3.1.8 Staff Competence and Training
No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 |
Effective from 2021-11-04 - Nov 03 2021
Principle
Staff of the Member Organizations should be equipped with the required skills and knowledge to operate the Member Organization's information assets in a controlled manner, and should be provided with training on how to operate, address and apply IT-relevant controls on the Member Organization's information assets.
Control Requirements
1. Member Organizations should identify and define critical roles within the IT department (e.g. DBA, sysadmin, etc.).
2. Member Organizations should ensure adequate staffing for critical IT roles, such that critical IT roles are not handled by only one staff member.
3. Member Organizations should identify the professional certifications required for staff responsible for critical IT roles.
4. Member Organizations should evaluate staffing requirements on a periodic basis or upon major changes to the business, operational or IT environments to ensure that the IT function has sufficient resources.
5. An annual IT training plan should be developed by the Member Organizations.
6. Formal training should be conducted, as a minimum, for:
   a. IT staff (existing and new); and
   b. Contractors (where applicable).
7. The IT training plan should be reviewed periodically.
8. Specialist training should be provided to staff in the Member Organization's relevant functional area categories in line with their job descriptions, including:
   a. staff involved in performing critical IT roles;
   b. staff involved in developing and (technically) maintaining information assets; and
   c. staff involved in risk assessments.