Security Awareness Training
Security awareness training is a mandatory component of all cybersecurity insurance risk assessment questionnaires, which means it is now effectively mandatory. Further, phishing training is NOT phishing testing: you need both. It is also important that completion records be tracked in a learning management system so that both the IT security manager and the HR manager know who has successfully completed which training and when. Who is falling prey to phishing emails? You need to know this so you can assign them additional training, even one-on-one.
Is ISO different from SOC?
A useful orientation article from ImmuniWeb. ISO/IEC 27001 is a global standard designed to establish, maintain and continuously improve a corporate Information Security Management System (ISMS) to protect corporate data in a holistic manner. It is jointly developed and maintained by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Service Organization Control (SOC), designed and maintained by the American Institute of Certified Public Accountants (AICPA), is not a certification but rather a set of interrelated auditing reports validating proper implementation of internal controls by service companies.