LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

Why is awareness indispensable even in an organization with a complete ISMS?

Because even the best security policies are useless if they aren't lived — the "why, what and how" must reach the workforce for the security goals to be achievable.

The chain of reasoning:

  • Organizations introduce ISMS measures to protect information — technical, organizational, and personnel measures
  • But: "Auch die besten Sicherheitsrichtlinien sind nutzlos, wenn sie nicht gelebt werden" — paper protects nothing
  • Therefore the why, what, and how must be communicated to the workforce: why security matters (motivation), what is expected (rules), how to do it (skills)

And the foundation everyone must know: the basic protection goals are CIA — Confidentiality, Integrity, Availability (Vertraulichkeit, Integrität, Verfügbarkeit).

Tip: The why/what/how triple maps exactly onto the Education/Awareness/Training levels of the NIST learning continuum — "why" builds insight, "what" builds recognition, "how" builds skill. A program delivering only one of the three leaves the behavior chain broken.

Go deeper:

  • doc NIST SP 800-50 Rev. 1 — Warum technische Massnahmen ohne gelebte Awareness und Sicherheitskultur unvollständig bleiben.

From Quiz: ISM / The Human Factor — Security Awareness | Updated: Jul 05, 2026