Training and awareness-raising activities can be delivered in a variety of ways, and you are free to decide which methods to use for different staff groups.
It is good practice to use a range of training approaches, and this usually results in better participation and comprehension. Some people respond well to e-learning; others may benefit more from face-to-face training. See, for example, the good practice guidance on training and awareness published by the Information Commissioner's Office (ICO) and National Cyber Security Centre (NCSC).
Both formal training and informal awareness-raising methods have their place in delivering the different levels of understanding required.
Formal training is more structured and measurable, and can be useful to ensure specific topics are covered across a group, or to deliver more complex or compliance-based content. For example, you might decide to use e-learning to provide basic knowledge to all staff, with additional training in different forms to meet the specific needs of different staff groups.
Informal methods can be very helpful to raise awareness across the organisation or for specific staff groups. Alternatively, you might decide that formal training isn’t appropriate for staff who need a less advanced level of knowledge, and therefore maintain their awareness through less formal methods.
Your programme can take into account previous training that individuals may have received in your organisation or elsewhere, and the current level of awareness in different groups in your organisation. Interviews with a small representative sample of each staff group can help you gain an understanding of this.
Monitor and record your activities
You will need to monitor and record your training and awareness activities to give assurance to your board and auditors that you are delivering them in accordance with your training needs analysis and reaching all relevant staff.
Formal training approaches
Formal training is delivered in a systematic, intentional way. It can occur in a face-to-face setting or through an online learning platform. This training is structured and more easily measurable, and can be useful for detailed training or to ensure coverage of specific topics.
Examples of formal training approaches that can contribute to the required outcomes include:
- in-house face-to-face training (with national or local training material – such as an induction presentation)
- e-learning modules (such as the national Data Security Awareness module)
- external conferences or courses – attending relevant cyber or IG events with continuing professional development (CPD) points or a certificate of attendance
- course syllabuses with modules covering data protection and confidentiality, completed by newly qualified frontline staff such as nurses or social workers
- relevant qualifications obtained by staff in specialist roles