Once you have read my article, you will have a good idea of how to approach your compliance awareness campaign. You will get concrete advice on choosing topics, forming alliances, and how to measure how well your campaign worked.
Compliance is hardly known for being the world's most interesting topic. In the eyes of many, it is time-consuming, limiting, and boring.
A run-down car can get purple fringe tail lights, 30-inch fins, and a Palomino dashboard - and become Greased Lightnin'. Similarly, you can give compliance a makeover in order to make the topic more accessible, relevant, and exciting.
This is what you do:
You must first and foremost ensure the involvement of the management. There are two reasons for this:
For one thing, the employees should hear from the management why compliance is important. The message then carries more weight.
For another thing, awareness campaigns are not free. They cost the organisation time. You will only get the resources you need if you make it clear to the management why you need a compliance awareness campaign. If a compliance audit has resulted in findings and recommendations or if you need to follow ISO 27001/2, NIS2, or any other standards, you will have a compelling argument. Awareness is a requirement under ISO 27001 and ISO 27002, so there is no way around it. A focus on compliance can furthermore save you time and money. Both your finances and your image take a hit when a user error causes a data leak or system breakdown.
Moreover, awareness is about communication. If this is not your strong suit, you should become good friends with your communications or marketing department, if your company has one. They will be able to help you communicate in a language the employees understand.
With the backing of your new allies, you should now determine the areas your awareness campaign should focus on. There are many topics to choose from, some heavier than others, and unnecessary information needs to be removed.
Consider the problems you have experienced due to user ignorance. A few examples may be:
If you are unsure of anything, get hold of HelpDesk or IT support if you have those functions. They can tell you what employees most often ask about and what they are unsure of. You can also consider whether you recently began using new systems or performing tasks in a new way. Have the employees become familiar with this, or are there many mistakes?
You will possibly find more problems than you can address in a single awareness campaign. Focus on the most important ones and save the less important ones for your next campaign. Make sure you use simple, powerful messages. Prepare short campaigns with simple themes, and then run campaigns more often.
Now you need to go out and meet people where they are. The employees sit at their computers, eat in the cafeteria, and attend Friday morning meetings. This is where you should meet them. One way to do this is by means of:
An employee awareness quiz can also demonstrate to management that your awareness campaign has had an impact on people. Set a realistic goal for yourself. If half of all the employees take the quiz, you have done a great job! A quiz also shows you the areas where you need to do more training for your employees.
So, can you make compliance interesting? You can at least go a long way toward making it accessible, relevant, and engaging.
There are many programs that can help you make quizzes. Our compliance platform for all Governance, Risk, and Compliance matters not only lets you write your own questions and answers, but also tracks how many have been answered correctly. You also get an entire library of questions/answers concerning compliance from which you can pick. This way you efficiently ensure that the employees are made familiar with the relevant policies and rules, as well as any compliance with standards, such as ISO 27001.