In this guide, I will show you exactly how to implement ISO 27001 Annex A 6.3 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 6.3 Information Security Awareness, Education, and Training
ISO 27001 Annex A 6.3 requires organizations to ensure that all employees and relevant interested parties receive appropriate information security awareness, education, and training. This control is not just about a one-time “onboarding” session; it is about fostering a continuous culture of security responsibility. The goal is to empower individuals to recognize security threats (like phishing) and understand their specific role in protecting the organization’s assets.
Core requirements for compliance include:
- Continuous Awareness: Training must be regular and updated. This typically includes annual “refresher” courses and periodic “nudges” (like monthly security tips or simulated phishing attacks).
- Role-Specific Education: While some training is universal (e.g., password hygiene), certain roles require specialized training. For example, developers need training on Secure Coding (OWASP), and finance teams need training on CEO Fraud and Invoice Scam prevention.
- Verification of Understanding: It is not enough to just “deliver” training; you must prove that people understood it. This is usually achieved through quizzes, tests, or behavioral simulations.
- Topic-Specific Policies: Training should directly reflect your organization’s internal policies, such as the Acceptable Use Policy (AUP) and Incident Reporting procedures.
- Record Keeping: For audit purposes, you must maintain a central log of who was trained, when they were trained, and their assessment results. “If it isn’t written down, it didn’t happen.”
Audit Focus: Auditors will look for “The Culture of Knowledge”:
- Staff Interviews: They will interview random employees and ask: “Where can I find the security policy?” or “How do you report a suspicious email?”
- Training Completion Rates: “Show me your training dashboard. Why have 15% of your staff not completed the annual refresher that was due last month?”
- Onboarding Integration: They will check if new hires receive security training before or immediately after being granted access to sensitive systems.
Simple Competence Training Matrix (Audit Prep):
| Target Role | Critical Awareness Topic | Compliance Frequency | Delivery Method | ISO 27001:2022 Control |
|---|---|---|---|---|
| All Staff | Phishing, Passwords, and Acceptable Use Policy (AUP). | Monthly / Annual. | Simulations & Refresher Quizzes. | 6.3 (Awareness & Training) |
| New Hires | ISMS Policy Basics & Incident Reporting. | Day 1 (Induction). | Induction Video + Assessment. | 6.3 (Awareness & Training) |
| Developers | Secure Coding Standards / OWASP Top 10. | Annually. | Technical Hands-on Workshops. | 8.28 (Secure Coding) |
| Finance | Invoice Fraud, BEC, and CEO Fraud detection. | Quarterly. | Targeted Security Briefings. | 6.3 (Awareness & Training) |
| C-Level | Whaling, Spear Phishing, and Travel Security. | Annually. | Executive 1-to-1 Briefings. | 5.1 (Management Direction) |
Table of contents
- What is ISO 27001 Annex A 6.3?
- Watch the ISO 27001 Annex A 6.3 Tutorial
- ISO 27001 Annex A 6.3 Explainer Video
- ISO 27001 Annex A 6.3 Podcast
- ISO 27001 Annex A 6.3 Implementation Guidance
- How to implement ISO 27001 Annex A 6.3
- Simple Competence Training Topics Matrix Example
- ISO 27001 Annex A 6.3 Implementation Checklist
- How to pass the audit of ISO 27001 Annex A 6.3
- What the auditor will check
- ISO 27001 Annex A 6.3 Audit Checklist
- Top 3 ISO 27001 Annex A 6.3 mistakes and how to avoid them
- Applicability of ISO 27001 Annex A 6.3 across different business models.
- Fast Track ISO 27001 Annex A 6.3 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 6.3 FAQ
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 Annex A 6.3 Attributes Table
What is ISO 27001 Annex A 6.3?
ISO 27001 Information Security Awareness, Education, and Training (ISEAT) is a comprehensive program designed to empower individuals within an organisation to understand, recognise, and prevent security threats. It aims to foster a culture of security awareness and responsibility among employees.
ISO 27001 Annex A 6.3 Information Security Awareness, Education and Training is an ISO 27001 control that requires you to educate people on information security: from security awareness training and education to regular updates on your information security policy, topic-specific policies and processes.
ISO 27001 Annex A 6.3 Purpose
The purpose of ISO 27001 Annex A 6.3 is to ensure that people are aware of their responsibilities for information security and that they meet them.
ISO 27001 Annex A 6.3 Definition
ISO 27001 defines ISO 27001 Information Security Awareness, Education, and Training as:
Personnel of the organisation and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organisation's information security policy, topic-specific policies and procedures, as relevant for their job function.
ISO 27001:2022 Annex A 6.3 Information Security Awareness, Education and Training
Watch the ISO 27001 Annex A 6.3 Tutorial
In the video ISO 27001 Information Security Awareness and Training Explained – ISO27001:2022 Annex A 6.3 I show you how to implement it and how to pass the audit.
ISO 27001 Annex A 6.3 Explainer Video
In this beginner’s guide to ISO 27001 Annex A 6.3 Information Security Awareness Education and Training, ISO 27001 Lead Auditor Stuart Barker and his team talk you through what it is, how to implement it and how to pass the audit. Free ISO 27001 training.
ISO 27001 Annex A 6.3 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 6.3 Information Security Awareness Education and Training. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 6.3 Implementation Guidance
General Guidance
You are going to have to
- decide what information security training and awareness to do based on organisation risk and needs
- plan your training and awareness for the next 12 months
- develop, build and implement your training and awareness materials
- deliver your training and awareness to those that need it
- verify that people understand it
- keep records of all training and awareness
The headline guidance is to train people on information security. For more guidance on the ISO 27001 Security Training Policy, and on what to implement and how, you can read our beginner's guide to information security awareness and training.
Information security training and awareness plan
You are going to put a plan in place for information security training. It is not that hard to do, but you want to think about what people will need to know and how you are going to communicate it. A great tool to help is the ISO 27001 communication plan. You should also consider an off-the-shelf training tool to help you.
ISO 27001 training requirements
The programme should consider your ISO 27001 policies. That is the main information security policy and any ISO 27001 topic specific policies. It should also include your processes and procedures, specifically around information security.
The list to consider including:
- Leadership and management commitment to information security – it is top down after all
- Requirements of relevant laws and regulations
- People’s own accountability and responsibility for information security
- How to report an event or incident
- Where the information security policies are
- Who you speak to if you have a question on information security
When to do information security awareness and training
The guidance is “periodically”, but the best approach is to:
- conduct annual awareness training in information security
- conduct annual awareness training in data protection
- conduct initial awareness training either pre employment or as part of the onboarding process
- as things change or new things are introduced make people aware and train them
- in response to incidents and as part of continual improvement you may require additional training or awareness
Approaches to information security training
Actual training is something you implement based on need. You identify who needs training and provide it to them. Some training is for everyone, and some training is a little more targeted and specific to certain people and roles.
It is good practice to consider different types of training, such as emails, web pages, stand-up meetings and classroom-based sessions, but most people opt for an off-the-shelf training package that makes most of the problem go away.
There is a requirement to verify understanding that most people interpret as taking a test of some sort. These are usually built into the off the shelf training packages.
How to implement ISO 27001 Annex A 6.3
Implementing ISO 27001 Annex A 6.3 requires more than a simple annual slideshow; it demands a structured, multi-layered approach to human risk management. By following these steps, organisations can build a resilient security culture that transforms personnel from a primary vulnerability into a critical detective and preventive control.
1. Formalise the Security Awareness Strategy and Plan
Develop a documented roadmap that defines the objectives, target audiences, and delivery methods for the annual training cycle.
- Identify different user groups, such as general staff, C-suite executives, and technical personnel (e.g., DevOps or Database Admins).
- Define specific learning objectives for each group based on the results of your Physical Security Risk Assessment and Threat Landscape.
- Set a training schedule that includes initial inductions for new starters and regular refresher intervals for existing staff.
- Select appropriate delivery channels, such as a Learning Management System (LMS), live webinars, or simulated phishing exercises.
2. Provision Role-Based Training Content
Customise education materials to address the unique technical risks and IAM roles associated with different departments.
- Deliver general awareness on phishing, social engineering, and password hygiene (including MFA usage) for all staff.
- Provision specialised modules for technical teams covering secure coding (OWASP Top 10) and secure system administration.
- Educate management on their specific responsibilities regarding incident reporting and the Disciplinary Process for security breaches.
- Ensure all content reflects current UK data protection legislation, such as the Data Protection Act 2018 and UK GDPR.
3. Execute Simulated Threat Exercises
Implement practical testing scenarios to validate that theoretical training is being applied in real-world situations.
- Launch periodic, non-punitive phishing simulations to measure staff detection and reporting rates.
- Conduct physical security tests, such as “tailgating” checks at secure entry points, to assess adherence to Annex A 7.2 controls.
- Use the results of these exercises to identify “high-risk” individuals or departments that require targeted remedial education.
4. Socialise Security through Continuous Awareness Campaigns
Maintain top-of-mind awareness through frequent, low-friction communications that supplement formal training sessions.
- Distribute monthly newsletters or security advisories highlighting new emerging threats or “Zero Day” vulnerabilities.
- Utilise internal communication channels (e.g., Slack or Teams) to share quick security tips and “Hero of the Month” recognitions for reporting incidents.
- Display physical or digital posters in secure zones to reinforce clear desk and clear screen policies.
5. Formalise Attendance Tracking and Understanding Verification
Establish a verifiable audit trail that demonstrates to external auditors that all personnel have completed and understood their training.
- Utilise an LMS to automate the tracking of completion dates and generate individual training certificates.
- Include mandatory quizzes or assessments at the end of each module to verify the “Education” element of the control.
- Capture formal acknowledgements of the Information Security Policy (ISP) as part of the training workflow.
- Maintain a centralised Training Matrix that maps personnel to their completed modules for easy auditor inspection.
6. Audit Training Effectiveness and Optimise
Review performance metrics annually to ensure the training program remains effective and aligned with the ISMS goals.
- Compare training completion rates against the number of security incidents caused by human error.
- Update training modules based on findings from internal audits or changes in the organisational risk profile.
- Present awareness metrics to the management review board as evidence of continual improvement within the ISMS.
Simple Competence Training Topics Matrix Example
Example of who needs to know what.
| Role | Awareness Topic | Frequency | Method |
|---|---|---|---|
| All Staff | Phishing & Passwords | Monthly | Simulated Phishing / Email Tips. |
| New Hires | Policy Basics & AUP | Day 1 | Induction Video + Quiz. |
| Developers | Secure Coding (OWASP) | Annually | Technical Workshop. |
| Finance | Invoice Fraud / CEO Fraud | Quarterly | Targeted Briefing. |
| C-Level | Whaling / Travel Security | Annually | 1-to-1 Briefing. |
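The matrix above, together with the central training log called for in step 5, can be checked automatically before an audit. The following is an added example (not code from the page or the toolkit) that encodes the example matrix and reports the gaps an auditor would ask about: lapsed refreshers, failed assessments that do not count as completion, and new starters inducted late. The people, records, the refresher intervals in days and the fixed “today” are constructed assumptions.

```python
"""Check training records against a competence training matrix and report the gaps
an ISO 27001 Annex A 6.3 auditor would raise: lapsed refreshers, failed or missing
assessments, and late induction for new starters (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed refresher intervals in days; matrix modelled on the page's example, "All Staff" applies to everyone.
FREQUENCY_DAYS = {"Monthly": 31, "Quarterly": 92, "Annually": 366}
MATRIX = {
    "All Staff": [("Phishing & Passwords", "Monthly")],
    "Developers": [("Secure Coding (OWASP)", "Annually")],
    "Finance": [("Invoice Fraud / CEO Fraud", "Quarterly")],
    "C-Level": [("Whaling / Travel Security", "Annually")],
}
INDUCTION_TOPIC = "Policy Basics & AUP"  # owed once, on day 1 (start date)

@dataclass(frozen=True)
class Person:
    name: str
    role: str
    start_date: date

@dataclass(frozen=True)
class TrainingRecord:
    name: str
    topic: str
    completed: date
    passed: bool  # assessment outcome: the "verify understanding" evidence

def required_topics(person):
    """Recurring topics a person owes: the all-staff set plus their role's set."""
    return list(MATRIX["All Staff"]) + list(MATRIX.get(person.role, []))

def latest_passed(records, name, topic):
    """Most recent completion that passed its assessment; failed attempts do not count."""
    dates = [r.completed for r in records if r.name == name and r.topic == topic and r.passed]
    return max(dates) if dates else None

def find_gaps(people, records, today):
    """Return (name, topic, reason) for every requirement not currently satisfied."""
    gaps = []
    for p in people:
        done = latest_passed(records, p.name, INDUCTION_TOPIC)
        if done is None:
            gaps.append((p.name, INDUCTION_TOPIC, "induction never passed"))
        elif done > p.start_date:
            late = (done - p.start_date).days
            gaps.append((p.name, INDUCTION_TOPIC, f"induction passed {late} days after start"))
        for topic, freq in required_topics(p):
            done = latest_passed(records, p.name, topic)
            if done is None:
                gaps.append((p.name, topic, "never passed"))
                continue
            due = done + timedelta(days=FREQUENCY_DAYS[freq])
            if due < today:
                gaps.append((p.name, topic, f"overdue by {(today - due).days} days"))
    return gaps

def completion_figures(people, records, today):
    """(requirements in date, total requirements): the completion rate auditors ask for."""
    total = sum(1 + len(required_topics(p)) for p in people)  # 1 for induction
    return total - len(find_gaps(people, records, today)), total

# Constructed sample data (not real personnel); a fixed 'today' keeps the output reproducible.
TODAY = date(2024, 6, 1)
PEOPLE = [
    Person("alice", "Developers", date(2022, 1, 10)),
    Person("bob", "Finance", date(2023, 9, 4)),
    Person("carol", "C-Level", date(2019, 3, 1)),
    Person("dan", "Developers", date(2024, 5, 20)),  # new starter
]
RECORDS = [
    TrainingRecord("alice", INDUCTION_TOPIC, date(2022, 1, 10), True),
    TrainingRecord("alice", "Phishing & Passwords", date(2024, 5, 15), True),
    TrainingRecord("alice", "Secure Coding (OWASP)", date(2023, 4, 3), True),  # annual, lapsed
    TrainingRecord("bob", INDUCTION_TOPIC, date(2023, 9, 4), True),
    TrainingRecord("bob", "Phishing & Passwords", date(2024, 5, 20), True),
    TrainingRecord("bob", "Invoice Fraud / CEO Fraud", date(2024, 3, 15), True),
    TrainingRecord("carol", INDUCTION_TOPIC, date(2019, 3, 1), True),
    TrainingRecord("carol", "Phishing & Passwords", date(2024, 4, 1), True),
    TrainingRecord("carol", "Phishing & Passwords", date(2024, 5, 10), False),  # failed quiz
    TrainingRecord("carol", "Whaling / Travel Security", date(2023, 11, 20), True),
    TrainingRecord("dan", INDUCTION_TOPIC, date(2024, 5, 28), True),  # 8 days after start
    TrainingRecord("dan", "Phishing & Passwords", date(2024, 5, 28), True),
]

if __name__ == "__main__":
    for gap in find_gaps(PEOPLE, RECORDS, TODAY):
        print(*gap, sep=" | ")
```

With the sample data the report lists four gaps and a completion figure of 8 of 12 requirements in date, the kind of number the auditor's “why have 15% of your staff not completed the refresher?” question is aimed at.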
ISO 27001 Annex A 6.3 Implementation Checklist
ISO 27001 Annex A 6.3 Information Security Awareness, Education And Training Implementation Checklist:
Define Target Audience & Objectives
Challenge
- Identifying specific needs and tailoring programs to different roles (e.g., executives, IT staff, end-users).
Solution
- Conduct role-based risk assessments to understand information security threats and vulnerabilities specific to each role.
- Create tailored training programs with clear learning objectives.
Develop a Training Program
Challenge
- Ensuring training is engaging, effective, and covers all necessary topics (e.g., data classification, security policies, incident response).
Solution
- Utilise a variety of training methods (e.g., online courses, workshops, simulations, gamification) to keep employees engaged.
- Regularly review and update training materials based on new threats and vulnerabilities.
Implement Training Delivery
Challenge
- Ensuring all employees receive the necessary training, including new hires and contractors.
Solution
- Integrate training into onboarding processes for all new employees and contractors.
- Establish a system for tracking training completion and maintaining records.
Conduct Training Assessments
Challenge
- Evaluating the effectiveness of training programs and identifying areas for improvement.
Solution
- Conduct regular assessments (e.g., knowledge tests, surveys, simulated phishing attacks) to measure employee understanding and retention of training materials.
- Analyse assessment results to identify areas for improvement and adjust training programs accordingly.
Promote Security Awareness
Challenge
- Maintaining employee awareness of security threats and best practices on an ongoing basis.
Solution
- Utilise various communication channels (e.g., newsletters, posters, email alerts, security bulletins) to disseminate security information and reminders.
- Conduct regular security campaigns and awareness events.
Address Security Incidents
Challenge
- Ensuring employees know how to report and respond to security incidents.
Solution
- Develop clear incident reporting procedures and provide employees with easy-to-use reporting mechanisms.
- Conduct regular incident response drills and simulations to test employee preparedness.
Manage Training Records
Challenge
- Maintaining accurate and up-to-date training records for all employees.
Solution
- Implement a centralised training records management system.
- Ensure all training records are properly documented, including dates, topics, and completion status.
Continual Improvement
Challenge
- Regularly reviewing and improving the information security awareness and training program.
Solution
- Conduct periodic reviews of the training program to assess its effectiveness and identify areas for improvement.
- Gather feedback from employees and stakeholders to identify training needs and preferences.
Address Cultural Factors
Challenge
- Ensuring that the information security culture within the organisation supports and encourages secure behaviour.
Solution
- Promote a culture of security awareness and responsibility at all levels of the organisation.
- Lead by example and demonstrate commitment to information security from senior management.
Compliance with Legal and Regulatory Requirements
Challenge
- Ensuring that the information security awareness and training program complies with all relevant legal and regulatory requirements.
Solution
- Stay informed of all applicable laws and regulations related to information security.
- Regularly review and update the training program to ensure compliance.
How to pass the audit of ISO 27001 Annex A 6.3
To comply with ISO 27001 Annex A 6.3 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:
- Consider a specialist training tool
- Write, sign off, implement and communicate your information security awareness plan
- Write, sign off, implement and communicate your information security training plan
- Implement your training and awareness that includes the consequences of violating policies and procedures
- Implement your communication plan to communicate to relevant and interested parties
- Ensure that the training and awareness process meets all laws as well as local laws and regulations
- Keep records of all training and awareness as evidence
- Consider the ISO 27001 competency matrix to ensure you have the required skills for information security
- Implement a process of internal audit that checks that the appropriate controls are in place and effective and where they are not follow the continual improvement process to address the risks
What the auditor will check
The audit is going to check a number of areas for compliance with Annex A 6.3. Let's go through them.
1. That you have done information security training and awareness
The auditor will meet with HR and those responsible for training and awareness and check that there is a plan and that you are following that plan. The easiest way to do this is to get a specialist training tool, but you can do it manually. Just be sure you can evidence that it happened, that people understood it and that you have records. They will check this training for things like annual training on Data Protection and Information Security, and look at the onboarding process to see how you address it for new hires.
2. That you have communicated the training and awareness process
The process needs to be communicated to relevant and interested parties. The audit will check the training and awareness plan and the communication plan, and look for past evidence that this has happened.
3. That people are aware of their responsibilities
The audit is going to check for documented processes and documented topic-specific policies, that these have been communicated, and that people have been trained on what is required of them.
ISO 27001 Annex A 6.3 Audit Checklist
ISO 27001 Annex A 6.3 Information Security Awareness, Education And Training Audit Checklist:
Review Awareness & Training Program Documentation
Examine the documented information security awareness and training program, including objectives, scope, target audience, and training materials.
Verify that the program aligns with the organisation’s risk assessment and information security policy.
Assess Training Needs Analysis
Determine if the organisation has conducted a thorough training needs analysis to identify specific training requirements for different roles and responsibilities.
Evaluate whether the analysis considers factors like job roles, access levels, and potential threats.
Examine Training Materials
Review training materials for accuracy, relevance, and effectiveness in conveying key information security concepts.
Check for clarity, conciseness, and appropriate language for the target audience.
Verify Training Delivery Methods
Evaluate the variety and effectiveness of training delivery methods used (e.g., online courses, workshops, simulations, presentations).
Assess whether the chosen methods are engaging and suitable for different learning styles.
Assess Training Records
Verify the accuracy and completeness of training records, including attendance, completion dates, and assessment results.
Ensure that records are maintained securely and for the appropriate retention period.
Evaluate Training Effectiveness
Review the methods used to evaluate training effectiveness (e.g., knowledge tests, surveys, simulated phishing attacks).
Analyse the results of these evaluations to identify areas for improvement in the training program.
Assess Awareness Campaigns
Examine the methods used to promote ongoing security awareness (e.g., newsletters, posters, security bulletins).
Evaluate the effectiveness of these campaigns in raising employee awareness and changing behaviour.
Interview Key Personnel
Conduct interviews with key personnel involved in the training program, including trainers, managers, and employees.
Gather their perspectives on the effectiveness and relevance of the training.
Observe Training Sessions
If possible, observe training sessions to assess the delivery style, participant engagement, and overall quality of the training.
Check for Compliance with Legal and Regulatory Requirements
Verify that the information security awareness and training program complies with all relevant legal and regulatory requirements.
Top 3 ISO 27001 Annex A 6.3 mistakes and how to avoid them
In my experience, the top 3 mistakes people make for ISO 27001 Information Security Awareness Education and Training are
1. You have no evidence that anything actually happened
You need to keep records and minutes of everything. You need a paper trail to show it was done. Make sure you have updated communication plans and training plans and you can evidence that it took place. If it isn’t written down it didn’t happen.
2. One or more members of your team haven’t done what they should have done
Prior to the audit, check that all members of the team have done what they should have. Do they know where the process documents are in relation to the training and awareness process? Has everyone done the training they should have done in the time they should have done it? Is the communication plan up to date, with evidence that communications on awareness have taken place? Do a pre-audit as close to the audit as you can that checks the training and awareness process and the HR team that will be involved. Assuming they are doing the right thing is a recipe for disaster. Check!
3. Your document and version control is wrong
Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents that contain no leftover comments are all good practices.
Applicability of ISO 27001 Annex A 6.3 across different business models.
| Business Type | Applicability | Examples of Control Implementation |
|---|---|---|
| Small Businesses | Highly applicable for reducing human risk in small teams where one mistake can be devastating. | Focus is on fundamental hygiene (passwords, phishing) and ensuring everyone knows how to report a lost device. |
| Tech Startups | Critical for managing a fast-growing, often remote-first workforce. | Compliance involves role-specific education to ensure that technical teams and high-privilege users understand their unique responsibilities. |
| AI Companies | Vital for protecting specialized IP and high-value research data. | Focus is on advanced social engineering threats (like Whaling) and educating researchers on the risks of data poisoning or model exfiltration. |
Fast Track ISO 27001 Annex A 6.3 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 6.3 (Information security awareness, education and training), the requirement is to ensure all personnel receive appropriate training and regular updates on security policies relevant to their job functions. This is about fostering a culture of security responsibility.
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Strategy Ownership | Rents access to your training logs; if you cancel the subscription, your documented competence matrices and training history vanish. | Permanent Assets: Fully editable Word/Excel Awareness Policies and Training Matrices that you own forever. | A localized “Competence Training Matrix” defining mandatory security topics for Developers vs. HR staff. |
| Operational Simplicity | Mandates rigid LMS modules that often duplicate your existing onboarding workflows and HR systems. | Governance-First: Formalizes your existing training tools (phishing simulators, workshops) into an auditor-ready framework. | An Awareness Training Plan proving that security updates are delivered regularly, not just during onboarding. |
| Cost Efficiency | Charges a “Per-Employee Tax” that scales costs aggressively as your headcount and organizational complexity grow. | One-Off Fee: A single payment covers your training governance for 5 employees or 5,000. | Allocating budget to specialized secure-coding training rather than a monthly software “seat” fee. |
| Learning Stack Freedom | Forces generic, “one-size-fits-all” training videos that may not reflect your specific business risks or company culture. | 100% Agnostic: Procedures adapt to any content—Lunch-and-Learns, phishing simulators, or interactive workshops. | The ability to switch training content providers or methods without reconfiguring a rigid SaaS compliance module. |
Own Your ISMS, Don’t Rent It
Do it Yourself ISO 27001 with the Ultimate ISO 27001 Toolkit
Summary: For Annex A 6.3, the auditor wants to see that you have a formal plan for training and awareness and proof that people have completed it. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 6.3 FAQ
What is ISO 27001 Annex A 6.3?
ISO 27001 Annex A 6.3 is an organisational control that mandates all personnel receive appropriate information security awareness, education, and training regularly.
- It aims to reduce human error, which is the leading cause of security breaches.
- It requires training to be tailored to specific organisational roles and risks.
- It mandates that awareness should be ongoing, not just a one-off induction event.
- It applies to all employees, contractors, and relevant third-party users.
How often is ISO 27001 security awareness training required?
ISO 27001 requires that security awareness training is conducted at regular intervals, which is universally interpreted by auditors as at least annually or when significant changes occur.
- Annual training is the minimum requirement for most certification bodies.
- Immediate “refresher” sessions should occur following a security incident or policy change.
- Ongoing awareness campaigns (e.g., monthly newsletters) should supplement formal training.
- New starters must receive training as part of their initial onboarding induction.
Is security awareness training mandatory for all employees?
Yes, ISO 27001 Annex A 6.3 makes security awareness training mandatory for every individual working under the organisation’s control, regardless of their seniority.
- Executive leadership must participate to demonstrate a “Tone at the Top” culture.
- Contractors and freelancers must be included if they access sensitive systems.
- Technical teams require additional, specialised training (e.g., secure coding).
- General staff focus on common threats like phishing and physical security.
What topics must be covered in ISO 27001 training?
Training must cover the organisation’s specific security policies, legal requirements, and common technical threats relevant to the user’s role.
- Phishing awareness and social engineering defence.
- Password management and Multi-Factor Authentication (MFA) usage.
- Physical security protocols and clear desk/clear screen policies.
- Procedures for reporting security events and suspected weaknesses.
How do you prove training compliance to an ISO 27001 auditor?
Auditors require verifiable evidence that training was delivered, understood, and attended by the relevant personnel.
- Attendance logs or digital certificates from a Learning Management System (LMS).
- Quiz scores or assessment results to prove the “Education” element was successful.
- Signed acknowledgements of the Information Security Policy (ISP).
- Samples of awareness materials such as internal posters or email campaigns.
What is the difference between awareness, education, and training?
ISO 27001 distinguishes between these three to ensure a holistic approach to the human element of information security.
- Awareness: High-level reminders of security threats (e.g., posters or newsletters).
- Training: Formal instruction on how to perform specific tasks safely (e.g., using a VPN).
- Education: Deeper learning to understand the “why” behind security controls and risks.
Related ISO 27001 Controls
ISO 27001 Annex A 8.18 Use of Privileged Utility Programs
ISO 27001 Clause 7.3 Awareness
Further Reading
ISO 27001 Awareness Beginner’s Guide
ISO 27001 Information Security Awareness Training Policy Template
ISO 27001 Annex A 6.3 Attributes Table
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Availability, Confidentiality, Integrity | Protect | Human resource security | Governance and ecosystem |
