Human resource training is a powerful information security measure. The annual training plan, the design of the training modules and the monitoring of skills must all be implemented within the ISO/IEC 27001 management system.
To fulfil requirements 7.2 and 7.3 of ISO/IEC 27001, relating respectively to the competence and awareness of people in the information security management system, a procedure is needed that covers at least the following phases:
- Training (initial training, periodic training and hands-on training)
- Evaluation of training
- Monitoring of competence and awareness
Initial training
People joining the organization must begin their work only after initial training sessions that aim to:
- Make them understand the context of the organization
- Explain the organizational structure (roles and duties)
It is important to underline that the procedure that manages training must also integrate the Annex A control A.7.2.2, Information security awareness, education and training. Under this control, all employees of the organization and, where relevant, contractors must receive appropriate awareness education and training and regular updates on organizational policies and procedures, as relevant to their job function.
Periodic training
After the initial phase, during their work activities, new hires are trained (and periodically updated) on the following topics, so that they can make a valid and significant contribution to the functioning of the management system:
- The information security risks present in the organization
- The assets the organization provides so that operational activities can be carried out securely
- The information security objectives and the plans to achieve them
- Management system procedures and information security procedures
Hands-on training
Hands-on training is organized in the same way as training, but its aim is to give the worker the operational and methodological skills needed to perform their duties in accordance with the procedures and any work instructions contained in the management system documentation.
To make the preventive measures for information security risks effective, we suggest orienting hands-on training towards practical applications such as:
- Access control
- Login and logout operations
- Individual cryptographic operations
- Use of permissions when working on the operating system
- Use of security forms
- Keeping a clean desk
- Individual backup tasks
- Operation of alternative power supply devices
- Setting the air conditioning
- Interaction with security staff (introduction to and identification of security guards)
- Individual antivirus checks
Evaluation of training
Training must be assessed on the basis of the theoretical knowledge actually acquired by the learner and the operational and methodological skills acquired through hands-on training. In addition, the training activity must be subjected to a two-way evaluation:
- By the trainer of the learners
- By the learners of the trainer
Monitoring of competence and awareness
Through the implementation of the information security management system, the company must not pursue a generic improvement of the potential and abilities of its human resources, but must focus on developing competence and awareness, so that the content delivered in training is closely related:
- To the information security policies
- To the risks of the organization
- To the objectives of the organization
- To the operational activities performed in the processes
The training results relating to the development of competence and awareness must be expressed through quantitative indicators (for example, training completion rate, assessment pass rate and number of incidents attributable to human error), whose trend the company must monitor to ensure that the established objectives are met.