Hi all, we have just revised our security awareness training programme. In our organisation (small setup), as part of onboarding new starters we give them basic IT security awareness training, i.e. password good practice, awareness of social engineering, shoulder surfing, etc.
We have a 3rd party external audit coming in soon and I wonder what sort of things they will pick us up on. Have you had similar audits, i.e. them auditing that you are training your staff properly? What sort of things did they ask, recommend, or highlight in their testing and findings?
In terms of documentation, our training programme is documented, we record users' attendance, etc., and we don't allow exceptions, i.e. a corporate director still has to have it. Is there anything we are likely to have to do in addition to satisfy the external auditors?