It is also the case that when progressing with a security improvement programme, industry recognised Security Standards are often used as a yardstick with which to measure improvement. Many of these Standards such as the PCI DSS, ISO 27001, CESG’s Ten Steps to Cyber Security and The CIS Critical Security Controls for Cyber Defence include security awareness training as a valuable control.

Whether an organisation has a compliance requirement or not these standards act as a good baseline to help businesses determine which controls to consider.

Of course, there are some differences between the standards. Some of this is down to the different approaches taken in each standard, i.e. whether they are prescriptive or whether they provide a framework within which to apply good practice.

Each sets out a requirement for a security awareness programme and then has further references throughout to ensure that common threats are addressed.

For example, PCI DSS requirement 12.6 states “Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures”, while the testing procedures for requirement 9.9 include “Training personnel to be aware of suspicious behaviour and to report tampering or substitution of devices”.

ISO 27002, which details the controls that may be applicable in support of the Information Security Management System (ISMS) requirements in ISO 27001, states in 7.2.2: “All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.” This is supported by further specific requirements, such as awareness training for the risks associated with mobile devices in control 6.2.1.

Our view is that, when planning a security improvement programme, security managers should choose to implement security awareness sooner than is often the case: if staff are exhibiting better behaviours sooner, then risk from threats like phishing, social engineering and accidental data loss can be reduced more quickly while appropriate technical controls are being rolled out.

Regardless of your view on Standards, security awareness training for your staff and other cultural engagement activities aren’t just a nice-to-have; they are a key area for mitigating risk, as recognised by their inclusion in industry standards.

If you enjoyed this post, please come back regularly for further updates, including upcoming information on security awareness events across Scotland and further afield. @adv_engage