Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Learn more about the connected frameworks

29
GDPR

Processing under the authority of the controller or processor

32
GDPR

Security of processing

4 §

Tiedonhallinnan järjestäminen tiedonhallintayksikössä

5.10
ISO 27001

Acceptable use of information and other associated assets

5.37
ISO 27001

Documented operating procedures

5.4
ISO 27001

Management responsibilities

6.3
ISO 27001

Information security awareness, education and training

7.2.1
ISO 27001

Johdon vastuut

7.2.2
ISO 27001

Tietoturvatietoisuus, -opastus ja -koulutus

7.3
ISO 27001

Awareness

7.5
ISO 27001

Requirements for documented information

8.2 (MIL1)
C2M2

Increase Cybersecurity Awareness

PR.AT-1
NIST CSF

Awareness

T11

Turvallisuuskoulutus ja -tietoisuus

Other tasks from the same security theme

Staff guidance and training procedure in cyber security

Critical
High
Normal
Low

Our organization has defined procedures for maintaining staff's cyber security awareness.These may include e.g. the following things:

  • staff receive instructions describing the general guidelines of digital security related to their job role
  • staff receive training to maintain the appropriate digital and cyber security skills and knowledge required for the job role
  • staff demonstrate through tests that they have the security skills and knowledge required for the job role

Training should focus on the most relevant security aspects for each job role and include often enough the basics, which concern all employees:

  • employee's personal security responsibilities (e.g. for devices and processed data)
  • policies relevant for everyone (e.g. security incident reporting)
  • guidelines relevant for everyone (e.g. clean desk)
  • organization's security roles (who to contact with problems)
29. Processing under the authority of the controller or processor
GDPR
32. Security of processing
GDPR
7.2.1: Management responsibilities
ISO 27001
7.2.2: Information security awareness, education and training
ISO 27001
2 luku, 4 §: Tiedonhallinnan järjestäminen tiedonhallintayksikössä

Maintaining a log of cyber security trainings

Critical
High
Normal
Low

A log is kept of the cyber security training events provided by the organization to its staff. The log can be used to show what kind of specific investments the organization has made towards staff's cyber security expertise.

For each training the documentation should include:

  • Time
  • Topics and duration of the training
  • Training method and trainer
  • Staff involved in the training
7.2.2: Information security awareness, education and training
ISO 27001
T11: Turvallisuuskoulutus ja -tietoisuus
PR.AT-1: Awareness
NIST CSF
6.3: Information security awareness, education and training
ISO 27001
8.4 (MIL1): Develop Cybersecurity Workforce
C2M2

Ensuring coverage of relevant topics on personnel training and guidance processes

Critical
High
Normal
Low

The organisation should have a procedure for training and guidance of its personnel. These procedures should include and cover at least the following topics:

  • Information security policies.
  • Reporting of security incidents.
  • Response to malware incidents.
  • User account and login information policies (e.g., password policies).
  • Compliance with information security regulations.
  • Use of non-disclosure agreements (NDAs) when sharing sensitive information.
  • Use of external IT services.

The training program should identify specific groups of employees who require this training, such as administrators, those with access to customer networks, and manufacturing personnel.

The training concept must be approved by responsible management. Conduct training and awareness programs regularly and in response to specific events. Ensure that employees know who to contact for information security concerns.

No items found.

Arranging specific data protection training for personnel

Critical
High
Normal
Low

The organization must have a training program defined for personnel regarding data protection. The trainings should take into account the protection need of data when determining the scope, frequency and content of the training.

Personnel who work in critical areas (e.g. IT administrators) must be trained and instructed taking into account their work. They should have specific training courses and instructions.

No items found.

Reminding personnel about their cyber security responsibilities

Critical
High
Normal
Low

The organization needs to remind employees of their roles and security responsibilities. The reminder reinforces staff security awareness, safe practices and compliance with guidelines and legal requirements related to their job role.

No items found.

Arranging training and guidance during orientation (or before granting access rights)

Critical
High
Normal
Low

Before granting access rights to data systems with confidential information employees have:

  • received appropriate guidance on their security responsibilities (including reporting responsibilities and responsibility for their own devices)
  • received appropriate guidance on their security roles related to their own role (including digital security rules related to their role and information systems and their acceptable use)
  • received information from cyber security contacts who can be asked for more information
7.3: Termination and change of employment
ISO 27001
7.3.1: Termination or change of employment responsibilities
ISO 27001
9.2.2: User access provisioning
ISO 27001
2 luku, 4 §: Tiedonhallinnan järjestäminen tiedonhallintayksikössä
PR.IP-11: Cybersecurity in human resources
NIST CSF

Evaluating the efficiency of arranged training

Critical
High
Normal
Low

The effectiveness of cyber security training is regularly evaluated. The evaluation may include e.g. the following perspectives:

  • Is the competence of the staff deep enough?
  • Are the training methods and amounts correct?
  • Are different units trained in the right things?
  • Is the staff motivated to learn?
  • Does the staff understand the reasons for the training (e.g. what kind of negative effects can a cyber security breach have?


7.2.2: Information security awareness, education and training
ISO 27001
6.3: Information security awareness, education and training
ISO 27001

Regular unit-based cyber security communication

Critical
High
Normal
Low

By informing the units on the most important cyber security issues for them and in the language they understand, great strides can be made at the level of cyber security as staff have a better understanding of why different policies and rules apply. Informing can include distributing cyber guidelines in small chunks, various campaigns (e.g. “Security Day”), leaflets, newsletters, competitions or other similar elements.

Security informing may also be referred to as an "awareness program".

7.2.2: Information security awareness, education and training
ISO 27001

Training personnel with a changed role

Critical
High
Normal
Low

Training arranged before granting access rights applies not only to new employees but also to those who move to new tasks or roles, especially when the data systems used by the person and the security requirements related to the job role change significantly with the change of job role. The training is arranged before the new job role becomes active.

7.3: Termination and change of employment
ISO 27001
7.3.1: Termination or change of employment responsibilities
ISO 27001
PR.IP-11: Cybersecurity in human resources
NIST CSF
6.5: Responsibilities after termination or change of employment
ISO 27001

Training the use of security systems and reporting of malware attacks

Critical
High
Normal
Low

Our organization has defined procedures and responsibilities for protecting systems from malware and trains staff to use the protections and to report and recover from malware attacks.

12.2: Protection from malware
ISO 27001
7.2.2: Information security awareness, education and training
ISO 27001
12.2.1: Controls against malware
ISO 27001
8.7: Protection against malware
ISO 27001