ISO/IEC 27001:2022 Employee Awareness Training

Generated from prompt:

Generate a ready-to-paste PowerPoint script for ISO/IEC 27001:2022 Employee Awareness Training. Include ~35 slides suitable for 60-minute delivery with slide titles, bullet points, and detailed trainer notes for each slide (with timing guidance). Include all topics: introduction, ISO 27001 overview, ISMS explanation, CIA triad, employee responsibilities, information classification, phishing/social engineering examples, password/MFA best practices, incident reporting, high-level Annex A controls, security do's and don'ts, quiz, key takeaways. Format it so that the user can copy each slide into PowerPoint quickly.

This deck delivers essential ISO/IEC 27001:2022 awareness training for employees, covering information security importance, ISMS basics, CIA triad, practical habits like strong passwords, phishing recognition, incident reporting, Annex A controls, do

March 16, 2026 · 16 slides

Slide 1 - ISO/IEC 27001:2022 Awareness Training

ISO/IEC 27001:2022 Employee Awareness Training

Securing our information assets together (ISO/IEC 27001:2022)


Slide 2 - Agenda

  • Introduction to Information Security: Why security awareness matters
  • Understanding ISO/IEC 27001: The basics of ISO 27001 and ISMS
  • Key Security Concepts: CIA triad, classification, and roles
  • Practical Security Habits: Phishing, passwords, and incident reporting
  • Annex A Controls Overview: High-level overview of protective controls
  • Quiz and Takeaways: Review and closing thoughts

Slide 3 - Introduction

1. Introduction to Information Security

Why security awareness is critical for everyone


Slide 4 - Why Security Awareness Matters

  • Information is a critical business asset.
  • Human error is the leading cause of security breaches.
  • Security is everyone's responsibility, not just IT.
  • Awareness empowers you to recognize and report threats.
  • Compliance with ISO/IEC 27001 keeps our organization trusted.

Slide 5 - ISO 27001 Overview

2. Understanding ISO 27001

Our framework for information security management


Slide 6 - What is ISO 27001?

  • ISO/IEC 27001 is an international standard for Information Security Management Systems (ISMS).
  • It provides a systematic approach to managing sensitive company information.
  • The goal is to keep information assets secure by applying a risk management process.
  • It includes people, processes, and technology.
  • Being certified demonstrates our commitment to security to clients and partners.

Slide 7 - The CIA Triad Explained

  • Confidentiality: Protecting info from unauthorized disclosure.
  • Integrity: Ensuring information is accurate and hasn't been tampered with.
  • Availability: Ensuring information is accessible when needed by authorized users.

Slide 8 - Practical Habits

3. Security Best Practices

Practical habits for your daily routine


Slide 9 - Password and MFA Best Practices

  • Use strong, unique passwords for every account.
  • Enable Multi-Factor Authentication (MFA) everywhere it's available.
  • Never share your credentials with anyone, not even colleagues.
  • Lock your workstation when you step away.
  • Use an approved password manager if possible.

Slide 10 - Spotting Phishing & Social Engineering

  • Definition: Phishing is the practice of tricking users into revealing sensitive info via email or chat.
  • Red Flags: Unexpected attachments, urgent or threatening language, strange sender addresses.
  • Always hover over links to check the real destination before clicking.
  • Verify unusual requests via a second channel (e.g., call the requester).
  • When in doubt, report it to the IT Security Team.

Slide 11 - Reporting Security Incidents

  • What is an incident? Lost laptop, accidental data leak, suspicious email, lost keycard.
  • How to report: Use our official IT Security support channel.
  • Timeliness is key: Don't wait; report immediately.
  • No shame: We encourage reporting even if it was a mistake—it helps us learn and fix the process.

Slide 12 - Controls

4. Compliance & Controls

Understanding our protective measures


Slide 13 - Overview of Annex A Controls

  • Information Classification (Public, Internal, Confidential, Restricted).
  • Access Control: Granting access only to what is needed (Least Privilege).
  • Physical Security: Keeping offices and server rooms locked.
  • Encryption: Protecting data in transit and at rest.
  • Regular Updates: Ensuring software is patched against vulnerabilities.

Slide 14 - Security Do's and Don'ts

  • DO: Use your own user account for all work.
  • DO: Report suspicious emails immediately.
  • DO: Use your privacy screen in public areas.
  • DON'T: Use public Wi-Fi without a VPN.
  • DON'T: Plug untrusted USB drives into your machine.
  • DON'T: Write passwords on post-it notes.

Slide 15 - Quick Knowledge Quiz

  • Question 1: What is the primary purpose of the CIA triad?
  • Question 2: Who is responsible for information security? (Answer: Everyone)
  • Question 3: If you receive a suspicious email, what is your first step? (Answer: Do not click, report to IT)
  • Question 4: Why should you use MFA? (Answer: Adds a second layer of defense)

Slide 16 - Key Takeaways & Closing

Thank You - Stay Secure!

You are our most important security control. Stay vigilant.
