Clause 6 – People Controls

A 6.3 – Information Security Awareness, Education and Training

Attributes

Control Type: Preventive
Information Security Properties: Confidentiality, Integrity, Availability
Cybersecurity Concepts: Protect
Operational Capabilities: Human Resource Security
Security Domains: Governance and Ecosystem

Control

Personnel of the organisation and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organisation's information security policy, topic-specific policies and procedures, as relevant for their job function. (ISO 27001:2022 Annex A 6.3 Information Security Awareness, Education and Training)

About

Annex A 6.3 focuses on the human aspect of information security: more specifically, personnel's level of security awareness, education and training, and the regular updates they receive on your organization's security policy and procedures that are relevant to their jobs.

Purpose

To ensure personnel and relevant interested parties are aware of and fulfil their information security

Implementation Guide

The guidance from ISO 27002 focuses on three topics: awareness, education and training.

Awareness

Ensure all employees understand the importance of information security and their role in safeguarding the organization’s assets.

  • Develop Awareness Campaigns: Use a variety of communication methods (emails, posters, newsletters, intranet) to disseminate key security messages.
  • Onboarding Orientation: Incorporate security awareness into the onboarding process for new employees, emphasizing the importance of information security from day one.
  • Phishing Simulations: Regularly conduct phishing simulations to test and improve employees' ability to recognize and respond to phishing attempts.

What Auditors Look For And How to Prepare

The auditor is going to check a number of areas for compliance with Annex A 6.3. Be prepared for the following:

1. That you have done information security training and awareness

The auditor will meet with the HR department and those responsible for training and awareness to ensure that a plan is in place and being followed. The simplest approach is to use a specialist training tool, though it can also be done manually. Ensure you can provide evidence that the training occurred, that participants understood it, and that records are maintained. The auditor will review this training for components like annual Data Protection and Information Security training and will examine the onboarding process to see how these topics are addressed for new hires.

2. That you have communicated the training and awareness process

The audit will verify the existence of documented processes and topic-specific policies, ensuring they have been communicated and that employees have been trained on their requirements.

3. That your employees understand basic information security procedures

A great example of security awareness is the ability of employees to recognize phishing emails. Furthermore, an auditor can easily check whether your employees have developed security awareness by inspecting their workplace. For example, if an employee does not lock their screen (clean screen policy) or clear their desk after work, it is quite obvious that they are not security aware at all.