grammar
schroeder

The idea of customising the training to meet user requirements is in fact a very good approach. However, there will have to be certain additions to this approach which will then suit everyone in your organisation.

With that being said, it is very correct when you say that the training required for an application developer will not be the same as an HR person.

However, when you look at structure of ISO 27001, you will see that it has many aspects which will be applicable to all departments, such as access control, asset management and disposal, Intellectual property rights management, Business continuity procedures, Employment procedures, Incident handling, Acceptable use guidelines, Clear desk and Clear screen and much more. You will see that each of these items which I have listed above will be applicable to everyone.

Your training approach should take all these into account while also making the training role-specific. I have been taking an approach that is department-specific. Some modules have been exclusively reserved for certain departments, while most modules are applicable to all departments. Your training schedule should list out all these.

Finally the topics that you impart to your employees should actually be within the limits of your organisation's Information security management system (ISMS). So, if you have a well defined ISMS, look through all the policies and procedures that have been defined for your organisation. This will give you a good starting point to define all your topics.

Vikas

The idea of customising the training to meet user requirements is in fact a very good approach. However, there will have to be certain additions to this approach which will then suit everyone in your organisation.

With that being said, it is very much correct when you say that the training required for an application developer will not be the same that is to be imparted to a HR person.

However, when you look at structure of ISO 27001, you will see that it has many number of aspects which will be applicable to all departments, such as access control, asset management and disposal, Intellectual property rights management, Business continuity procedures, Employment procedures, Incident handling, Acceptable use guidelines, Clear desk and Clear screen and much more. You will see that each of these items which I have listed above will be applicable to everyone.

You training approach should take all these into account while also making the training role specific. I have been taking an approach that is department specific. Some modules have been exclusively reserved for certain departments, while most modules are applicable to all departments. Your training schedule should list out all these.

Finally the topics that you impart to your employees should actually be within the limits of your organisation's Information security management system (ISMS). So, if you have a well defined ISMS, look through all the policies and procedures that have been defined for your organisation. This will give you a good starting point to define all your topics.