ISO 27001 Annex A 6.3 Audit Checklist

Auditing ISO 27001 Annex A 6.3 is the systematic evaluation of personnel competency and security culture through targeted education. The primary implementation requirement is a formal awareness programme; the business benefit is a resilient workforce capable of identifying cyber threats and protecting vital organisational assets.

ISO 27001 Annex A 6.3 Information Security Awareness, Education and Training Audit Checklist

This technical verification tool is designed for lead auditors to confirm the efficacy of the organisation’s security culture and personnel competency. Use this checklist to validate compliance with ISO 27001 Annex A 6.3.

1. Information Security Awareness Programme Formalised

Verification Criteria: A documented programme exists that defines the strategy, frequency, and delivery methods for security awareness across all personnel levels.

Required Evidence: Approved Security Awareness Strategy or Annual Training Plan with version history and management sign-off.

Pass/Fail Test: If the organisation cannot produce a documented plan that schedules awareness activities for the current fiscal year, mark as Non-Compliant.

2. Induction Security Training Completion Verified

Verification Criteria: Every new employee and contractor completes mandatory information security induction training prior to being granted access to production systems or sensitive data.

Required Evidence: Learning Management System (LMS) reports or HR onboarding logs showing completion timestamps cross-referenced against system account creation dates.

Pass/Fail Test: If a sample of five recent joiners shows system access was granted more than 48 hours before the security induction was completed, mark as Non-Compliant.

3. Annual Refresher Training Cycle Confirmed

Verification Criteria: All personnel undergo regular refresher training at least once per year to maintain awareness of evolving threats and policy changes.

Required Evidence: Historical training logs showing >95% completion rates for annual security modules over the last two audit cycles.

Pass/Fail Test: If the organisation allows more than 13 months to pass between training sessions for any active employee, mark as Non-Compliant.

4. Specialised Role-Based Security Training Validated

Verification Criteria: Personnel in high-risk or technical roles (e.g. developers, system admins, HR) receive specialised training relevant to their specific security duties.

Required Evidence: Certificates or course outlines for technical training such as OWASP Top 10 for developers or Privileged Access Management for administrators.

Pass/Fail Test: If technical staff with privileged access only receive the same generic awareness training as non-technical staff, mark as Non-Compliant.

5. Practical Threat Simulation (Phishing) Performance Monitored

Verification Criteria: The organisation performs periodic simulations of social engineering attacks to measure practical awareness and identify vulnerable personnel.

Required Evidence: Results and analysis reports from recent phishing simulations, including click rates and reporting rates.

Pass/Fail Test: If the organisation has not conducted a social engineering simulation or practical threat test in the last six months, mark as Non-Compliant.

6. Comprehension and Competency Assessments Recorded

Verification Criteria: Training includes formal assessments (e.g. quizzes) to verify that personnel have understood the material and achieved a minimum passing score.

Required Evidence: LMS records showing individual assessment scores and a defined “pass” threshold (e.g. 80%).

Pass/Fail Test: If training is “read-only” with no mandatory knowledge check or scoring mechanism, mark as Non-Compliant.

7. Topic-Specific Policy Awareness Evidenced

Verification Criteria: Awareness activities explicitly cover the organisation’s specific policies, such as Acceptable Use, Clear Desk, and Incident Reporting.

Required Evidence: Training module screenshots or slide decks that reference the organisation’s specific policy names and unique reporting channels.

Pass/Fail Test: If the training content is purely generic (off-the-shelf) and fails to name the organisation’s actual internal reporting portal or SOC contact details, mark as Non-Compliant.

8. Security Awareness Communication Trail Identified

Verification Criteria: Information security is communicated through varied, ongoing channels such as newsletters, intranet updates, or physical posters to supplement formal training.

Required Evidence: Archive of security bulletins, screenshots of intranet banners, or photographs of physical awareness displays.

Pass/Fail Test: If formal annual training is the only form of security communication found in the audit trail, mark as Non-Compliant.

9. Management Engagement in Awareness Activities Verified

Verification Criteria: Senior management demonstrates leadership by participating in the programme and ensuring time is allocated for staff completion.

Required Evidence: Management Review Meeting (MRM) minutes showing review of training completion rates and leadership messaging.

Pass/Fail Test: If completion rates for senior management are lower than the organisational average, mark as Non-Compliant.

10. External Party (Contractor) Awareness Alignment Confirmed

Verification Criteria: Contractors and third-party personnel with access to organisational assets are subjected to the same awareness standards as internal staff.

Required Evidence: Signed Master Service Agreements (MSAs) mandating training or induction records for specific third-party consultants.

Pass/Fail Test: If a contractor has active administrative access but has not completed the organisational security induction, mark as Non-Compliant.
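The timestamp cross-references behind items 2, 3 and 10 above, as an added Python example that is not part of the original checklist: it assumes the LMS completion and HR/IAM account-creation records have been exported into the constructed `RECORDS` list below and flags every person who fails the 48-hour, 13-month or contractor-induction tests.

```python
from datetime import datetime, timedelta
# Constructed sample records (not from the page): "access" is the account creation
# timestamp from HR/IAM, "training" the LMS completion timestamps (induction first).
RECORDS = [
    {"id": "u1", "type": "employee", "admin": False, "access": "2024-03-04T09:00",
     "training": ["2024-03-05T10:00", "2025-02-20T11:00"]},  # compliant
    {"id": "u2", "type": "employee", "admin": True, "access": "2024-06-10T08:00",
     "training": ["2024-06-14T16:00", "2025-05-01T09:00"]},  # access 4 days early
    {"id": "u3", "type": "employee", "admin": False, "access": "2023-01-09T09:00",
     "training": ["2023-01-09T12:00", "2024-02-01T09:00"]},  # refresher overdue
    {"id": "c1", "type": "contractor", "admin": True, "access": "2025-04-01T09:00",
     "training": []},                                        # no induction at all
]
AS_OF = datetime(2025, 6, 1)  # audit date for the "time since last session" check
ts = datetime.fromisoformat
def add_months(d, n):
    # Calendar-month arithmetic; day clamped to 28 so February never overflows.
    y, m = divmod(d.month - 1 + n, 12)
    return d.replace(year=d.year + y, month=m + 1, day=min(d.day, 28))

def check_induction(rec, max_lead=timedelta(hours=48)):
    """Item 2: access may not precede induction completion by more than 48 hours."""
    if not rec["training"]:
        return "no induction recorded"
    lead = ts(rec["training"][0]) - ts(rec["access"])
    return f"access granted {lead} before induction" if lead > max_lead else None

def check_refresher(rec, as_of, max_gap_months=13):
    """Item 3: no more than 13 months between sessions, or since the last one."""
    dates = [ts(t) for t in rec["training"]] + [as_of]
    if len(dates) < 2:
        return "no training history"
    for earlier, later in zip(dates, dates[1:]):
        if later > add_months(earlier, max_gap_months):
            return f"{(later - earlier).days} days since previous session"
    return None

def check_contractor(rec):
    """Item 10: a contractor holding admin access must have completed induction."""
    bad = rec["type"] == "contractor" and rec["admin"] and not rec["training"]
    return "admin contractor without induction" if bad else None

def audit(records, as_of):
    """Return {person_id: [findings]} for non-compliant records only."""
    out = {}
    for rec in records:
        checks = (check_induction(rec), check_refresher(rec, as_of), check_contractor(rec))
        if any(checks):
            out[rec["id"]] = [m for m in checks if m]
    return out
```

Run `audit(RECORDS, AS_OF)` to list the non-compliant identities; only `u2`, `u3` and `c1` are reported for the constructed data.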

About the author

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
