The first stage of developing an awareness-training workshop requires an understanding of the challenges faced by the organization. An awareness of the risk issues facing an organization is essential to developing action plans that address the challenges it faces.
Goals are set for all stages of the program. There should be goals for security awareness, security training, education, and perhaps even certification within the organization. ISO 17799 (and hence ISO 2700x) has a mandatory requirement for periodic training in information security awareness. The scope and goals of this program, and thus its objectives, need to take this mandate into account.
The goal of this program is to “raise the bar” of awareness and knowledge of information security concerns across the entire organization.
The primary objective of this program is to create and then maintain an appropriate level of protection for all the information resources within the organization by disseminating information to all corners of the organization. It is crucial that awareness of information security processes, controls and responsibilities be improved and constantly maintained. Individual objectives need to be set at the business unit and departmental level as well.
Training requirements for the implementation of any security program within an organization include the development of an information security awareness program as well as training and education programs. The scope of this process encompasses all staff within the organization who have access to IT information assets. This ranges from employees up to executive management and all levels in between.
Figure 1 - Plan Do Check Act (PDCA) process
This process does not end with awareness training alone, but includes the necessary education and training requirements of staff within the organization. The continuing development of individuals within the organization, their education within their roles (especially within IT itself) and the topic of certification are all within the scope of this program.
The continued success of the organization's overall information security process depends on all members of the organization and requires that all of them understand the security requirements.