Awareness Program Design Template
Document Control
| Field | Value |
|---|---|
| Document ID | ISMS-PLAN-AWARENESS |
| Version | 1.0 |
| Date | [DATE] |
| Owner | ISMS Manager |
| Review Frequency | Annual |
1. Program Overview
1.1 Purpose
This Information Security Awareness Program aims to:
- Build a security-conscious culture across the organization
- Ensure all personnel understand their security responsibilities
- Reduce security incidents caused by human error
- Support compliance with ISO 27001 Clause 7.3 (Awareness)
- Enhance overall security posture and risk management
1.2 Scope
Applies to all individuals working under the organization's control:
- All employees (full-time, part-time, temporary)
- Contractors, consultants, and service providers
- Third-party personnel with access to organization resources
- Board members and executive management
1.3 Program Objectives
- 100% of staff complete annual security awareness training
- Achieve 90% or higher pass rate on awareness assessments
- Measurable reduction in security incidents year-over-year
- Increased voluntary security incident reporting
- Improved phishing simulation test results (target: <5% click rate)
- Positive security culture survey results
2. Awareness Requirements (Clause 7.3)
ISO 27001:2022 Clause 7.3 requires persons working under the organization's control to be aware of:
a) The information security policy
- What it says and why it matters
- Where to find it
- How it applies to their role
b) Their contribution to the effectiveness of the ISMS
- How their actions impact security
- Benefits of improved security performance
- Their role in maintaining certification
c) The implications of not conforming with ISMS requirements
- Potential consequences of non-compliance
- Impact on organization, customers, and colleagues
- Disciplinary procedures
3. Target Audiences and Content
3.1 All Personnel (Foundation Level)
Core Topics:
- Information security policy overview and key points
- Acceptable use of IT resources and equipment
- Password management and authentication
- Email security and phishing recognition
- Internet usage and safe browsing
- Physical security basics (badges, visitors, clean desk)
- Mobile device and remote working security
- Incident reporting procedures
- Data classification and handling
- Confidentiality and data protection principles
Delivery: E-learning module, 30-45 minutes, completed annually
Assessment: Online quiz with 80% pass requirement
3.2 People Managers
Additional Topics:
- Security responsibilities as a manager
- HR security procedures (onboarding, offboarding)
- Security aspects of performance management
- Disciplinary procedures for security violations
- Creating a security-positive team culture
Delivery: Workshop or webinar, 1 hour, annually
3.3 IT Personnel
Additional Topics:
- Technical controls implementation and maintenance
- Secure system configuration standards
- System and network monitoring procedures
- Vulnerability and patch management
- Incident response and escalation
- Backup and recovery procedures
Delivery: Technical training sessions, quarterly updates, ongoing
3.4 Software Developers
Additional Topics:
- Secure coding practices and standards
- OWASP Top 10 vulnerabilities
- Application security testing procedures
- Code review and quality assurance
- Security by design principles
- API and integration security
Delivery: Workshops, code reviews, and ongoing mentoring
3.5 Executive Management
Additional Topics:
- Strategic information security risks
- Compliance and regulatory requirements
- Security investment and ROI
- Incident impact and response oversight
- Third-party and supply chain risks
- Board-level reporting on security
Delivery: Executive briefings and board presentations, quarterly
4. Awareness Campaign Themes
Rotate focus areas throughout the year to maintain engagement:
| Month | Campaign Theme | Key Messages | Activities |
|---|---|---|---|
| January | Password Security Month | Strong passwords, MFA, password managers | Email tips, posters, password strength checker |
| February | Data Protection | Classification, handling, privacy | Data handling quiz, poster campaign |
| March | Training Month | Complete annual training | Training reminders, completion tracking |
| April | Phishing Awareness | Recognize and report phishing | Phishing simulations, real examples |
| May | Physical Security | Badge usage, visitor management, clean desk | Physical security audits |
| June | Mobile Security | Device security, public Wi-Fi, lost devices | Mobile security checklist |
| July | Social Engineering | Types of attacks, protection | Social engineering simulations |
| August | Incident Response | What to report, how to report | Incident reporting drill |
| September | Remote Working | VPN, home office security | Remote work security assessment |
| October | Cybersecurity Awareness Month | General security best practices | Organization-wide campaigns |
| November | Supplier Security | Third-party risks, vendor management | Supplier security review |
