Quiz Entry - updated: 2026.07.05
Why is awareness indispensable even in an organization with a complete ISMS?
Because even the best security policies are useless if they aren't lived — the "why, what and how" must reach the workforce for the security goals to be achievable.
The chain of reasoning:
- Organizations introduce ISMS measures to protect information — technical, organizational, and personnel measures
- But: "Auch die besten Sicherheitsrichtlinien sind nutzlos, wenn sie nicht gelebt werden" — paper protects nothing
- Therefore the why, what, and how must be communicated to the workforce: why security matters (motivation), what is expected (rules), how to do it (skills)
And the foundation everyone must know: the basic protection goals are CIA — Confidentiality, Integrity, Availability (Vertraulichkeit, Integrität, Verfügbarkeit).
Tip: The why/what/how triple maps exactly onto the Education/Awareness/Training levels of the NIST learning continuum — "why" builds insight, "what" builds recognition, "how" builds skill. A program delivering only one of the three leaves the behavior chain broken.
Go deeper:
NIST SP 800-50 Rev. 1 — Warum technische Massnahmen ohne gelebte Awareness und Sicherheitskultur unvollständig bleiben.