ISO 27001 Annex A 6.3 Information Security Awareness, Education And Training


ISO 27001 Information Security Awareness, Education And Training

In this ultimate guide to ISO 27001 Annex A 6.3 Information Security Awareness, Education And Training you will learn

  • What is ISO 27001 Annex A 6.3
  • How to implement ISO 27001 Annex A 6.3

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

What is ISO 27001 Annex A 6.3 Information Security Awareness, Education And Training?

ISO 27001 Annex A 6.3 Information Security Awareness, Education and Training is an ISO 27001 control that requires you to educate people on information security. This ranges from security awareness training and education to regular updates on your information security policy, topic-specific policies and processes.

ISO 27001 Annex A 6.3 Purpose

ISO 27001 Annex A 6.3 is a preventive control. Its purpose is to ensure that people are aware of their responsibilities for information security and that they meet them.

ISO 27001 Annex A 6.3 Definition

The ISO 27001 standard defines ISO 27001 Annex A 6.3 as:

Personnel of the organisation and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organisation's information security policy, topic-specific policies and procedures, as relevant for their job function.

ISO 27001:2022 Annex A 6.3 Information Security Awareness, Education and Training


ISO 27001 Annex A 6.3 Implementation Guide

You are going to have to

  • decide what information security training and awareness to do based on organisation risk and needs
  • plan your training and awareness for the next 12 months
  • develop, build and implement your training and awareness materials
  • deliver your training and awareness to those that need it
  • verify that people understand it
  • keep records of all training and awareness

The headline guidance is to train people on information security. For more guidance on the ISO 27001 Security Training Policy and guidance on what and how to implement you can read our beginners guide to information security awareness and training.

Information Security Awareness, Education and Training Programme

You are going to put in place a plan for information security training. It is not that hard to do, but you want to think about what people will need to know and how you are going to communicate it. A great tool to help is the ISO 27001 communication plan. You should also consider an off-the-shelf training tool to help you.

What should information security awareness and training include?

The programme should cover your ISO 27001 policies: that is, the main information security policy and any ISO 27001 topic-specific policies. It should also cover your processes and procedures, specifically those around information security.

The list to consider including:

  • Leadership and management commitment to information security – it is top down after all
  • Requirements of relevant laws and regulations
  • People’s own accountability and responsibility for information security
  • How to report an event or incident
  • Where the information security policies are
  • Who you speak to if you have a question on information security

When to do information security awareness and training

The guidance in the standard is to do this periodically, but the approach that works best is to:

  • conduct annual awareness training in information security
  • conduct annual awareness training in data protection
  • conduct initial awareness training either pre employment or as part of the onboarding process
  • as things change or new things are introduced make people aware and train them
  • in response to incidents and as part of continual improvement you may require additional training or awareness

Information security training

Actual training is something you implement based on need. You identify who needs training and provide it to them. Some training is for everyone, and some training is a little more targeted and specific to certain people and roles.

It is good practice to consider different types of training, such as emails, web pages, stand-up meetings and classroom-based sessions, but most people opt for an off-the-shelf training package that makes most of the problem go away.

There is a requirement to verify understanding that most people interpret as taking a test of some sort. These are usually built into the off the shelf training packages.


ISO 27001 Templates

Having an ISO 27001 template for control 6.3 can help fast-track your implementation. The ISO 27001 Toolkit is the ultimate resource for your ISO 27001 implementation. If you don't want the entire ISO 27001 toolkit, a topic-specific policy template for information security awareness training and an ISO 27001 communication plan template can really help.

