INFORMATION SECURITY: PRINCIPLES
ISO 27001 Information Security Principles
Principle 2: Information security awareness.
Implementing and maintaining an effective programme of awareness, training and education for your information security management system (ISMS) is the second fundamental principle of information security.
Steps to follow to achieve this:
1. Engage and Motivate
Ensure that the information security policies, standards and procedures you have implemented are communicated to all of your employees, customers, contractors and partners. Then motivate staff (and other relevant parties) to follow them: communication alone does not change behaviour.
2. Awareness
Take a minute to review the basics. According to ISO 9000 Quality Management Systems – Fundamentals and Vocabulary, “awareness is reached when people understand their responsibilities and how their actions contribute to the organization’s goals”. Ensure that your employees and any other relevant parties are aware of their responsibilities. The way to accomplish this is to begin with the end in mind: training, education and awareness for your ISMS therefore start at recruitment, before anyone is hired. Consider asking prospective employees, “What information security protocols are you familiar with?” or “Are you aware of the requirements of ISO 27001?”
3. Decide what tone you want to set
Induction is where you continue to set the tone for your employees regarding the ISMS once they are hired. During induction and subsequent training, give new employees a thorough grounding in the ISMS: what it covers, what it requires of them and why. All performance assessments should include ISMS matters as well. Employees should understand that information security matters to them because it matters to the business. Information security remains part of an employee’s relationship with your company throughout their employment, not only at induction.
4. Consciousness of responsibilities among the employees is key
Once you have clearly defined your staff’s responsibilities, make sure they understand how they can help the organization achieve its information security objectives. Make sure that all employees are aware that failure of the information security programme poses a high risk to the business. If only your IT department knows about the programme, it will fail. If only your management team knows about it, it will fail. Simply put, an ISMS that is known to only one or two departments will not work.
5. Develop an organization-wide, ongoing awareness, training, and education program.
This step is paramount to the success of your ISMS. As part of it, you will need to break down silos between departments so that each is aware of the others’ ISMS obligations. One-off training programmes will not suffice in the long run: an ISMS supported by a single training session will eventually become ineffective. The depth of training, education and awareness you provide is your decision.
Breaches of data security pose a real, ongoing and ever-changing risk to your business, so your response should likewise be genuine, ongoing and ever-changing. Address information security continually and comprehensively, because the risk is not going away. The key to success is making your people aware of ISMS issues from the start.
Use SHEQ software
To design and implement a Quality Management System, SRM and many of our clients use Mango Compliance Software (www.mangolive.com). Mango makes it easier to obtain and maintain ISO 9001:2015 certification.
SRM is certified to ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018. Contact our consultants today and let us know if we can help you develop and implement your Quality Management System.