Laws and regulations governing cybersecurity
5. Information Security Management System
5.6. Security of human resources
Entities are also obliged to pay attention to the security of human resources within the ISMS as one of the assets. As mentioned earlier, people are usually the weakest link in cybersecurity. In particular, these entities are obliged to:
- establish a security awareness development plan to ensure adequate security awareness education and improvement; this plan contains the form, content and scope of
  - instruction of users, administrators, security officers and suppliers about their responsibilities and security policy;
  - necessary theoretical and practical training for users, administrators and security officers;
- designate the persons responsible for the implementation of the individual activities set out in the plan,
- provide guidance to users, administrators, security officers and suppliers on their responsibilities and security policy through initial and regular training,
- provide regular professional training for persons holding security roles,
- ensure regular training sessions and checks of the security awareness of employees in accordance with their job descriptions,
- ensure checks of compliance with the security policy by users, administrators and persons holding security roles,
- in the event of termination of the contractual relationship with administrators and persons holding security roles, ensure the transfer of responsibilities,
- assess the effectiveness of the security awareness development plan, the training provided and other activities related to improving security awareness,
- determine rules and procedures for dealing with breaches of established security rules by users, administrators and persons holding security roles.
It is obligatory to keep records of the above-mentioned training sessions that contain the subject of the training and a list of the persons who have completed it.
Example:
Because standard training, which is often the only training users are required to complete, frequently proves to be ineffective, some organisations also use methods to verify whether users have truly understood the information provided in their training. One such method is sending simulated phishing messages to users after training focused on this area; the organisation then monitors how many users responded incorrectly to the simulated attack. However, such tests must be well thought out, and a lawyer should be consulted to assess whether the chosen test could, for example, infringe on the privacy of employees.