Information Security Management isn’t a buzzword or a passing IT trend. It’s a real, required, and audited discipline that’s becoming increasingly relevant in quality departments. Especially in contexts involving TISAX, ISO 27001, or simply customer expectations that sensitive technical data won’t leak via an accidental screenshot or an open laptop in an open space.
So how do you build awareness without endless trainings, slide decks full of bullets, or the classic “sign this sheet to confirm you attended” routine?
One word: newsletter.
And before you roll your eyes: relax. I’m not talking about a “marketing newsletter” offering discounts on shoes. I’m talking about a simple, internal communication tool that, during my time implementing TISAX in a manufacturing plant, delivered real results. Let me show you how you can do the same.
What is Information Security Management (ISM) and What Does It Have to Do with Quality?
ISM isn’t just about firewalls and passwords. It’s a full system designed to protect the confidentiality, integrity, and availability of information.
From a quality perspective, that means safeguarding client data, project documentation, 8D reports, customer complaints, and internal audits. All of this can leak not through hacking, but through:
• an open laptop during a meeting,
• a password left on a sticky note,
• a photo of a project board,
• clicking a virus-laden email link.
This is where education comes in. Or better yet: micro-education.
Why Do Newsletters Work? Because They’re Quiet, Regular, and Predictable
We don’t always have time for a 2-hour training. But we do have 90 seconds to read an email. That’s what makes a newsletter powerful:
• short message
• regular format (e.g. every 2 weeks, especially during ISO 27001 or TISAX implementation)
• real-life examples, ideally from your own production floor
• one clear topic per issue
I started with “Clear Desk, Clear Screen.” Then came phishing, ransomware, business travel, passwords, USB drives, social engineering… All important topics, delivered in a light format.

How to Build an Information Security Management Newsletter? Step by Step
1. Choose a Topic That Actually Happens in Your Company
No point starting with ISO 27001 theory. Start with a real issue:
• Someone left a laptop at the reception?
• A phishing email from “DHL” hit 30 inboxes?
• An employee posted a photo showing a confidential screen?
Great. You have a topic.
2. Add Context: What Could Happen If…
People don’t react to policies. They react to consequences.
“If you leave a drawing open on your screen, a supplier or competitor could easily see it.”
3. Use Simple Language
Don’t write:
“Internal ISO 27001 information security policies require protection of ‘confidential’ information.”
Instead write:
“Don’t leave customer documents on your desk. Lock them away before heading out for coffee.”
4. Add a Graphic or Real Photo (While Respecting Confidentiality!)
Images break up walls of text. They show real context. Even a simple icon or sketch works.
5. End With a Question or Task
“Does your screen lock automatically when you leave your desk? Check it today.”
This creates engagement. People remember it.

Topics That Worked for Me (and Might Work for You Too)
Phishing – What a Typical Attack Looks Like and How Not to Fall for It
Phishing is one of the most common methods hackers use to breach systems. They impersonate well-known brands, send fake invoices, or request clicks on suspicious links. One careless moment can hand them the keys to your company network.
Show real-life phishing examples in your newsletter. Use screenshots and give simple advice: “Before you click, check the sender. Never log in through a link in an email – type the address yourself.”
Social Engineering – “Help the IT Guy” and Other Traps
Not all attacks are digital. Some come via phone calls, emails from “head office colleagues,” or fake suppliers asking about project details. The goal: get information.
People naturally want to be helpful. And that’s often the weakest point in any security system. Highlight this in newsletters: “Before you help, ask yourself: is this person really who they claim to be?”
Business Travel Security – What to Do With Your Laptop at the Airport
Work trips increase risk. Laptops, USBs, smartphones – all leave the safe company network. Airports, hotels, and cafes are hotspots for eavesdropping or theft.
Remind employees: never leave your laptop unattended. Always lock your screen. Use privacy filters. If you don’t have to, don’t open confidential files in public. Stay aware without becoming paranoid.
Clear Desk – What You Leave Behind When You Head to Production
Leftover complaint reports, printed technical drawings, a presentation on a USB stick – all can end up in the wrong hands if desks aren’t cleared. And no, this isn’t about tidiness for tidiness’ sake.
Specific newsletter examples help: “I found a notebook on a desk with a password to the project laptop.” No room for interpretation. Just: lock it, hide it, don’t leave it out.
Ransomware – How Not to Lose Data by Clicking the Wrong Link
Ransomware encrypts your data and demands payment. It often starts with a harmless-looking .zip file or a fake invoice. By the time you notice, it’s too late. Prevention is the only real protection.
Newsletter advice? Keep an offline backup. Don’t open unknown attachments. Keep your software updated. Sounds boring? Maybe. But it works.
Home Office – How to Secure Data While Working From the Kitchen
Remote work is convenient, but risky. Kids nearby, open laptop, unsecured router, saved passwords in your browser. Sound familiar?
Your newsletter can remind: use a VPN. Don’t save passwords in Chrome. Cover your webcam when not in use. And above all: don’t print confidential docs unless you have a way to secure them.
Visitor Badges – Who Entered the Plant and What Did They Leave With?
Physical security is part of information protection. If visitors can roam freely and leave without returning their badge, you have a problem. They could take documents, snap photos, or worse.
Remind your team: badges aren’t a formality. They’re access control. And kindly letting someone in through the turnstile with your ID opens the door to unnecessary risk. Kindness should never override security protocols.
Newsletters and Audits – Yes, They Really Help
During a TISAX audit, one of the questions was about raising employee awareness. I showed a series of newsletters: regular, relevant, and easy to understand. That was enough.
The auditor didn’t ask about platform-based training. He saw that we were actively working on awareness.
Common Mistakes to Avoid
• Walls of text (no one reads them)
• Copy-pasting ISO / TISAX content without simplifying
• No real-life examples
• Rare or inconsistent mailings
• No relevance to shop floor roles

In Summary: Less Formal, More Effective
Information Security Management isn’t just about policies and tech. It’s about everyday decisions: do I shield my screen, do I post a photo from the plant, do I click that link?
A newsletter is a simple tool that lets you remind, teach, and inspire every week or two. Low effort, low cost, big impact.
Author: Dariusz Kowalczyk