A.6.3 Information security awareness, education and training

Version: 3.0

Valid until: 2025-04-12

Classification: Low

Version Management

Version | Author(s) | Change(s) | Date approved
1.0 | Stefan van Aalst, Theo Koster, Edward Robinson | Initiation document. | 2022-05-23
1.1 | Edward Robinson | Additions/changes as part of the periodic review and improvement. Renamed to A.7.2.2 Information security awareness, education and training from B06 Awareness. | 2022-10-19
2.0 | Edward Robinson | Additions/changes as part of the annual review. Added that A.6.2 and A.7.2.3 are mandatory reading upon onboarding. | 2023-05-15
3.0 | Edward Robinson | Additions/changes as part of the annual review. Updated the broken links for Information Security Training and the respective scores. Added links to the AI/LLM Use Policy and HR Manual as mandatory reading material. |

Purpose & background


In the interest of all stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information management system in accordance with the requirements of ISO 27001:2017.


The purpose of this document is to describe the information security awareness, education and training policy of anDREa and the associated controls, checks and administrations.


This document will be reviewed at least annually and when significant change happens.

Objectives


The objective of this control is:


  • To ensure that employees and contractors are aware of and demonstrably fulfil their information security responsibilities (A.7.2).

Scope


The scope of this document corresponds to Clause 4 Context of the organisation.

Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Norm elements

A.7.2.2 Information security awareness, education and training


“All employees of the organisation and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organisational policies and procedures, as relevant for their job function.”

All anDREa employees and contractors working for anDREa must complete the Information Security & Data Protection training as part of the onboarding process to establish base knowledge of information security and to increase awareness. Employees can complete the above-mentioned training in ‘training form’ with feedback or in ‘quiz form’ with feedback. The quiz form results in a score, which is valid for one year; after that period the training is updated and has to be completed again. Reminders are sent out automatically. The Security Officer registers the scores.


In addition, awareness articles are published on the support website and are mandatory reading material for anDREa employees (the articles are also available to all myDRE users). Moreover, if the need arises (for example, when there is a trend in awareness-related security incident tickets), company-wide information security sessions can and will be scheduled. Finally, new employees are encouraged to read all the policies; in particular, A.6.2 Mobile Devices & Teleworking, A.7.2.3 Disciplinary procedure, the AI/LLM Use Policy and the HR Manual are mandatory reading. Employees have to confirm that they have read and agree with these policies.

Administrations

