ISO 27001 Information Security - Clause 7.3 Awareness

7.3 Awareness

The requirements of ISO 27001 clause 7.3 may be briefly summarised as: You should ensure that your workers (not just direct employees, but everyone doing work under your control), are aware of:

• Your information security policy
• How they can help to make the ISMS being effective
• Any implications of them not conforming with ISMS requirements

The above may be supplemented by promoting a general awareness of information security: What does it mean and how does it apply in your organization.

As we already seen in other articles in this series, ISO 27001 expresses a requirement, but is not prescriptive about how you must achieve it. Their approach allows for a great deal of flexibility but does lead to the question "OK, I get what's needed, but how should we implement it?". The following offers some practical options.

How to build awareness

Awareness of your information security policy

You can create an awareness of your information security policy by various means, including:

• For workers and visitors, putting one or more printed copies on display in prominent locations in your business premises e.g in reception, on notice boards etc.
• For new workers, it could be included in induction packs.
• For existing workers, a discussion on the policy could be included in a team meeting, a 'town hall', or a specific infosec awareness session.
• For anyone, by publishing it on your web site. That's an easy win for just about any organisation. You have the policy, you have the web site. So, why not? If you follow our advise of keeping the policy to the basics, it doesn't give away any secrets, it facilitates awareness and may also provide some assurance to clients (and potential clients) of your commitment to information security.

The requirements for an information security policy are discussed in an earlier article in this series - see clause 5.2 Policy.

Awareness of how they can contribute to the ISMS being effective

• All workers can be made aware of how they can contribute to the ISMS being effective by making relevant corporate infosec objectives known to them. That can be achieved by the same methods listed above, and by communications from top management and the IT / Compliance team. We will discuss communication futher in the next article in this series.
• Employees can be made aware of information security objectives that are specifically for them by reference in their own personal KPI's.
• Contractors may be made aware of relevant objectives by use of appropriate wording in requests for tenders or contract documents.

Awareness of any implications of them not conforming with ISMS requirements

• For workers, the Implications of not conforming with ISMS requirements can be expressed in policies, code of conduct, employment contract etc.
• For contractors, they may be made aware of such implications in contract documents.

The above are not the only methods of building awareness. The best options for your organisation will depend on a range of factors, but hopefully, our examples will give you some food for thought.