The ISO/IEC 27001 family of standards outlines hundreds of controls and mechanisms to help organizations protect information assets and keep themselves and their customers secure. In addition to the many technical and process controls, cybersecurity awareness training naturally factors into compliance, since employees represent the largest cyberattack surface and threat actors' favorite point of attack. Getting ISO 27001 certification entails a significant commitment of time, resources and effort, but doing so confers multiple advantages. This article focuses on how cybersecurity awareness training helps organizations achieve and maintain compliance under ongoing third-party audits.
CISOs often call an organization's critical data and information its "crown jewels." The information age has digitized yesteryear's castles and moats. Now, information security management systems (ISMS) protect modern crown jewels behind technical moats, process fortresses… and a trained citizen guard. The ISO/IEC 27000 family of standards mandates requirements that define how to implement, monitor, maintain, and continually improve the ISMS. They include people in the grand security equation because that is where breaches most often happen. A cyber-aware workforce signifies a stronger and more secure organization.
ISO/IEC 27001 is the international standard for information security architecture and operations. Meant for companies of all types, from small enterprises to Microsoft and Google, these global standards define a framework of policies and procedures encompassing the technical, legal, and physical security of an organization's information risk management processes.

Facing mounting pressure from regulators, customers, and public scrutiny, more and more companies are opting for ISO 27001 certification to mitigate risk and demonstrate best practices for the protection and management of confidential and sensitive data. ISO 27001 compliance is audited by an independent body, which certifies whether the implementation satisfies the standard's requirements.

The International Organization for Standardization (ISO) is an independent nongovernmental organization and the world's largest developer of voluntary international standards. The International Electrotechnical Commission (IEC) is the world's leading organization for the preparation and publication of international standards for electrical, electronic, and related technologies.

ISO/IEC 27001 is a security standard that maps out an Information Security Management System (ISMS) designed to bring information security under explicit management control. It contains a set of best practices that include documentation requirements, divisions of responsibility, availability, access control, security, auditing, and corrective and preventive measures. Certification to ISO/IEC 27001 helps organizations comply with numerous regulatory and legal requirements that relate to the security of information.
Demonstrating that controls are in place to keep employees vigilant and aware of cyberattacks is an important component of compliance. People are by far the greatest attack surface in 99 percent of breaches, as reported in the Aug. 2021 HBR article "Your Employees Are Your Best Defense Against Cyberattacks." No matter how good the technical perimeter is, phishing attacks will always sneak into employee inboxes. From there, it takes just one wrong click to compromise an entire network via:
ISO/IEC 27001 contains Clause A.8.2, which lists awareness training as a control: "All employees of the organization and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function."

Neglecting security awareness is not an option. For an information security program to be compliant with ISO 27001, ongoing security awareness training must be established. People are required to know the corporate security policies around handling sensitive information, and they must be equipped with the knowledge of how to spot and report an email attack.