A Heightened Sense of Awareness: What the Internal Auditor Should Know About Information Security Awareness Training
According to the US National Institute of Standards and Technology (NIST), each individual in an organization who owns, uses, relies on, or manages information and information systems must fully understand his or her specific security responsibilities.
One of the most important tools an organization has (or should have) to reach that state of readiness is an information security awareness training program.
Even though internal auditors may not be performing an audit of the security awareness training program specifically, they should be familiar with the elements of a good awareness program regardless of the business area at which they are looking. If there are issues in a security-related area, awareness training may be one place they can look to provide recommendations.
The key characteristics of an information security awareness training program that an internal auditor should be aware of include the extent to which the program is supported by management, the content of the training itself, how that training is delivered and how the organization measures success for the program.