Control: The organisation establishes an information security workforce development and improvement program.
Information Security Workforce Supplemental Guidance:
Information security workforce development and improvement programs include, for example:
- (i) defining the knowledge and skill levels needed to perform information security duties and tasks;
- (ii) developing role-based training programs for individuals assigned information security roles and responsibilities; and
- (iii) providing standards for measuring and building individual qualifications for incumbents and applicants for information security-related positions.
Such workforce programs can also include associated information security career paths to encourage:
- (i) information security professionals to advance in the field and fill positions with greater responsibility; and
- (ii) organisations to fill information security-related positions with qualified personnel.
Information security workforce development and improvement programs are complementary to organisational security awareness and training programs. Information security workforce development and improvement programs focus on developing and institutionalising core information security capabilities of selected personnel needed to protect organisational operations, assets, and individuals.
Related controls: AT-2, AT-3.