Information Security Awareness and Training Policy - SME

The Information Security Awareness and Training Policy (document number: P08S) is specifically crafted for small and medium-sized enterprises (SMEs), with adaptation to their organizational structure and simplified roles, such as the General Manager and Office Manager/HR, rather than dedicated security or IT teams. Despite these simplified roles, the policy fully aligns with international standards, including ISO/IEC 27001:2022, NIS2, EU DORA, and GDPR, ensuring high compliance and effective implementation. The purpose of this policy is to make information security a core, organization-wide responsibility. It mandates that every employee, contractor, and third party with system or data access understands their security responsibilities. The policy's aims are to minimize human error, the leading vector for cybersecurity incidents, enhance incident detection and reporting capacity, and cultivate an ongoing security-aware culture. Staff must engage in initial onboarding training, annual refreshers, and receive ad hoc or event-driven updates, ensuring security practices remain prominent and timely across all ranks and departments. A key strength of this SME policy is the emphasis on role-adapted governance. The General Manager approves training requirements and escalates compliance issues, while the HR or Office Manager coordinates the delivery and documentation of training, tracks completion, and ensures all staff acknowledge core policies and NDAs. Department Managers reinforce these efforts at the team level, and every employee or contractor is explicitly responsible for participation and for adopting the security behaviors taught (such as proper password hygiene and prompt incident reporting). The governance section outlines practical requirements, including what must be covered during onboarding (e.g., password practices, acceptable use, incident reporting, remote work security), how annual refreshers are delivered (through flexible formats like online modules or in-person sessions), and the need for immediate communication and training following a significant security event. All training activity and acknowledgments are logged centrally, providing a robust audit trail for compliance reviews, ISO or GDPR certification, or insurance requirements. Risk mitigation is systematically addressed: the policy identifies common causes of breaches (such as phishing or mismanagement of sensitive data) and prescribes mandatory training, regular reminders, and use of engaging materials. Procedures for exceptions, for example, when employees are on leave, are defined to avoid lapses in awareness. The consequences of non-compliance are clear, ranging from reminders for first failures to access restrictions or disciplinary action for repeat offenders. Audit-readiness and continual improvement are built in through required annual and post-incident reviews, versioning, and policy acknowledgment steps, all reflecting the evolving risk landscape and regulatory changes. This creates a defensible, compliant, and effective framework for instilling security awareness in SMEs, regardless of their size or in-house expertise.