ISO/IEC 27001 Control 6.3: Information security awareness, education and training

Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function.

MidPoint is optional for implementation of this control.

Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.

MidPoint capabilities provide convenient support for security trainings, re-trainings, enforcing access policies and spreading of cybersecurity awareness.

MidPoint clearances (part of information classification features) can be used to represent security training necessary to get elevated privileges or access to sensitive information. Policy rules can be used to enforce the policy, not allowing access to any user that have not passed necessary training. Certification campaigns can be used to update the trainings, listing people that need to be re-training and track progress of re-training. Micro-certifications can be used to initiate ad-hoc re-training when a person is reassigned in organizational structure or acquires a role with elevated privileges. Provisioning capabilities can be combined with role-based access control to set up special-purpose e-mail distribution lists to manage security awareness. For example, a special-purpose e-mail distribution list can be set up for all personnel related to cybersecurity. All business roles that relate to cybersecurity may induce membership in the list, thus the list is automatically managed. Such list can be used to spread awareness about updated policies, potential vulnerabilities, training opportunities, suggestions of best practice, infographics and so on. Information distributed using automatically-managed lists is can be targeted, adapted to a specific audience and hence much more effective. Similar lists can be automatically set up for all users dealing with sensitive information (using information classifications), all personnel dealing with personal data and so on. Additionally, reporting can be used to select candidates for re-training, or persons that need to be informed about policy changes.