
ISO 27001 Controls: Security Awareness

The importance of promoting security awareness within your organisation

If you want to ensure that your organisation handles its data securely, you should take steps to promote security awareness among all your employees.

ISO 27001 annex control A.7.2.2 requires regular security awareness training for all employees and contractors within compliant organisations.
We should note that even if the standard didn’t require promoting security awareness, we would still strongly recommend it.

Security Awareness Training

According to ISO 27001:2013 annex A.7, security awareness should be promoted within an organisation by means of regular education and training.
At Inverifi and its sister companies, each new employee receives security awareness training when they join.
The entire company is also required to attend a company-wide security awareness training session every year.

Since we want our security awareness training sessions to be taken seriously, we try to make them engaging.
A few years ago, in one of our sessions, the company was shown a video demonstrating social engineering. The linked video contains a swear word.

Other Methods

Organisations may use other methods of promoting security awareness among employees.
At Inverifi and its sister companies, we bring attention to security blind spots as we see them, by actually exploiting those blind spots. We call this dishing.
We believe dishing is an excellent way of promoting security awareness.
Each time someone gets dished, not only does the victim receive a harsh reminder of the importance of operational security; the perpetrator themselves is made aware of just how easy it can be to steal sensitive information.
If an employee gets dished too many times within a short period, they are required to attend an individual security awareness training session.

Final Thoughts

Promoting security awareness is essential for any organisation that wants to keep its data secure. This is especially true for organisations that handle customer data.
As you now know, in addition to regular security awareness training, we have our own ways of actively promoting security awareness within our company.
Perhaps your organisation also has creative ways of promoting security awareness. If so, we’d love to hear about this on our socials, linked in the page footer.