How to comply with ISO 27001 Annex A 6.3

To comply with ISO 27001 Annex A 6.3 you are going to implement the 'how' to the 'what' the control is expecting. In short, you are going to:

  • Consider a specialist training tool
  • Write, sign off, implement and communicate your information security awareness plan
  • Write, sign off, implement and communicate your information security training plan
  • Implement your training and awareness that includes the consequences of violating policies and procedures
  • Implement your communication plan to communicate to relevant and interested parties
  • Ensure that the training and awareness process meets all applicable laws and regulations, including local ones
  • Keep records of all training and awareness as evidence
  • Consider the ISO 27001 competency matrix to ensure you have the required skills for information security
  • Implement a process of internal audit that checks that the appropriate controls are in place and effective and where they are not follow the continual improvement process to address the risks

How to pass an audit of ISO 27001 Annex A 6.3

To pass an audit of ISO 27001 Annex A 6.3 you are going to make sure that you have followed the steps above in how to comply.

You are going to do that by first conducting an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.

What the auditor will check

The audit is going to check a number of areas for compliance with Annex A 6.3. Let's go through them.

1. That you have done information security training and awareness

The auditor will meet with HR and those responsible for training and awareness and check that there is a plan and that you are following it. The easiest way to do this is to get a specialist training tool, but you can do it manually. Just be sure you can evidence that it happened, that people understood it and that you have records. They will check this training for things like annual training on Data Protection and Information Security, and look at the onboarding process to see how you address it for new hires.

2. That you have communicated the training and awareness process

The process needs to be communicated to relevant and interested parties. The audit will check the training and awareness plan and the communication plan, and look for past evidence that this communication has happened.

3. That people are aware of their responsibilities

The audit is going to check for documented processes and documented topic-specific policy, and that these have been communicated and people have been trained on what is required of them.

Top 3 Mistakes People Make

In my experience, the top 3 mistakes people make for ISO 27001 Annex A 6.3 are:

1. You have no evidence that anything actually happened

You need to keep records and minutes of everything. You need a paper trail to show it was done. Make sure you have updated communication plans and training plans and you can evidence that it took place. If it isn’t written down it didn’t happen.

2. One or more members of your team haven’t done what they should have done

Prior to the audit, check that all members of the team have done what they should have. Do they know where the process documents are in relation to the training and awareness process? Has everyone done the training they should have done, in the time they should have done it? Is the communication plan up to date, with evidence that communications on awareness have taken place? Do a pre-audit as close to the audit as you can that checks the training and awareness process and the HR team that will be involved. Assuming they are doing the right thing is a recipe for disaster. Check!

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match wherever they are used, having a review evidenced in the last 12 months, and having documents that contain no stray comments are all good practices.

What are the Benefits of Information Security Awareness, Education and Training?

Other than your ISO 27001 certification requiring it, the following are the top 5 benefits of ISO 27001 Annex A 6.3 Information Security Awareness, Education and Training:

  1. You cannot get ISO 27001 certification without it.
  2. Improved security: You will have an effective information security implementation that is based on people who are trained and aware of the requirements for information security
  3. Reduced risk: By raising awareness of information security risks and teaching employees how to protect sensitive data, organisations can significantly reduce their risk of a data breach.
  4. Improved compliance: Many regulations, such as the General Data Protection Regulation (GDPR), require organisations to implement information security measures. By implementing an effective awareness, education, and training programme, organisations can demonstrate compliance with these regulations.
  5. Reputation Protection: In the event of a breach, having a training and awareness procedure in place will reduce the potential for fines and reduce the PR impact of the event.

Why is Information Security Training and Awareness important?

Information security training and awareness is important because it helps employees understand the risks associated with information security and how to protect sensitive data. By raising awareness of these risks and teaching employees how to mitigate them, organisations can significantly reduce their risk of a data breach.

Overall, information security training and awareness is a critical component of any organisation’s information security program. By implementing an effective program, organisations can reduce the risk of data breaches, improve employee productivity, enhance customer confidence, and reduce costs.

ISO 27001 Controls and Attribute values

  • Control type: Preventive
  • Information security properties: Availability, Confidentiality, Integrity
  • Cybersecurity concepts: Protect
  • Operational capabilities: Human resource security
  • Security domains: Governance and ecosystem