S 3.48 Selection of trainers or training providers
Initiation responsibility: IT Security Officer, Head of Personnel, Top Management
Implementation responsibility: Personnel Department, IT Security Officer
Before performing any awareness-raising and training programmes on information security, it must first be clarified if the awareness-raising and training on security issues will be conducted by the organisation's own employees or by external specialists, as well as what form of training should be used.
If the organisation uses its own employees to do the training, these employees must have the special skills and knowledge required as well as the ability to convey this knowledge to others. Technical knowledge alone is not adequate for an information security trainer, and these trainers must also have didactic, educational, and communicative skills. It is also important, amongst other things, for a trainer to be familiar with the language used by the corresponding target audience so that the information security aspects to be trained can be placed in the context of their working environments and projects. In addition, internal trainers also need to be allotted the time required to prepare and hold such training courses.
In many cases, it can be more economical to have external specialists perform the training. In this case, it is necessary to specify the financial resources available to this end. The external trainers should be selected carefully.
The following internal resources need to be budgeted even if the training will be performed by external trainers:
- One person must be appointed who is responsible for selecting qualified external trainers, prescribing the contents and teaching methods for the training, and acting as an intermediary between the external trainers and the organisation's employees.
- The employees will be absent from their workplaces for the duration of the training events.
- In addition, the employees should evaluate the training they received, and their experiences should be evaluated internally at regular intervals.
Experience has shown that there are numerous training providers offering suitable courses in the desired form for many fields. The organisation should ask the training provider if the contents of the courses will convey the knowledge required.
The training provider should be examined critically at regular intervals to determine whether or not the knowledge taught by the instructors, trainers, and coaches is up to date.
Review questions:
- Has it been defined whether the awareness-raising and training programmes should be performed by internal employees or external specialists and in which form the training is to be performed?
- Was a person in charge of selecting qualified training providers, training content, and training methods appointed?
- Are the internal resources for performing training measures budgeted for?
- Are the training measures performed evaluated by the participants?
- Are the experiences from the training measures regularly analysed internally?