According to the ISO/IEC 27001:2022 standard, the organization should determine the necessary competence of persons doing work under its control that affects the performance and effectiveness of the ISMS. The organization should also ensure that these persons are aware of the information security policy, their contribution to the effectiveness of the ISMS, the implications of not conforming with the ISMS requirements, and the benefits of improved information security performance. The organization should also provide information security awareness, education, and training to all employees and, where relevant, contractors and third-party users, as relevant for their job function. The awareness, education, and training programs should be planned, implemented, and maintained according to the needs of the organization and the results of the risk assessment and risk treatment.
Therefore, Colin should have handled the situation with Lisa by delivering training and awareness sessions for employees with the same level of competence needs based on the activities they perform within the company.
This would ensure that the content and the language of the sessions are appropriate and understandable for the target audience, and that the sessions are effective and efficient in achieving the desired learning outcomes. By doing so, Colin would also avoid wasting time and resources on delivering sessions that are too technical or too basic for some employees, and that do not address their specific information security challenges and responsibilities.
References:
* ISO/IEC 27001:2022, Clause 7.2 Competence and Clause 7.3 Awareness
* ISO/IEC 27002:2022, Clause 7.2.2 Information security awareness, education and training
* PECB ISO/IEC 27001 Lead Implementer Course, Module 4: Leadership, Commitment, and Support of Top Management.