Enhancing cybersecurity awareness strategies to comply with ISO 27001:2022

dc.contributor.author: Uka, Fitore
dc.contributor.department: fi=Johtamisen ja yrittäjyyden laitos|en=Department of Management and Entrepreneurship|
dc.contributor.faculty: fi=Turun kauppakorkeakoulu|en=Turku School of Economics|
dc.contributor.studysubject: fi=Tietojärjestelmätiede|en=Information Systems Science|
dc.date.accessioned: 2025-07-03T21:04:26Z
dc.date.available: 2025-07-03T21:04:26Z
dc.date.issued: 2025-06-12
dc.description.abstract: This thesis presents a case study of ICT Group aimed at enhancing cybersecurity awareness throughout the organization by developing a role-based strategy aligned with the ISO 27001:2022 standard. Through a multi-method research approach, including literature review, organizational analysis, benchmarking, and data collection via interviews, surveys, and incident reports, the study identifies critical gaps in the current one-size-fits-all awareness program. The findings demonstrate the need for tailored, role-specific training that addresses the unique cybersecurity risks associated with different employee functions. A comprehensive, modular awareness strategy is proposed, featuring detailed role-risk mapping, targeted training plans, and the integration of Learning Management Systems (LMS) to support scalable and engaging learning experiences. The strategy further incorporates the appointment of cybersecurity champions, a centralized communication platform, continuous microlearning, and a metrics-driven evaluation framework to monitor effectiveness and promote continuous improvement. The LMS options were evaluated, recommending Docebo for its scalability and robust role-based capabilities, with Moodle and Nerds & Company as alternative solutions based on organizational needs. Finally, a phased implementation roadmap is outlined to guide ICT Group in transitioning to a sustainable, scalable, and ISO-aligned cybersecurity awareness program that fosters a proactive security culture.
dc.format.extent: 139
dc.identifier.olddbid: 199534
dc.identifier.oldhandle: 10024/182564
dc.identifier.uri: https://www.utupub.fi/handle/11111/20439
dc.identifier.urn: URN:NBN:fi-fe2025070377415
dc.language.iso: eng
dc.rights: fi=Julkaisu on tekijänoikeussäännösten alainen. Teosta voi lukea ja tulostaa henkilökohtaista käyttöä varten. Käyttö kaupallisiin tarkoituksiin on kielletty.|en=This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.|
dc.rights.accessrights: closed
dc.source.identifier: https://www.utupub.fi/handle/10024/182564
dc.subject: cybersecurity, Awareness improvement, cybersecurity awareness strategy
dc.title: Enhancing cybersecurity awareness strategies to comply with ISO 27001:2022
dc.type.ontasot: fi=Pro gradu -tutkielma|en=Master's thesis|

Files

Name: Uka_Fitore_Thesis.pdf
Size: 3.7 MB
Format: Adobe Portable Document Format