
INFORMATION SECURITY MANAGEMENT SYSTEM MANUAL

PROCEDURE FOR INFORMATION SECURITY TRAINING, AWARENESS AND COMPETENCE

1. PURPOSE:

To establish a system to ensure that all personnel who are assigned responsibilities defined in the ISMS are
competent to perform the required tasks.

2. SCOPE:

Information security related training, awareness and competence.

3. DEFINITIONS:

NIL

4. REFERENCES:

ISO/IEC 27001:2013 Standard: Clause 7.2 Competence and Clause 7.3 Awareness

5. AUTHORITY AND RESPONSIBILITY:

Managing Director

He / she is authorized to approve the job descriptions (including the information security related requirements) of
the various designations in the organization, including his / her own.

Management Representative (ISMS)

He / she is responsible for effective implementation of this procedure and to ensure that the ISMS training needs
of personnel are identified at regular intervals and training is imparted to satisfy the identified training needs.

He / she is authorized to select training faculty and training venue, and provide resources for training.

Heads of Departments (HODs)

They are responsible for evaluating the performance of their subordinates, determining their training needs
on a regular basis, and communicating those needs to the Management Representative.

6. METHOD:

Our organization ensures that all personnel who are assigned responsibilities defined in the ISMS are competent
to perform the required tasks.
This is achieved by …
- Determining the necessary competence of person(s) doing work under the organization’s control that affects
its information security performance
- Ensuring that these persons are competent on the basis of appropriate education, training, or experience

Prepared by: MR (ISMS), signed, date 01.03.2016
Approved by: MD, signed, date 01.03.2016
Issued by: MR (ISMS), signed, date 01.03.2016
Document Identification: Doc ID ISMM-PR-02, Version 001, Issue Date 01.03.2016, Page 1 of 4

- Where applicable, taking actions to acquire the necessary competence (actions such as the provision of
training to, the mentoring of, or the reassignment of current employees; or the hiring or contracting of
competent persons), and evaluating the effectiveness of the actions taken, and
- Retaining appropriate documented information as evidence of competence.

We also ensure that the persons doing work under the organization’s control are aware of …
a) the organization’s information security policy
b) their (persons’) contribution to the effectiveness of the information security management system, including
the benefits of improved information security performance, and
c) the implications of not conforming with the information security management system requirements.

The Management Representative (ISMS) maintains a ‘Master List of Personnel (ISMF-PR02-002)’ and ensures
that only competent personnel are employed to carry out specific ISMS tasks.

Suitability of a person is decided on the basis of a combination of level of education, training, awareness, and
job experience required for performing the specific ISMS tasks, as defined in the job descriptions.

Job Descriptions

The Management Representative (ISMS) maintains designation-wise ISMS Job Description (ISMF-PR02-001)
for ISMS tasks.

The ISMS job description for a particular designation clearly identifies the information security related
responsibilities and authorities of the person(s) holding that designation.

Training

ISMS awareness training commences with a formal induction process designed to introduce the organization’s
security policies and expectations before access to information or services is granted.

Topics covered in the on-going training include security requirements, legal responsibilities and business
controls, training in the correct use of information processing facilities (e.g. log-on procedures and the use of
software packages), and information on the disciplinary process.

The security awareness, education, and training activities are made suitable and relevant to the person’s role,
responsibilities and skills, and this includes information on known threats, who to contact for further security
advice and the proper channels for reporting information security incidents.

Training to enhance awareness is intended to allow individuals to recognize information security problems and
incidents, and respond according to the needs of their work role.

Identification of training needs

Our organization has the following system for identifying training needs and imparting the required training to
its personnel:


HODs carry out a competence assessment of their subordinates once a year, in which they also identify the
training needs for performing ISMS activities.

The HODs prepare the ISMS Competence Evaluation Record (ISMF-PR02-003) and send it to the Management
Representative along with the training request memo (where applicable).

The identified training requirements are communicated formally to the Management Representative through
ISMS Training Request Memo (ISMF-PR02-004).

In case of senior management personnel, the individuals themselves can assess their own training needs and
communicate the same to the Management Representative through the training request memo.

Note: In the case of contract workers, the controlling officer identifies the training need and communicates it to the
MR (ISMS).

Planning and imparting training

Based on the identified training needs, the Management Representative prepares a yearly ISMS Training
Calendar, indicating the tentative schedule of the various training programs to be conducted in the year.

The Management Representative then organizes various training programs as per schedule.

Heads of departments release the training participants from work to enable them to attend training programs. In
case of on-the-job training, necessary work relaxation is given for effectiveness of the training imparted.

In-house ISMS training attendance record (ISMF-PR02-005) is maintained for all classroom-type in-house
training programs.

Assessing the effectiveness of training

The Management Representative takes feedback from the participants about the usefulness of the training programs
they attended. For classroom-type in-house training programs, this feedback is recorded in the
Training Attendance Record itself. For on-the-job training, the participant’s feedback is taken verbally through a brief
interview and recorded in the ‘ISMS Personnel History Card (ISMF-PR02-006)’. Feedback is also taken from
the participant’s superior (immediate boss) and recorded in the ISMS Personnel History Card.

HR record keeping

Our organization maintains records of competence, educational and professional qualifications, training, skills
and experience of all personnel.

All ISMS related HR records are available with the Management Representative.


7. RECORDS:

The following records are maintained.

Sl. No | Records | Retention Period | Custodian
1 | Job Description Matrix (ISMF-PR02-001) | Perpetual | MR (ISMS)
2 | List of Personnel (ISMF-PR02-002) | Perpetual | MR (ISMS)
3 | ISMS Competence Evaluation Record (ISMF-PR02-003) | Min 3 years | MR (ISMS)
4 | ISMS Training Request Memo (ISMF-PR02-004) | Min 3 years | MR (ISMS)
5 | In-house ISMS training attendance record (ISMF-PR02-005) | Min 3 years | MR (ISMS)
6 | ISMS Personnel History Card (ISMF-PR02-006) | Min 10 years | MR (ISMS)
7 | Records of education, training, skills, experience and qualifications of all personnel | Perpetual | MR (ISMS)

8. DOCUMENT AMENDMENT HISTORY:

Version No. | Summary of changes from previous version of the document | Changes sought by | Remarks of MR
V-001 | First version released for implementation. | N/A | Nil
