Let us take a look at what the most relevant standards say about training your personnel.
Ensure your people are competent!
ISO 27001:2022
7.2 Competence
The organization shall:
- determine the necessary competence of person(s) doing work under its control that affects its information security performance;
- ensure that these persons are competent on the basis of appropriate education, training, or experience;
- where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; and
- retain appropriate documented information as evidence of competence.
NOTE Applicable actions can include, for example: the provision of training to, the mentoring of, or the re-assignment of current employees; or the hiring or contracting of competent persons.
Brief your staff on responsibilities and train them
ISO 27002:2022
5.4 Management responsibilities
Management should require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.
Management responsibilities should include ensuring that personnel:
a) are properly briefed on their information security roles and responsibilities prior to being granted access to the organization’s information and other associated assets;
[…]
f) continue to have the appropriate information security skills and qualifications through ongoing professional education;
6.3 Information security awareness, education and training
Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function.
An information security awareness programme should aim to make personnel aware of their responsibilities for information security and the means by which those responsibilities are discharged.
The awareness programme should be planned taking into consideration the roles of personnel in the organization, including internal and external personnel (e.g. external consultants, supplier personnel). The activities in the awareness programme should be scheduled over time, preferably regularly, so that the activities are repeated and cover new personnel. It should also be built on lessons learnt from information security incidents.
The awareness programme should include a number of awareness-raising activities via appropriate physical or virtual channels such as campaigns, booklets, posters, newsletters, websites, information sessions, briefings, e-learning modules and e-mails.
When composing an awareness programme, it is important not only to focus on the ’what’ and ’how’, but also the ’why’, when possible. It is important that personnel understand the aim of information security and the potential effect, positive and negative, on the organization of their own behaviour.
Personnel and partners are trained
NIST CSF V1.1
Awareness and Training (PR.AT)
The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.
- All users are informed and trained
- Privileged users understand their roles and responsibilities
- Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
- Senior executives understand their roles and responsibilities
- Physical and cybersecurity personnel understand their roles and responsibilities
Not just a canned, once-a-year training video.
CIS Critical Security Controls v8
14. Security Awareness and Skills Training
Establish and maintain a security awareness program to influence behaviour among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
An effective security awareness training program should not just be a canned, once-a-year training video coupled with regular phishing testing. While annual training is needed, there should also be more frequent, topical messages and notifications about security. This might include messages about: strong password-use that coincides with a media report of password dump, the rise of phishing during tax time, or increased awareness of malicious package delivery emails during the holidays.
Aware of suspicious behaviour and attempted tampering
PCI DSS v3.2.1
9.9 – Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.
[…] procedures […] include […] Training personnel to be aware of suspicious behavior and to report tampering or substitution of devices.
9.9.3 – Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:
- Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
- Do not install, replace, or return devices without verification.
- Be aware of suspicious behaviour around devices (for example, attempts by unknown persons to unplug or open devices).
- Report suspicious behaviour and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
All staff complete annual training (including classroom)
SWIFT CSCF v2023
7.2 Security Training and Awareness
Annual security awareness sessions are conducted for all staff members with access to SWIFT-related systems. All staff with privileged access maintain knowledge through specific training or learning activities when relevant or appropriate (at management’s discretion).
All staff with access to SWIFT-related systems complete annual security awareness or training. Topics may include:
[list deleted]
In addition, all staff with privileged access maintain their knowledge and expertise in line with their role and responsibilities by considering training or other learning activities that may include topics like:
[list deleted]
Training is delivered through the most appropriate channel, including computer-based training, classroom training, and webinars.
Privacy awareness education
NIST Privacy Framework
Awareness and Training (GV.AT-P)
The organization’s workforce and third parties engaged in data processing are provided privacy awareness education and are trained to perform their privacy-related duties and responsibilities consistent with related policies, processes, procedures, and agreements and organizational privacy values.
Training as a binding corporate rule
Regulation (EU) 2016/679 – GDPR
Art. 47 – Binding corporate rules
The binding corporate rules […] shall specify at least:
[…] (n) the appropriate data protection training to personnel having permanent or regular access to personal data.
Need a concept for awareness and training
VDA ISA 5.0.4
2.1.3 To what extent is staff made aware of and trained with respect to the risks arising from the handling of information?
+ A concept for awareness and training of employees is prepared. At least the following aspects are considered:
- Information security policy
- Reporting of information security events
- Reaction to occurrence of malware
- Policies regarding user accounts and login information (e.g. password policy)
- Compliance issues of information security
- Requirements and procedures regarding the use of non-disclosure agreements when forwarding information requiring protection
- Use of external IT services
