Information Security Awareness and Training Policy

The Information Security Awareness and Training Policy (P08) establishes a formal, organization-wide framework to ensure all personnel, contractors, and third-party agents understand their information security responsibilities. It mandates comprehensive training that supports compliance with ISO/IEC 27001:2022 and other leading global frameworks. The document details a risk-informed approach, requiring that security awareness be continuously addressed through onboarding, periodic refreshers, and event-driven training tactics tailored to evolving threats and regulatory demands. This policy provides a clear scope, stipulating that all users with access to information systems or organizational facilities, whether internal employees, temporary workers, contractors, or vendors, must participate. The requirements specify initial security onboarding, role-specific modules for positions like developers or privileged users, and ongoing awareness campaigns. Delivery mechanisms encompass e-learning, instructor-led sessions, simulations, and multimedia assets, with mandatory annual refreshes or additional training triggered by incidents or major legal/technology changes. Detailed governance requirements ensure all users are guided by accessible, inclusive educational content covering essential themes such as phishing resistance, password hygiene, and regulatory obligations. The HR and CISO functions are central to maintaining training records, ensuring new hires and role changers meet deadlines, and tracking completion through learning management systems. Non-compliance leads to progressive disciplinary measures, from automated reminders up to access revocation and HR escalation. Periodic phishing simulations and awareness campaigns are mandated; their results guide the refinement of content and the escalation of targeted retraining where risks are repeatedly noted. Exception handling is defined through a documented, risk-based approval process, and the policy places strong emphasis on regular policy reviews, content updates, and audit readiness, ensuring continued alignment with ISO/IEC 27001, 27002, NIST SP 800-53, GDPR, NIS2, DORA, and COBIT 2019. Thus, the policy underpins a measurable, evolving defense against human-related vulnerabilities vital for maintaining organizational resilience.