Competence of personnel

Our organization has defined procedures for maintaining staff's cyber security awareness.These may include e.g. the following things:

• staff receive instructions describing the general guidelines of digital security related to their job role
• staff receive training to maintain the appropriate digital and cyber security skills and knowledge required for the job role
• staff demonstrate through tests that they have the security skills and knowledge required for the job role

Training should focus on the most relevant security aspects for each job role and include often enough the basics, which concern all employees:

• employee's personal security responsibilities (e.g. for devices and processed data)
• policies relevant for everyone (e.g. security incident reporting)
• guidelines relevant for everyone (e.g. clean desk)
• organization's security roles (who to contact with problems)

Top management must ensure clear responsibilities / authority on at least the following themes:

• who is primarily responsible for ensuring that the information security management system complies with the information security requirements
• who act as ISMS theme owners responsible for the main themes of the information security management system
• who has the responsibility and authority to report to top management on the performance of the information security management system
• who is authorized to carry out internal audits

The ISMS theme owners are presented on the desktop of the management system and in the Information security policy report.

In addition, top management shall ensure that all roles relevant to information security, as well as related responsibilities and authorities, are defined and communicated. It is also important to recognize the roles and responsibilities of external partners and providers.

At the very least, job applicants applying for key cyber security roles should be subject to background checks, taking into account relevant laws and regulations.

The check may include:

• review of recommendations
• verification of CV accuracy
• verification of educational qualifications
• verification of identity from an independent source
• other more detailed checks (e.g. credit information, review of previous claims or criminal record)

The background check may also be extended to, for example, teleworkers, contractors or other third parties. The depth of the background check can be related to the category of the accessed data.

A log is kept of the cyber security training events provided by the organization to its staff. The log can be used to show what kind of specific investments the organization has made towards staff's cyber security expertise.

For each training the documentation should include:

• Time
• Topics and duration of the training
• Training method and trainer
• Staff involved in the training

Personnel under the direction of the entire organization must be aware:

• how they can contribute to the effectiveness of the information security management system and the benefits of improving the level of information security
• the consequences of non-compliance with the requirements of the information security management systemwhich roles in the personnel have effects to the level of security

In addition, top management has defined ways in which personnel are kept aware of security guidelines related to their own job role.