The ISO/IEC 27001 family of standards outline hundreds of controls and mechanisms to help organizations protect information assets and keep themselves and customers secure. In addition to the many technical and process controls, cybersecurity awareness training naturally factors into compliance since employees represent the largest cyberattack surface and threat actors’ favorite attack point. Getting ISO 27001 certification entails a significant commitment of time, resources and effort, but doing so confers multiple advantages. This article will focus on how cybersecurity awareness training helps entities achieve and maintain compliance under ongoing third party audits.
ISO/IEC 27001 and awareness training
CISOs often call an organization’s critical data and information their “crown jewels.” The information age has digitized yesteryear’s castles and moats. Now, information security management systems (ISMS) protect modern crown jewels behind technical moats, process-fortresses… and a trained citizen guard. The ISO/IEC 27000 family of standards mandate requirements that define how to implement, monitor, maintain, and continually improve the ISMS. They include people in the grand security equation because that's where breaches most often happen. A cyber-aware workforce signifies a stronger and more secure organization.
What is ISO/IEC 27001?
ISO/IEC 27001 is the international standard for information security architecture and operations. Meant for companies of all types, from small enterprises to Microsoft and Google, these global standards define a framework of policies and procedures encompassing technical, legal, and physical security of an organization's information risk management processes.Facing mounting pressure from regulators, customers, and public scrutiny, more and more companies are opting for ISO 27001 certification to mitigate risk and demonstrate best practices for the protection and management of confidential and sensitive data. ISO 27001 is audited by an independent body, who certifies whether implementation satisfies standard requirements.The International Organization for Standardization (ISO) is an independent nongovernmental organization and the world's largest developer of voluntary international standards. The International Electrotechnical Commission (IEC) is the world's leading organization for the preparation and publication of international standards for electrical, electronic, and related technologies.ISO/IEC 27001 is a security standard that maps out an Information Security Management System (ISMS) designed to bring information security under explicit management control. It contains a set of best practices that include documentation requirements, divisions of responsibility, availability, access control, security, auditing, and corrective and preventive measures. Certification to ISO/IEC 27001 helps organizations comply with numerous regulatory and legal requirements that relate to the security of information.
Why do companies seek ISO 27001 certification?
- Regulatory compliance: From the White House to Downing Street, cybersecurity regulations and penalties for negligence are intensifying. Equifax settled with US state and federal authorities for an up-to $700 million payout for security negligence; the UK’s Information Commissioner’s Office can issue fines of up to 4% of annual turnover. Demonstrating compliance will help prevent breaches, and it could mitigate costs should a breach occur.
- Business advantage: Those who meet requirements may win business over those who do not. An increasing number of companies require their vendors to be ISO 27001 compliant in order to do business with them in this interconnected cloud environment, where one compromised vendor can infect hundreds of companies (as happened with Kaseya in July, 2021).
- Security and risk: The whole point is to protect your organization and your customers’ data. The ISO 27001 framework provides the moats and fortifications to protect the crown jewels and the people.
- Branding and customer trust: Certification functions as a badge of honor in today’s cybersecurity-aware business landscape.
Security awareness training and ISO/IEC 27001 ongoing compliance
Demonstrating that controls are in place to keep employees vigilant and aware of cyberattacks is an important component of compliance. People are by far the greatest attack surface in 99 percent of breaches, as reported in the Aug. 2021 HBR article, “Your Employees Are Your Best Defense Against Cyberattacks.” No matter how good the technical perimeter is, phishing attacks will always sneak into employee inboxes. From there, it just takes one wrong click to compromise an entire network via:
- Credential compromise
- Business Email Compromise/CEO attack
- Malware infection
- Ransomware
ISO/IEC 27001 contains Clause A.8.2, which states awareness training as a control: “All employees of the organization and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.”Neglecting security awareness isn’t an option. For a security system to be compliant with ISO 27001, ongoing security awareness training must be established. People are required to know the corporate security policies around handling sensitive information, and they must be equipped with the knowledge of how to spot and report an email attack.