| December | Year in Review | Successes, lessons learned, preview next year | Annual security report |
5. Delivery Methods
5.1 Onboarding (First Week of Employment)
- Information security handbook provided
- Policy acknowledgment form signed
- Initial awareness presentation (30-60 minutes)
- Quiz assessment to verify understanding
- Introduction to reporting procedures
5.2 Annual Training (All Staff)
- Interactive e-learning module (30-45 minutes)
- Updated content reflecting current threat landscape
- Real-world examples and case studies
- Assessment quiz (80% pass required, unlimited attempts)
- Certificate of completion issued
5.3 Ongoing Communications
- Monthly: Security newsletter or email security tips
- Quarterly: Security topic in all-hands or team meetings
- As needed: Security alerts for emerging threats or incidents
5.4 Simulations and Testing
- Monthly: Phishing simulation tests (varying difficulty)
- Quarterly: Social engineering tests (phone, email, physical)
- Annual: Comprehensive security awareness assessment
5.5 Visual Reminders and Reinforcement
- Posters in common areas (breakrooms, restrooms, elevators)
- Digital signage with rotating security messages
- Screen savers with security tips
- Desk stickers (password tips, clean desk reminders)
- Email signature banners during awareness campaigns
- Intranet security page with resources
6. Measurement and Effectiveness
6.1 Participation Metrics
- Training completion rate (target: 100%)
- Average time to complete training
- Assessment pass rate (target: 90%+)
- First-time pass rate
- Number of staff required to repeat training
6.2 Behavioral Metrics
- Phishing simulation click rates (target: decreasing trend, goal <5%)
- Phishing reports by staff (target: increasing trend)
- Security incident reports initiated by staff
- Clean desk audit compliance rates
- Password policy violation rates
- Physical security compliance observations
6.3 Outcome Metrics
- Total number of security incidents
- Incidents caused by human error (target: decreasing)
- Time to detect and report incidents (target: decreasing)
- Repeat incidents by same individual
- Audit findings related to awareness
6.4 Satisfaction Metrics
- Post-training satisfaction surveys
- Feedback on awareness campaigns
- Annual culture survey security questions
- Staff suggestions for improvements
6.5 Reporting
- Monthly: Training completion dashboard
- Quarterly: Awareness metrics report to management
- Annually: Comprehensive awareness program evaluation
7. Roles and Responsibilities
| Role | Responsibility |
|---|---|
| ISMS Manager | Program oversight, content approval, metrics reporting, budget management |
| HR Department | Onboarding coordination, training tracking, competence records |
| IT Department | Technical content development, phishing simulations, platform management |
| Communications Team | Newsletter creation, campaign design, materials production |
| Line Managers | Ensure team participation, reinforce messages, provide time for training |
| All Staff | Complete training, follow policies, report incidents, provide feedback |
8. Resources Required
8.1 Budget
- E-learning platform/LMS: $_____
- Phishing simulation tool: $_____
- Content development/procurement: $_____
- Awareness materials (posters, stickers, etc.): $_____
- Campaign resources and tools: $_____
- Total Annual Budget: $_____
8.2 Personnel Time
- ISMS Manager: ___% FTE
- Training coordinator: ___% FTE
- Content creator/designer: ___% FTE
- Technical support: ___ hours/month
8.3 Technology and Tools
- Learning Management System (LMS)
- Phishing simulation platform
- Email communication tools
- Survey/feedback tools
- Content creation tools (video, graphics)
9. Program Review and Improvement
Quarterly Review:
- Review completion rates and trends
- Analyze assessment scores and problem areas
- Evaluate phishing test results
- Review incident metrics
- Gather and analyze feedback
- Identify emerging threats requiring awareness
Annual Review:
- Comprehensive program effectiveness evaluation
- Budget review and next year's planning
- Content refresh based on threat landscape
- Survey staff for satisfaction and suggestions
- Update delivery methods based on effectiveness
- Set goals and objectives for coming year
Continuous Improvement:
- Incorporate lessons learned from incidents
- Update content based on audit findings
- Respond to staff feedback and suggestions
- Adopt new awareness techniques and tools
- Benchmark against industry practices
10. Implementation Checklist
- Obtain executive management approval and budget
- Select and implement e-learning platform/LMS
- Develop or procure core training content
- Create awareness campaign materials
- Set up phishing simulation tool
- Create tracking and reporting mechanisms
- Establish feedback channels
- Schedule annual awareness calendar
- Launch onboarding program for new hires
- Roll out annual training to all staff
- Begin ongoing campaigns and communications
- Monitor participation and metrics monthly
- Conduct quarterly and annual reviews