
Security Awareness Training: Best Practices for Information Security Awareness & Training

ISO/IEC 17799:2005(E) (“Information technology – Security techniques – Code of practice for information security management”) is a widely used guide to information security management. It reflects accepted best practice and is used by businesses and government organizations around the world.

Security awareness training is a key component of the overall management system described in ISO 17799. It is listed as one of the 7 “common practices for information security”, and it is also one of the 10 factors the standard highlights as “critical” to the successful implementation of information security processes within an organization.

The core recommendations on information security awareness and training are set out in §8.2.2 of the standard, which states:

Control

All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.

Implementation Guidance

Awareness training should commence with a formal induction process designed to introduce the organization’s security policies and expectations before access to information or services is granted.

Ongoing training should include security requirements, legal responsibilities and business controls, as well as training in the correct use of information processing facilities, e.g. log-on procedure, use of software packages and information on the disciplinary process (see 8.2.3).

Other Information

The security awareness, education, and training activities should be suitable and relevant to the person’s role, responsibilities and skills, and should include information on known threats, who to contact for further security advice and the proper channels for reporting information security incidents (see also 13.1).

In addition to §8.2.2, security awareness is referenced in the standard in §0.6, §0.7, §5.1.1, §6.1.1, §6.1.2, and §6.2.3. The special cases of training related to mobile computing and to business continuity are covered in §11.7.1 and §14.1.4 respectively.
