Security Awareness Training and ISA Capability Maturity

Technology is constantly changing. Security technology is getting better and making jobs easier, as described by Peltier (2013), yet bad actors continue to cause problems no matter what new security control is introduced. It is a constant cycle. Security awareness therefore includes many activities and approaches at all levels of an organization.

Building an Effective Security Awareness Program

The security team develops security policies, standards, procedures, and guidelines as the starting point of an effective information security program in an organization, as described by Peltier (2001). Once this security architecture, policies and all, is in place, it will become less effective if no process exists to ensure that employees are aware of their rights and responsibilities.

Many times security professionals implement the perfect security program, as described by Peltier (2001), but then do not follow through to bring the personnel into the formula. To be as successful as possible, an information security professional must define a way to sell the security architecture to its customers. An effective security awareness program can be the most cost-effective action the management team can approve to safeguard critical information assets, as Peltier (2001) points out. Executing an effective security awareness program helps employees understand why information security is to be taken seriously, what they gain from the implementation of a security program, and how the security program will assist them in completing their tasks. The process should begin with new employee orientation and continue annually for all employees at all levels of the organization.

Awareness, Training, and Education

Awareness, education, and training within information security, as described by Layton (2016), are central values that must be employed in every organization. There is a difference between awareness, education, and training. Awareness, as Layton (2016) points out, is directed at all users and normally focuses attention on global security principles. Information security training is more in-depth, and the message is directed at a particular audience with an expected outcome. The last type is education, in which ideas and subjects are covered in detail to develop new abilities or skills and to alter the outcome in some way.

Training in the ISA-CMM

Within the Information Security Assurance Capability Maturity Model (ISA-CMM), as Security Horizon (2012) points out in section ISA-PA01 Provide Training, the base practices are: identify the training that is needed; select the method(s) of security training; ensure that information security training is available; organize training for personnel; and assess and gather feedback on the training and awareness training provided to the organization.

References

Layton, T. P. (2016). Information security: Design, implementation, measurement, and compliance. Auerbach Publications.

Peltier, T. R. (2001). Information security policies, procedures, and standards: Guidelines for effective information security management. CRC Press.

Peltier, T. R. (2013). Information security fundamentals (2nd ed.). CRC Press.

Security Horizon. (2012). Information security assurance capability maturity model (ISA-CMM), draft version 3.2.