The organization should establish a program for InfoSec awareness, training, and education. This program should take into account the data being protected and the security controls implemented. It should be delivered periodically, and initially provided to new employees and to those moving into roles with different security requirements. Personnel knowledge should be tested after each activity to evaluate the program's efficacy. The awareness program should include regular activities such as physical or online campaigns, discussions, and e-learning modules, and should cover topics such as management commitment to security, compliance with rules and regulations, personal responsibility, basic procedures, and resources for further information.

