The organisation has a coherent awareness program that identifies the information security knowledge the various stakeholders must have, defines how the current level of knowledge is measured, and includes the planning and organisation of interventions to maintain and raise that knowledge to the desired levels.
Specification
Awareness programs cover: appropriate handling of information, how to detect and respond to potential incidents, secure working practices, information security policies.
Simulated attacks, such as phishing emails, can be used to measure awareness and as a form of intervention to improve knowledge at the same time. Training is given at least once during onboarding of new hires and periodically depending on the role and risks involved. Secure working training is, as much as feasible, tailored to the target audience.
ISO 27001 & 27002:2022
A5.27,
A5.4,
A6.3,
A6.4,
A6.6,
A7.7,
A8.1,
7.2
SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)
HR.02 Certification, training and education
HR.06 Security awareness