M3.2.1 - AWARENESS AND TRAINING PROGRAM Implementation Program
The entity shall develop an awareness and training program.
Critical entities shall also take into account NESA’s national awareness and capability building issuances, guidance, and activities.
The entity should develop a program that ensures continued adequate awareness and competence for all persons doing work under the control of the entity. This includes not only entity personnel but also any outsiders with access to information. Please note that the entity does not have to carry out the awareness and training program itself; implementation can, for example, be ensured contractually.
The first step in the program is the evaluation of the competencies required for the job function. The Information Security Manager, for example, should have a good understanding of the controls contained in this standard, and should know how to implement them and to maintain them effectively.
The entity should ensure that trainings take place as planned and are not postponed, e.g. due to work overload. If such problems recur, it might be a sign of inadequate resourcing. If trainings continue not to take place within the planned time frame, it is a non-conformity with sub-control 2- mentioned above.
The awareness and training program should ensure that records of all trainings are generated. These records should regularly be reviewed to ensure that all personnel have received the training that they require.
Whatever training is conducted, it is important that its effectiveness is assessed. An easy way to perform such an assessment is to select trainings that include an exam at the end. Whenever this is not possible, interviews or feedback forms should be used that provide enough information to evaluate the effectiveness of the training.