Clause 6 – People Controls
A 6.3 – Information Security Awareness, Education and Training
Attributes
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
| --- | --- | --- | --- | --- |
| Preventive | Confidentiality, Integrity, Availability | Protect | Human Resource Security | Governance and Ecosystem |
Control
Personnel of the organisation and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organisation's information security policy, topic-specific policies and procedures, as relevant for their job function. (ISO 27001:2022 Annex A 6.3 Information Security Awareness, Education and Training)
About
Annex A 6.3 focuses on the human aspect of information security: the level of security awareness, education and training of personnel, and the regular updates they receive on the parts of your organization's security policy and procedures that are relevant to their jobs.
Purpose
To ensure personnel and relevant interested parties are aware of and fulfil their information security
Implementation Guide
The guidance from ISO 27002 focuses on three topics: awareness, education, and training.
Awareness
Ensure all employees understand the importance of information security and their role in safeguarding the organization’s assets.
- Develop Awareness Campaigns: Use a variety of communication methods (emails, posters, newsletters, intranet) to disseminate key security messages.
- Onboarding Orientation: Incorporate security awareness into the onboarding process for new employees, emphasizing the importance of information security from day one.
- Phishing Simulations: Regularly conduct phishing simulations to test and improve employees' ability to recognize and respond to phishing attempts.
What Auditors Look For And How to Prepare
The auditor is going to check a number of areas for compliance with Annex A 6.3. Be prepared for the following:
1. That you have done information security training and awareness
The auditor will meet with the HR department and those responsible for training and awareness to confirm that a plan is in place and being followed. The simplest approach is to use a specialist training tool, though it can also be done manually. Ensure you can provide evidence that the training occurred (attendance or completion records), that participants understood it (quiz or assessment results), and that these records are retained. The auditor will review this training for components such as annual Data Protection and Information Security training and will examine the onboarding process to see how these topics are addressed for new hires.
2. That you have communicated the training and awareness process
The auditor will verify the existence of documented processes and topic-specific policies, ensuring they have been communicated and that employees have been trained on their requirements.
3. That your employees understand basic information security procedures
A good indicator of security awareness is the ability of employees to recognize phishing emails. An auditor can also check whether employees have developed security awareness simply by inspecting their workplace: an employee who does not lock their screen when stepping away (clear screen policy) or does not clear their desk at the end of the day (clear desk policy) is a clear sign that awareness training has not taken hold.