ORP.3 Awareness and Training in Information Security
    ORP.3.G1 Insufficient Knowledge of Rules and Procedures
    ORP.3.G2 Insufficient Awareness of Information Security
    ORP.3.G3 Ineffective Awareness and Training Activities
    ORP.3.G4 Insufficient Employee Training Regarding Security Functions
    ORP.3.G5 Undetected Security Incidents
    ORP.3.G6 Non-Compliance with Security Safeguards
    ORP.3.G7 Carelessness in Handling Information
    ORP.3.G8 Lack of Acceptance of Information Security Policies
    ORP.3.G9 Social Engineering
    ORP.3.A1 Top Management Awareness of Information Security Issues [Supervisor, Top Management] (B)
    ORP.3.A3 Training Employees in the Secure Handling of IT [Supervisor, Human Resources Department, IT Operation Department] (B)
    ORP.3.A4 Designing and Planning an Information Security Awareness and Training Program (S)
    ORP.3.A6 Implementation of Information Security Awareness and Training Measures (S)
    ORP.3.A7 Training in the IT-Grundschutz Methodology (S)
    ORP.3.A8 Measurement and Evaluation of Training Success [Human Resources Department] (S)
    ORP.3.A9 Special Training for Exposed Persons and Organisations (H)

1. Overview

ORP.3 Awareness and Training in Information Security

1. Description
1.1. Introduction
Employees are a crucial factor in ensuring a high level of information security in an organisation. It is therefore important that each and every one of them know their organisation's security objectives, understand the corresponding security safeguards, and be willing to implement them. This requires security awareness within the organisation in question. Furthermore, a culture of security should be established that forms an active part of employees' everyday work.
Employees should be made aware of relevant risks and know how they may affect their organisation. They must know what is expected of them in terms of information security and how they should respond in situations critical to security.
1.2. Objective
This module describes how to establish and maintain an effective program for raising awareness and conducting training on information security. The aim of the program is to raise employees' awareness of security risks and provide them with the knowledge and skills required to act in a security-conscious manner.
1.3. Scoping and Modelling
Module ORP.3 Awareness and Training in Information Security must be applied once to the entire information domain under consideration.
This module formulates requirements for information security awareness and training which relate to the working environment not only within an organisation, but in teleworking and mobile working settings, as well.
Module ORP.3 Awareness and Training in Information Security describes process-related, technical, methodological, and organisational requirements for information security awareness and training. An organisation's human resources department or training management department typically plans, manages, and implements other training topics, as well.
Specific training content for these topics is covered in many of the other IT-Grundschutz modules. This module deals with how a planned approach can be efficiently structured with regard to information security awareness and training.
4. Additional Information
4.1. Useful Resources
The International Organization for Standardization (ISO) provides requirements for training employees and raising their awareness in the ISO/IEC 27001:2013 standard, section 7.2.
The Information Security Forum (ISF) defines various requirements for training employees and raising their awareness in "The Standard of Good Practice for Information Security", section PM2.
The BSI offers an online course on IT-Grundschutz at https://www.bsi.bund.de/grundschutzkurs, which introduces the methodology of IT-Grundschutz.
The BSI offers a two-stage training concept on the subject of IT-Grundschutz. In this training concept, participants can acquire an IT-Grundschutz practitioner certificate and be further certified as an IT-Grundschutz consultant by the BSI.
A list of training providers that offer BSI training to become an IT-Grundschutz practitioner and an IT-Grundschutz consultant can be found at https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzSchulung/ITGrundschutzBerater/itgrundschutzberater_node.html.
Summary Standard
ORP.3.A1 Top Management Awareness of Information Security Issues [Supervisor, Top Management] (B) An organisation's Top Management MUST be sufficiently aware of security issues. Security campaigns and training activities MUST be supported by the Top Management. The support of the Top Management MUST be obtained before the start of an information security awareness and training program.
All Supervisors MUST support information security by setting a good example. Managers MUST implement their organisation's security requirements. In addition, they MUST make their staff aware of their compliance obligations.
ORP.3.A3 Training Employees in the Secure Handling of IT [Supervisor, Human Resources Department, IT Operation Department] (B) All employees and external users MUST be trained in and made aware of the secure handling of IT, ICS, and IoT components insofar as this is relevant to their work. To this end, binding, clear, and up-to-date policies for the use of the respective components MUST be available. If IT, ICS, or IoT systems or services are used in a manner that runs counter to the interests of the respective organisation, this MUST be communicated.
ORP.3.A4 Designing and Planning an Information Security Awareness and Training Program (S) Awareness and training programs for information security SHOULD be designed for the appropriate target groups. A requirements analysis should be carried out for this purpose. Training measures SHOULD be able to focus on the specific requirements and different backgrounds.
A target-group-oriented awareness and training program SHOULD be created on the topic of information security. This training program SHOULD provide employees with all the information and skills necessary to implement the security rules and safeguards applicable within the organisation in question. It SHOULD be checked and updated regularly.
ORP.3.A6 Implementation of Information Security Awareness and Training Measures (S) All employees SHOULD receive information security training in line with their tasks and responsibilities.
ORP.3.A7 Training in the IT-Grundschutz Methodology (S) Chief Information Security Officers SHOULD be familiar with the IT-Grundschutz methodology. Once a need for training has been identified, a suitable IT-Grundschutz training course SHOULD be planned. The BSI's online course on IT-Grundschutz SHOULD be taken into account when planning a training course. Within the training, the approach SHOULD be drilled using practical examples. It SHOULD be examined whether Chief Information Security Officers should be qualified as BSI IT-Grundschutz practitioners.
ORP.3.A8 Measurement and Evaluation of Training Success [Human Resources Department] (S) The success of information security training SHOULD be measured and evaluated according to the target groups at hand in order to determine the extent to which the objectives set out in awareness and training programs on information security are achieved. The measurements SHOULD consider both quantitative and qualitative aspects of awareness and training programs for information security. The results SHOULD be used appropriately to improve the respective awareness and training program.
The Chief Information Security Officer SHOULD exchange information regularly with the Human Resources Department and the other contacts relevant to security (data protection, health and safety, fire prevention, etc.) on the effectiveness of training and further development activities.
ORP.3.A9 Special Training for Exposed Persons and Organisations (H) Particularly exposed persons SHOULD receive in-depth training with regard to possible hazards and appropriate behaviour and precautions.
