1. Purpose and Scope
This policy defines how the organisation builds a culture of cybersecurity awareness and resilience. It applies to all employees, contractors, and partners.
Policy Statements:
- Training is mandatory for all staff, aligned with ISO/IEC 27002:2022 Clause 7.2.2.
- Awareness programs are integrated into the ISMS scope (ISO 27001 Clause 4.3).
- Training content includes privacy obligations under applicable data protection law; representative references include EU GDPR Article 39 and POPIA Section 19(2).
2. Mandatory Training
Policy Statements:
- All employees complete annual cybersecurity training (ISO 27001 Annex A.7.2.2).
- Training covers phishing, social engineering, secure data handling, privacy rights, and incident reporting.
- Completion rates are tracked and reported to management.
- Training programs include modules on collaborative security responsibilities with suppliers and partners (ISO 44000 Clause 7.2).
- Employees are trained to understand obligations in joint ventures and outsourcing arrangements.
- Training programs include modules on enterprise risk awareness, aligned with the COSO Internal Control — Integrated Framework (Principle 3: Risk Awareness & Culture) or equivalent internal-control framework adopted by the organisation.
- Employees are trained to understand how cybersecurity risks fit into the broader ERM framework.
3. Role-Based Training
Policy Statements:
- Executives receive training on governance and accountability consistent with applicable governance instruments; representative references include ISO/IEC 38500:2015 and, where applicable, US SOX Section 404 and equivalent national governance codes.
- IT staff are trained on technical controls (NIST RMF, ISO 27017 cloud security).
- End-users receive awareness training on secure practices (ISO 27018 privacy awareness).
- Supplier managers receive specialised training on collaborative relationship management and shared security obligations.
- IT staff are trained to implement and monitor joint controls with external service providers.
- Risk owners and managers receive specialised training on integration of the organisation’s chosen ERM framework (COSO ERM, ISO 31000:2018, or equivalent) with cybersecurity.
- Supplier managers are trained to apply the organisation’s chosen internal-control principles (COSO or equivalent) when managing collaborative risks.
4. Awareness Campaigns
Policy Statements:
- Quarterly campaigns highlight emerging threats (e.g., ransomware, phishing).
- Supplier awareness is integrated into contracts (SIAM principles).
- Case studies drawn from significant publicly-reported cybersecurity incidents are used to illustrate risks. Illustrative examples include WannaCry 2017, NotPetya 2017, the Twitter Bitcoin scam 2020, SolarWinds 2020, and regionally-relevant incidents in each organisation’s operating jurisdiction.
- Awareness campaigns highlight the importance of trust, transparency, and accountability in collaborative relationships (ISO 44000 Clause 5.3).
- Case studies of supply chain breaches are used to emphasise collaborative risk. Illustrative examples include SolarWinds 2020 and MOVEit 2023, alongside regionally-relevant incidents in each organisation’s operating jurisdiction.
- Awareness campaigns emphasise the role of internal controls and enterprise risk management in cybersecurity resilience.
- Case studies highlight how enterprise risk management frameworks — COSO ERM, ISO 31000:2018, or equivalent — support proactive risk management in supply chain and collaborative contexts.
5. Measurement and Effectiveness
Policy Statements:
- Effectiveness is measured through phishing simulations and knowledge tests.
- Results are reported to the board quarterly.
- Continuous improvement is ensured under ISO 9001:2015 Clause 10.3.
- Monitoring and evaluation follow COBIT MEA.
6. Audit and Assurance
Policy Statements:
- Training records are audited annually (ISO 27001 Clause 9.2).
- Management reviews awareness program effectiveness (Clause 9.3).
- External audits validate compliance with recognised assurance frameworks applicable to the organisation’s market context; representative reference: SOC 2 Security principle (AICPA).
7. Governance Alignment Statement
This policy supports transparency, accountability, ethical conduct, and stakeholder inclusivity, consistent with recognised corporate governance instruments in each jurisdiction in which the organisation operates. Representative instruments include the OECD Principles of Corporate Governance and the AU APRM framework. National codes referenced as applicable include (non-exhaustive):
- UK Corporate Governance Code
- US SOX Section 404
- Japan Corporate Governance Code
- Singapore Code of Corporate Governance
- India SEBI LODR
- South Africa King V
- Mauritius National Code of Corporate Governance
- AU APRM
- OECD Principles of Corporate Governance
Verified 29 May 2026 at 15:52 UTC · Version 1.0 · c-ao.com · © CIAO Standard Secretariat 2026