A high-level map of regulations and standards that mandate security awareness training

OutThink Product Update

The best way to mitigate cyber security risk is to raise employees’ awareness and educate them so that they exhibit positive security behaviours.

Challenges – why Information Security Awareness is important

Employees’ behaviour is the primary source of most data breaches. In fact, UK’s National Cyber Security Programme Cyber Security Breaches Survey 2017 states that 68% of large organisations had a security breach in the last 12 months.

The four most common types of breaches can be linked to human factors, such as unwittingly clicking on a malicious link or succumbing to impersonation. This highlights that staff awareness and vigilance represent the first and most important line of defence of business’s cyber security, alongside any technical and software protections.

The human factor is the biggest threat to organization’s information assets, and the best way to mitigate this threat is to raise employees’ awareness and educate them in order to make sure that their behaviour promotes information security.

It doesn’t come as a surprise that the compliance and regulatory requirements are becoming more prescriptive on security training activities that have to be performed by organization.

Below we make a summary of mandates that require employees to be trained in and/or “informed” about information security awareness:


The Article 34 – Tasks of the data protection officer, include to:

(b) to monitor compliance with this Directive, with other Union or Member State data protection provisions and with the policies of the controller in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

EU Data Protection Directive (replaced by GDPR from May 2018)

The European Union has directed all European member countries to develop and define laws regarding the protecting of personal privacy of the citizens of their respective country. While each country’s implementation of this directive is different and unique, many of them require security awareness training to educate people on how to protect individual privacy.

The UK Data Protection Act (replaced by GDPR from May 2018):

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

This is the seventh data protection principle. In practice, it means you must have appropriate information security to prevent the personal data you hold being accidentally or deliberately compromised.

It is vital that your staff understand the importance of protecting personal data; that they are familiar with your organisation’s security policy; and that they put its security procedures into practice. So you must provide appropriate initial and refresher training, and this should cover:

– your organisation’s duties under the Data Protection Act and restrictions on the use of personal data;

– the responsibilities of individual staff members for protecting personal data, including the possibility that they may commit criminal offences if they deliberately try to access, or to disclose, information without authority;

– the proper procedures to use to identify callers;

– the dangers of people trying to obtain personal data by deception (for example, by pretending to be the person whom the information is about or by making “phishing” attacks) or by persuading you to alter information when you should not do so; and

– any restrictions your organisation places on the personal use of its computers by staff (to avoid, for example, virus infection or spam).

The effectiveness of staff training is dependent on the individuals concerned being reliable in the first place. The Data Protection Act requires you to take reasonable steps to ensure the reliability of any staff who have access to personal data.

ISO/IEC 27001 & 27002:

A 8.2.2 – All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.


12.6 – Make all employees aware of the importance of cardholder information security. Educate employees (for example, through posters, letters, memos, meetings and promotions). Require employees to acknowledge in writing that they have read and understood the company’s security policy and procedures.

PAS555 Cyber Security Risk – Governance & Mgmt.

PAS 555 is a UK standard which offers a framework that defines the outcomes of good cyber security practice. It extends beyond the technical aspects of cyber security risk to encompass physical and people (behavioural) security aspects as well.

Clause 4 – Commitment to a Cyber Security Culture: The organization’s top management shall define and demonstrate how it engenders a culture of cyber security within the organization. (Note – A cyber security culture is one where values, attitudes and behaviours are the foundation of day-to-day life in the organization. It is one where being careless about (cyber) security is not acceptable. It is recognized that it will take time to achieve a culture change and cannot be immediate)

Clause 7 – Capability Development Strategy: The organization shall have cyber security awareness programs, training and development so that all individuals in the extended enterprise have the awareness and competence to fulfil their cyber security role and contribute to an effective cyber security culture

Federal Information Security Management Act (FISMA):

3544.(b).(4).(A),(B) – Securing awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities; and their responsibilities in complying with agency policies and procedures designed to reduce these risks.

Gramm-Leach Bliley Act:

6801.(b).(1)-(3) – In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical and physical safeguards –

– To insure the security and confidentiality of customer records and information;

– To protect against any anticipated threats or hazards to the security or integrity of such records;

– To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

Health Insurance Portability & Accountability Act (HIPAA):

164.308.(a).(5).(i) – Implement a security awareness and training program for all members of its workforce (including management).

Red Flags Rule:

16 CFR 681.1(d)-(e). Employees should be trained about the various red flags to look out for, and/or any other relevant aspect of the organization’s Identity Theft Prevention Program.


PO 7.4 – Personnel Training – Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities, internal controls and security awareness at the level required to achieve organizational goals.

DS 7 – Management of the process of Educate and train users that satisfies the business requirement for IT of effectively and efficiently using applications and technology solutions and ensuring user compliance with policies and procedures is: […] 3 Defined when a training and education program is instituted and communicated, and employees and managers identify and document training needs. Training and education processes are standardized and documented. Budgets, resources, facilities and trainers are being established to support the training and education program. Formal classes are given to employees on ethical conduct and system security awareness and practices. Most training and education processes are monitored, but not all deviations are likely to be.

NERC CIP The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Standard:

CIP-004-3(B)(R1) – The Responsible Entity shall establish, document, implement, and maintain a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets receive on-going reinforcement in sound security practices. The program shall include security awareness reinforcement on at least a quarterly basis using mechanisms such as:

– Direct communications (e.g., emails, memos, computer based training, etc.);

– Indirect communications (e.g., posters, intranet, brochures, etc.);

– Management support and reinforcement (e.g., presentations, meetings, etc.).

US State Privacy Laws

Many states in the United States have their own individual privacy laws. You can find a listing of most of those state privacy laws at the Morrison & Foerster’s Privacy Library. Many of these privacy laws require some type of awareness training, or at a minimum that the privacy requirements are communicated to employees in that state.

Australian Government InfoSec Manual

0252 – Information security awareness and training: Revision: 2; Updated: Nov-10; Applicability: U, IC, R/P, C, S/HP, TS; Compliance: must

Agencies must provide ongoing information security awareness and training for personnel on information security policies including topics such as responsibilities, consequences of non-compliance, and potential security risks and counter-measures.

The Cyber Security Breaches Survey 2017 states however that of all businesses, only five per cent (22% among large businesses) include cyber security training as part of an induction process, and 11 per cent (41% among large businesses) offer it as a regular training activity, which is unchanged from the 2016 results, and is clearly not sufficient. The risk of non-compliance is only heightened by GDPR coming into force in May 2018, that can make companies processing PII liable to significant fines if they will not act with due diligence in regard to employees’ cyber security education.

Even if your company operates in a currently unregulated industry, we recommend that a company-wide security awareness program should be part of your overall information security strategy. This is the most efficient way in which you can mitigate against inadvertent actions of employees.