How Can You Check The Effectiveness Of Information Security Training Measures?
Your employee comes back from further training and you, as the managing director, naturally want to know whether it was worth anything. Your employee, almost reflexively, says yes.
But how can you really measure the long-term effectiveness of training?
Monitoring and measuring the success of your employees’ training is not only required by ISO 27001 or ISO 9001, it also follows from your commercial thinking: you invest in the skills of your employees so that they do their job well and contribute to information security and quality in your company. As a manager, you determine and evaluate the requirements for the various roles and functions in your company yourself, according to your goals and protection requirements. From these follow the competencies your employees must have and the need for further development.
Further Training According To The ISO 27001 Or ISO 9001 Standards
ISO 27001 section 7.2 (Competence) defines requirements relating to the skills your employees need in order to perform their information security tasks. Because of the shared high-level structure of the standards, you will find comparable requirements in ISO 9001.
If an employee does not meet the competence requirements of their role, further development is necessary. A distinction is made between the required skills a person must already bring with them and those acquired through knowledge transfer and further training. As an entrepreneur, you should ensure that these skills are sufficiently available: without the necessary skills, the desired level of information security cannot be achieved. A process is therefore needed to identify skills gaps and build skills.
Assistance From ISO 27001
Assistance is provided by the so-called controls, i.e. the requirements from ISO 27001 that are to be checked. Control 7.2.2, Information security awareness, education and training, is particularly relevant. It recommends sensitizing employees to the need for certain skills and raising awareness of information security within their own organization.
This means that not only managers should know whether their employees have the necessary skills; the employees themselves and even their colleagues should know too. In this way, three parties can identify deficits and push for further training and an increase in skills, or benefit from the skills of their colleagues.
How Can One Determine The Level Of Knowledge And Experience Or Competence?
- Open communication: ideally, employees report it themselves when they cannot do something.
- Managers observe employees applying their competencies.
- Colleagues observe employees at work and give tips.
- Internal auditors observe how something is being done and provide tips for improvement.
But How Can The Application Of Knowledge And Experience Or Competence Be Measured And Evaluated?
The measurement criterion can be a simple “I can / I can’t”. An evaluation according to the school grading system or in the form of percentages, 30%, 60%, 90% and 120%, is also suitable. The latter would mean, for example: 30% is not enough, 60% is not enough but can be built up through training, 90% would be sufficient and 120% would be more than necessary, which can definitely be relevant for a company.
Section 9 of ISO 27001 describes the evaluation of the current status with regard to information security. In order to determine the existing competences, you must first decide which criteria will be used to assess them.
Regular measurement of competences enables a target/actual comparison between the existing and the required characteristics of each competence. Measurements should be taken regularly, for example at least once a quarter, using the methods described above or similar ones. The combination of various measurements, such as appraisal interviews, observation by colleagues, internal audits and feedback from the employee, provides a good basis for planning competence development measures throughout the year.
If a value or key figure (KPI) is found to be below the target level, it is up to you to act. In this way, you can identify insufficient skills at an early stage and initiate appropriate qualification or further development measures.
Training Or Development Activities
Suitable measures can be:
- Internal training by external trainers
- Mentoring by colleagues from your own team
- Internal group workshop to develop a solution in the team
- Internal training by the manager
- External further training, webinars, self-study, online training, distance learning, etc.
- Experience from in-house projects
- Workshops with a neighboring department that is responsible for a different product
The effectiveness of the skills acquired in this way should be checked within the company, for example by querying knowledge with a checklist or questionnaire. This can also be done several months after participation in one of the events mentioned above. It is easy to do using e-learning platforms or intranet query forms.
The current status of the existing competencies, their target status and the measures taken to improve them should be documented at each step in order to monitor progress. Each entry carries a timestamp so that the chronological development of the competencies can be traced. Data is therefore available to analyze the effectiveness of specific measures.
It should be noted that a change in the key figures (KPIs) after the introduction of a measure is not necessarily caused by that measure. Whether the change in a competency-specific KPI actually correlates with the introduction of the measure must be tested, as must the necessity and effectiveness of any further training measure.
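As an added example, not taken from the article, here is a small Python sketch of the timestamped competence record described above: it keeps the latest score per employee and competence, flags target/actual gaps on the article's 30/60/90/120 scale, and, for a training measure, compares the trained employee's change with that of colleagues who did not take it, which is the check the caveat above calls for. Employee names, scores and dates are constructed.

```python
from datetime import date

# Constructed sample data, not from the article: quarterly scores on the
# article's 30/60/90/120 scale for one competence, and one training measure.
TARGET = 90  # on that scale, 90 counts as sufficient
ASSESSMENTS = [  # (employee, competence, score, measured on)
    ("anna", "phishing-handling", 60, date(2023, 1, 15)),
    ("anna", "phishing-handling", 90, date(2023, 4, 15)),
    ("ben", "phishing-handling", 60, date(2023, 1, 15)),
    ("ben", "phishing-handling", 90, date(2023, 4, 15)),
    ("cara", "phishing-handling", 30, date(2023, 1, 15)),
    ("cara", "phishing-handling", 60, date(2023, 4, 15)),
]
MEASURES = [  # (employee, competence, kind, started on)
    ("anna", "phishing-handling", "external webinar", date(2023, 2, 1)),
]

def latest_scores(assessments):
    """Most recent score per (employee, competence), chosen by timestamp."""
    latest = {}
    for emp, comp, score, when in assessments:
        if (emp, comp) not in latest or when > latest[(emp, comp)][1]:
            latest[(emp, comp)] = (score, when)
    return {key: score for key, (score, _) in latest.items()}

def gaps(assessments, target=TARGET):
    """Target/actual comparison: keys whose latest score is below target."""
    return sorted(k for k, s in latest_scores(assessments).items() if s < target)

def score_change(assessments, emp, comp, start, end):
    """Change from the last score on/before `start` to the first on/after `end`."""
    rows = sorted((w, s) for e, c, s, w in assessments if e == emp and c == comp)
    before = [s for w, s in rows if w <= start]
    after = [s for w, s in rows if w >= end]
    return after[0] - before[-1] if before and after else None

def measure_effect(assessments, measure, end):
    """Compare the trained employee's change with the average change of
    colleagues who did not take the measure over the same period; if both
    are similar, the change is not evidence that the measure worked."""
    emp, comp, _kind, start = measure
    treated = score_change(assessments, emp, comp, start, end)
    others = {e for e, c, *_ in assessments if c == comp and e != emp}
    deltas = [d for d in (score_change(assessments, e, comp, start, end)
                          for e in others) if d is not None]
    baseline = sum(deltas) / len(deltas) if deltas else None
    return treated, baseline
```

In the constructed data everyone improved by the same 30 points, so the webinar's apparent effect is not distinguishable from the general trend.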
It is important to establish a system with which you can determine who has which skills, how a lack of skills is to be compensated for, and how you can regularly check and measure the effectiveness of skills development measures.