
This post is the continuation of our previous post on this topic, Human Resources Security and ISO 27001, where we discussed some HR misconceptions and the ISO 27001 controls related to pre-employment. In this post we address the importance of the ISO 27001 controls that apply during employment.

Control 8.2 states that the organization should make sure employees, contractors and vendors are well aware of the information security controls related to HR, how these controls apply to them and, more specifically, what they are responsible and liable for when a security threat materializes. Users who have been assigned responsibility for managing the Information Security Management System (ISMS) must also be aware of the threats and vulnerabilities related to their assigned controls.

Control 8.2.1 requires management to ensure that everyone in the organization is following the security policies and procedures in their area of responsibility. This control also ensures that staff are properly trained and briefed on their responsibilities before they are granted access to classified information.

Control 8.2.2 is related to information security awareness and training, which is basically an extension of the previous control. All employees who are responsible for maintaining, managing and improving the ISMS must receive appropriate awareness training. Make sure you keep records of all these training sessions (attendance, dates and content) so the auditors can verify them later.

Here are the general areas which should be included in the awareness training:

  • General ISMS awareness – the importance of maintaining and improving the ISMS
  • Asset classification and the information assets within the scope
  • How to report an incident, and the difference between an event and an incident
  • User access controls and procedures
  • Business continuity and procedures
  • Related legal compliance
  • Internal audit and certification audit schedule