Competence, Awareness, and Training
Document ID: DPWAT-ISMS-GOV-006
Version: 1.0
Owner: ISMS Manager / CISO (RMSI) — Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-08-18
Next review: 2027-02-01
1. Purpose
Define how DP WAT ensures personnel are competent and aware of ISMS requirements (ISO 27001 clauses 7.2 and 7.3).
2. Minimum requirements
- All new joiners receive security onboarding (policies, incident reporting, access control).
- Annual refresher training/awareness is provided to all personnel.
- Project-specific security training is provided when required by customer contract or risk.
3. Security awareness topics
Annual awareness training covers the following topics (aligned with common threats in 02.01-risk-management-methodology):
- Phishing and social engineering — recognizing suspicious emails, verifying requests, reporting
- Credential security — password managers, MFA, not reusing passwords, passkeys
- Device security — encryption, screen lock, lost device procedures, patching
- Data handling — approved storage, avoiding secrets in code/chat, classification
- Incident reporting — what to report, how to report, no-blame culture
Training is delivered via team discussion, shared materials, or external resources as appropriate. Completion is recorded in the training register.
4. Evidence
- Record training in the training register.
- Store training materials and attendance evidence in 07-records/.
5. Security awareness sources (A.5.6)
The CISO maintains awareness of security trends and threats by monitoring:
- DNSC/CERT-RO advisories
- Cloud provider security bulletins (AWS, Google Cloud, Azure, GitHub)
- Vendor security announcements for tools in use
- General infosec news and professional networks
Formal membership in special interest groups is not required given company size; the CISO incorporates relevant insights into risk assessments and training as needed.