

Government Baseline Information Security

What do you need to do to comply with BIO 7.2.2, or ISO 27001 control A.7.2.2 (Information security awareness, education and training)? The BIO describes the control as follows: all employees of the organization and, where relevant, contractors should receive appropriate awareness education and training, and regular updates on the organization's policies and procedures, as relevant to their job function.

Include the security awareness program in the information security plan

In practice, a security awareness program is expected to be part of the information security plan and to be implemented across the whole organization. Describe the goal as a KPI and state how you will measure it; you will probably need several measurements to arrive at your main goal. If you do this and carry out a range of awareness activities, such as phishing campaigns, workshops, training courses and lectures, you are already close to maturity level three. Level three requires that the security awareness program is documented, implemented in a formal manner, and demonstrably effective.

Above a hundred employees you cannot escape an online e-learning program

For maturity level four an improvement over level three is expected. After all, you have taken your level-three measurement and assessed effectiveness, and it turns out that not everyone has participated in the program. Level four requires that everyone has successfully completed the awareness activities, that the knowledge has been tested, and that completion is monitored and reported to senior management. In an organization with fewer than 100 employees you could achieve this with classroom training per department, but above 100 you cannot avoid an online e-learning program with built-in tests. Keep in-person contact moments alongside the online training, for example by visiting the departments, organizing lectures and workshops, or holding a security week.

Demonstrate effectiveness

Ideally you measure the effect of your security awareness program regularly and adjust the program accordingly: not only the effect on knowledge of security risks and of the organization's policies and procedures, but also the effect on security incidents. Correlating incidents with the program takes some time and thought, but it lets you demonstrate the effectiveness of the program across the organization. Interpret the incident figures with care: an increase in reported incidents after training can mean that employees now recognize and report what they previously missed, which is a success of the program rather than a failure.
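The level-four requirement above (every employee successfully completed, knowledge tested, completion monitored and reported to senior management) and the effectiveness measurement in this section come down to a handful of metrics that you can compute from your learning platform's export and your phishing-simulation results. The script below is an added example, not code from the original page or from any BIO or ISO tooling; the training records, phishing campaigns, incident counts and the pass mark of 80 are constructed for illustration.

```python
"""Awareness-programme metrics (added example, constructed data).

Computes the per-department completion/pass status that maturity level four
asks for, the phishing-simulation trend, and a short summary suitable for
reporting to senior management. Nothing here talks to a real system.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

PASS_MARK = 80  # assumed minimum test score that counts as 'successfully completed'


@dataclass(frozen=True)
class TrainingRecord:
    employee: str
    department: str
    completed: bool          # finished the e-learning module
    score: Optional[int]     # test score; None when the test was not taken


# Constructed sample export from an e-learning platform
TRAINING = [
    TrainingRecord("e001", "Finance", True, 92),
    TrainingRecord("e002", "Finance", True, 74),    # completed, but failed the test
    TrainingRecord("e003", "Finance", False, None), # never started
    TrainingRecord("e004", "HR", True, 88),
    TrainingRecord("e005", "HR", True, 81),
    TrainingRecord("e006", "IT", True, 95),
]

# Constructed phishing-simulation results per period
PHISHING_CAMPAIGNS = [
    {"period": "2023-Q1", "sent": 200, "clicked": 38, "reported": 20},
    {"period": "2023-Q3", "sent": 200, "clicked": 19, "reported": 51},
]

# Constructed count of security incidents per period, for correlation
INCIDENTS = {"2023-Q1": 12, "2023-Q3": 7}


def passed(rec: TrainingRecord) -> bool:
    """'Successfully completed' means finished the module AND passed the test."""
    return rec.completed and rec.score is not None and rec.score >= PASS_MARK


def department_status(records):
    """Per department: how many passed, how many in total, and who is outstanding."""
    status = defaultdict(lambda: {"passed": 0, "total": 0, "outstanding": []})
    for rec in records:
        entry = status[rec.department]
        entry["total"] += 1
        if passed(rec):
            entry["passed"] += 1
        else:
            entry["outstanding"].append(rec.employee)
    return dict(status)


def meets_level_four(records) -> bool:
    """Level four: every employee has successfully completed the tested training."""
    return all(passed(r) for r in records)


def phishing_trend(campaigns):
    """Click rate and report rate per campaign (fractions rounded to 3 decimals)."""
    return [
        {
            "period": c["period"],
            "click_rate": round(c["clicked"] / c["sent"], 3),
            "report_rate": round(c["reported"] / c["sent"], 3),
        }
        for c in campaigns
    ]


def management_summary(records, campaigns, incidents) -> str:
    """Plain-text summary for the report to senior management."""
    status = department_status(records)
    total = sum(v["total"] for v in status.values())
    done = sum(v["passed"] for v in status.values())
    verdict = "met" if meets_level_four(records) else "NOT met"
    lines = [f"Training: {done}/{total} employees successfully completed (level four: {verdict})"]
    for dept, v in sorted(status.items()):
        line = f"  {dept}: {v['passed']}/{v['total']}"
        if v["outstanding"]:
            line += ", outstanding: " + ", ".join(v["outstanding"])
        lines.append(line)
    for t in phishing_trend(campaigns):
        lines.append(
            f"Phishing {t['period']}: click rate {t['click_rate']:.1%}, "
            f"report rate {t['report_rate']:.1%}, incidents {incidents.get(t['period'], 'n/a')}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(management_summary(TRAINING, PHISHING_CAMPAIGNS, INCIDENTS))
```

The outstanding list per department is the piece you actually act on: it is what you hand to the department heads before the next measurement, and the level-four check stays false until it is empty. The phishing click rate and report rate are tracked side by side because a falling click rate with a rising report rate is the pattern you want to see; the incident count is printed alongside so the correlation the section describes can be read off per period.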