
ISO 27001 A.6.3: Information security awareness, education and training

What This Control Requires

Personnel of the organization and relevant interested parties shall receive appropriate information security awareness education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function.

In Plain Language

Your security is only as strong as the person most likely to click a phishing link. Technical controls are essential, but people remain the most common attack vector - and the best defence when properly trained. This control is about building a genuine security culture, not just ticking a training box.

Training needs to be tailored by role. Everyone needs the basics - phishing recognition, password hygiene, incident reporting. Developers need secure coding practices. Sysadmins need hardening and configuration training. Management needs to understand their governance responsibilities. Generic, one-size-fits-all training is a common audit finding.

This also extends to contractors, suppliers, and other third parties who interact with your systems. And it has to be ongoing - a single onboarding session is not enough. Threats evolve, policies change, and people forget. Regular reinforcement throughout the year is what actually shifts behaviour.

How to Implement

Design a multi-layered awareness programme: mandatory annual training for all personnel, role-specific modules, ongoing awareness campaigns throughout the year, and induction training for new joiners.

For annual mandatory training, cover social engineering and phishing recognition, password and authentication best practices, data classification and handling, clean desk and clear screen, mobile device and remote working security, incident reporting procedures, acceptable use policies, and relevant regulatory requirements like GDPR for staff handling personal data.

Run phishing simulations - monthly or quarterly. Track click rates and reporting rates. Give immediate feedback to people who fall for simulations. Use the results to identify common weaknesses and target your training accordingly.

Build role-specific modules. Developers get secure coding training covering OWASP Top 10 and secure SDLC. Sysadmins get secure configuration and hardening. Incident responders get specialised handling training. Managers learn their security oversight responsibilities. HR gets trained on screening and offboarding security procedures.

Vary your delivery methods to keep engagement high: e-learning modules, short videos, security newsletters, posters and visual reminders, lunch-and-learn sessions, quizzes and competitions, and anonymised real-world examples from recent incidents. Death by PowerPoint kills engagement faster than anything.

Measure effectiveness with multiple metrics: training completion rates, phishing simulation trends, security incidents from human error, incident reporting rates, and periodic knowledge assessments. Use these numbers to improve the programme continuously and report to management.
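As an added example (not code from the original page or from AuditFront), the Python below turns the phishing-simulation and effectiveness metrics described in the two paragraphs above into something you can actually run over exported simulation results: per-campaign click and reporting rates, a per-role breakdown to target training where it is needed, and a check on whether click rates are still improving. The record layout, campaign names and the three-campaign window are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample: one record per simulated phishing email delivered.
# Fields: campaign id (named so that sorting gives chronological order),
# recipient role, whether the link was clicked, whether it was reported.
SIM_RESULTS = [
    ("2024-Q1", "finance", True, False),
    ("2024-Q1", "finance", False, True),
    ("2024-Q1", "engineering", False, True),
    ("2024-Q1", "engineering", True, False),
    ("2024-Q2", "finance", True, False),
    ("2024-Q2", "finance", False, True),
    ("2024-Q2", "engineering", False, True),
    ("2024-Q2", "engineering", False, True),
    ("2024-Q3", "finance", True, False),
    ("2024-Q3", "finance", False, False),
    ("2024-Q3", "engineering", False, True),
    ("2024-Q3", "engineering", False, True),
]


def campaign_rates(results):
    """Per-campaign (click_rate, report_rate), ordered by campaign id."""
    totals = defaultdict(lambda: [0, 0, 0])  # delivered, clicked, reported
    for campaign, _role, clicked, reported in results:
        t = totals[campaign]
        t[0] += 1
        t[1] += clicked
        t[2] += reported
    return {c: (t[1] / t[0], t[2] / t[0]) for c, t in sorted(totals.items())}


def role_click_rates(results, campaign):
    """Click rate by role for one campaign: the groups that need targeted training."""
    per_role = defaultdict(lambda: [0, 0])  # delivered, clicked
    for c, role, clicked, _reported in results:
        if c == campaign:
            per_role[role][0] += 1
            per_role[role][1] += clicked
    return {role: clicked / n for role, (n, clicked) in per_role.items()}


def needs_rethink(rates, window=3):
    """True when the click rate has not fallen over the last `window` campaigns
    (the page's cue that the training content itself needs revisiting)."""
    clicks = [click_rate for click_rate, _ in rates.values()][-window:]
    if len(clicks) < window:
        return False  # not enough campaigns yet to judge a trend
    return clicks[-1] >= clicks[0]


if __name__ == "__main__":
    rates = campaign_rates(SIM_RESULTS)
    for campaign, (click, report) in rates.items():
        print(f"{campaign}: click {click:.0%}, reported {report:.0%}")
    print("Q3 by role:", role_click_rates(SIM_RESULTS, "2024-Q3"))
    print("Rethink training content?", needs_rethink(rates))
```

Watching the trend rather than a single campaign, as the page advises, is exactly what `needs_rethink` encodes; the per-role output is what feeds the "target your training accordingly" step.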

Evidence Your Auditor Will Request

  • Security awareness training program documentation and curriculum
  • Training completion records for all personnel by role category
  • Phishing simulation results and trend analysis
  • Role-specific training records for technical and management personnel
  • Program effectiveness metrics and improvement actions

Common Mistakes

  • Training is a one-time event at onboarding with no ongoing reinforcement
  • Training content is generic and not tailored to different roles and responsibilities
  • Phishing simulations are not conducted or results are not used to improve training
  • Contractors and third-party personnel are excluded from the awareness program
  • Training effectiveness is not measured and the program is not improved based on results

Related Controls Across Frameworks

Framework   Control ID      Relationship
SOC 2       CC1.4           Related
SOC 2       CC2.2           Related
GDPR        Art.39(1)(b)    Related
NIS2        Art.20(2)       Equivalent

Frequently Asked Questions

How often should security awareness training be conducted?
Formal training should be mandatory at least annually, plus at onboarding for new joiners. But the best programmes run continuous reinforcement throughout the year - monthly phishing simulations, quarterly newsletters, periodic tips and reminders, and timely alerts about current threats. Think of the annual training as the foundation, with ongoing micro-learning moments keeping it fresh in people's minds.
How do we measure the effectiveness of security awareness training?
Track several metrics together: phishing simulation click rates (should drop over time), security incident reporting rates (should rise as people get better at spotting things), incidents caused by human error (should decrease), training quiz scores, and employee feedback. Compare before and after training campaigns, and watch trends over time rather than fixating on any single data point. If click rates are not improving after several campaigns, your training content probably needs rethinking.
