, and other laws and regulations.<\/li>\n<li><strong>Avoided or reduced costs from information security incidents, breaches, etc.<\/strong><br \/>\nCompared to the average organization, a security-aware workforce, supported and guided by highly trained security professionals, is less likely to suffer information security incidents, privacy breaches, unplanned downtime, and so forth. Employees who know what to look out for are less likely to fall for obvious scams or to ignore the early signs of trouble. They are the equivalent of skilled drivers, being <em>extra<\/em> cautious when appropriate and able to make good progress when the road conditions are favorable. 
What\u2019s more, any incidents that do occur are likely to be shorter and more limited due to employees\u2019 spotting and reacting appropriately. Incident response can\u2019t start until an incident is recognized and reported, both of which depend on employees knowing what to do, without delay.<\/li>\n<li><strong>Improved reputation and greater trustworthiness<\/strong><br \/>\nIf a majority of the workforce is security-aware, outsiders and visitors perceive an organization that clearly takes security and privacy seriously. From the moment someone arrives at the premises or visits the corporate website, there are clues \u2013 some obvious, such as warning signs and security certificates, and others that are more subtle, such as efficiently following structured processes. Differences in how people and organizations interact affect the extent to which they are willing to depend on each other. Trust is a major factor in commerce, and a significant part of an organization\u2019s reputation and brands. Consider the differences between shopping at a temporary street market compared to, say, a department store, or a backstreet car lot compared to a major dealer. In business, impressions matter!<\/li>\n<li><strong>Situational awareness<\/strong><br \/>\n\u201cSituational awareness\u201d is almost a sixth sense. It\u2019s hard to explain precisely why an email or phone call \u201cdoesn\u2019t seem quite right,\u201d especially as each situation is different; hence, it is impossible to define precise rules on what to look out for. It is true that many phishing emails start with a nonspecific greeting such as \u201cDear customer,\u201d but some don\u2019t: spear-phishing attacks commonly use the recipient\u2019s name, often with other information intended to give the appearance that the sender is a colleague, acquaintance, or friend. 
What\u2019s more, that inkling of something wrong achieves nothing unless the employee reacts appropriately, <em>not<\/em> opening the attachment or clicking the link, for instance, and perhaps seeking help to check out the message.<\/li>\n<\/ol>\n<div class=\"responsive-video-wrapper\"><iframe loading=\"lazy\" title=\"How Cybersecurity Training Reduces the Risk of Failure at the ISO 27001 Certification\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/4IXNKRK2SjQ?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/div>\n<h2><strong>Better safe than sorry<\/strong><\/h2>\n<p>Besides being a long-term investment in the overall business success, awareness and training are an integral and essential part of any sensible approach to information security. If you are still not convinced of its purpose and value, consider the alternative: sure, the organization won\u2019t have to pay for security awareness materials and training activities, but employees will be na\u00efve, uninformed, and unmotivated. Security controls will be neglected, forgotten, and sometimes disabled or bypassed for the sake of convenience. 
The organization will appear untrustworthy, its reputation and bottom line both tarnished by incidents and breaches that should have been prevented or mitigated.<\/p>\n<p><em>If you want to organize an ISO 27001 training &amp; awareness program for your employees,<\/em> <a href=\"https:\/\/staging.advisera.com\/training-account\/iso-27001-training-awareness\/\" target=\"_blank\" rel=\"noopener\">sign up for a free trial<\/a> <em>of the Company Training Academy &#8211; it will provide you with a series of short videos and enable progress reports.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Most of the information security\/business continuity practitioners I speak with have the same problem: the employees in their companies don\u2019t take them seriously \u2013 not only the top managers, but also their peers. This is due to the fact that the employees usually do not understand what information security or business continuity is all about &#8230;<\/p>\n","protected":false},"author":26,"featured_media":21656,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[380,381,474,500,520],"class_list":["post-4540","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-22301","tag-iso-27001","tag-training-awareness","tag-ciso","tag-hr-management"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4540","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post
=4540"}],"version-history":[{"count":6,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4540\/revisions"}],"predecessor-version":[{"id":104956,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4540\/revisions\/104956"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/21656"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4540"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4540"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4540"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}