Control of the Week #11
This week’s control involves the creation of an Employee Training Plan. Jose Costa (CISO at Tugboat Logic), Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic), Jitendra Juthani (Senior Manager, IS Risk & Compliance), and Chika Nwajagu (Senior Security Analyst at Tugboat Logic) explain why having good training plans can go a long way and be vital to your audit.
Why this control is important
HR5 – Training Plan – The organization has a formal training plan in place for employees and meets annually to identify relevant training needs to support in-scope systems.
How you train your employees will largely determine their effectiveness and their adherence to company policies. While many practices are common sense, and employees’ skills are catered specifically to the job they were hired to perform, a training plan goes a long way toward ensuring that your organization stays safe and secure and runs as smoothly as possible.
This control is closely tied to other controls surrounding training plans. This one in particular is a high-level, formal training plan that leadership creates at least once annually based on the organization’s needs. The process needs to be repeated regularly, because the organization’s scope and goals will change as it grows and evolves.
How to implement this control for your audits
A training plan must be made annually to determine the training employees need to perform job-related tasks and to meet the company’s business objectives. Onboarding new employees with different or specialized roles, or changes in business processes, can also call for an update to this training plan. In terms of maintaining a secure organization specifically, organizations will sometimes update their training plan quarterly depending on need. This is something your leadership can define when creating the training plan.
When preparing for your audit, ensure that:
- You have a training plan in place.
- You have determined what needs to be captured for each department and what the specific training requirements are.
  - This can be at an organizational level or department-specific. No hard and fast rules here!
  - It shouldn’t be limited to technical job needs; it should also cover security awareness training.
- You have identified training needs.
  - These can be captured through performance evaluations and identified needs.
Other things to consider: if your organization is small, or you are not yet at the stage of needing an overall organizational training plan, a good idea is to include this control as part of your employee evaluation process. As you discuss each employee’s performance and goals for the next year, you can also ask supervisors to discuss changes to the role as well as training needs. This will make sure that you cover the control without having to implement a whole process around it.