Information security training is an integral part of the overall ISMS implementation: it plays a key role in the continuous improvement of an organization's information security.
Making employees aware of the organization's information security policies and related guidelines is critical to building an “always aware, always secure” approach to information security. This approach fosters a more security-aware organizational culture, which in turn surfaces more security incidents to the people responsible for security. Practicing operational information security is not the domain of a select few but a core responsibility of every employee, vendor and partner.
It takes constant effort to ensure that employees, vendors and partners are made aware of, trained in and refreshed on new information security requirements and guidelines for the business, of the business and by the business. Information security training must not remain a mere compliance requirement or a yearly routine. Training and refreshers need to become part of operational behaviour and can be linked directly to employee key performance indicators (KPIs). Linking them to KPIs ensures that information security receives focus and weight; otherwise, awareness training loses its shine.
Employees, vendors and partners have to successfully complete mandatory training. Generally these sessions are scheduled on a training calendar and combined with information security awareness training. It has long been the tradition to meet the compliance requirement and tick all the boxes in order to remain compliant. What is forgotten is that information security training and refreshers need to be run more frequently, with new content that keeps pace with regulatory requirements as well as the organization's ever-changing information security threat landscape.
Although there is no “one size fits all” rule for how frequently information security training programmes need to be organised, a good measure of their effectiveness is the success of the infosec incident program: how many employees report information security incidents, or bring an unpatched or unstable system to the IT team's notice. Above all, the infosec team must keep its ear to the ground and spend time being “aware” of its internal and external threat environments, so that it can fine-tune the training programme for best results.