ISO 27001 Information Security Awareness, Education and Training – Annex A 6.3

What is ISO 27001:2022 Annex A 6.3?

6.3 Information Security Awareness, Education and Training is an ISO 27002:2022 control that wants you to educate people on information security. From security awareness training and education to regular updates on your information security policy, topic specific policies and processes.

ISO 27001:2022 Annex A 6.3 Purpose

Annex A 6.3 is a preventive control that ensures that people are aware of their responsibilities for information security and that they meet them.

ISO 27001:2022 Annex A 6.3 Definition

The ISO 27001:2022 standard defines ISO 27001:2022 Annex A 6.3 as:

Personnel of the organisation and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organisations information security policy, topic-specific policies and procedures, as relevant for their job function.

ISO 27001:2022 Annex A 6.3 Information Security Awareness, Education and Training

ISO 27001:2022 Annex A 6.3 Implementation Guide

You are going to have to

• decide what information security training and awareness to do based on organisation risk and needs
• plan your training and awareness for the next 12 months
• develop, build and implement your training and awareness materials
• deliver your training and awareness to those that need it
• verify that people understand it
• keep records of all training and awareness

The headline guidance is to train people on information security. For more guidance on the ISO 27001 Security Training Policy and guidance on what and how to implement you can read our beginners guide to information security awareness and training.

Information Security Awareness, Eduction and Training Programme

You are going to put in place and plan for information security training. It is not that hard to do but you want to think about what people will need to know about and how you are going to communicate that. A great tool to help is the ISO 27001 communication plan. You will also consider an off the shelf training tool to help you.

What should information security awareness and training include?

The programme should consider your ISO 27001 policies. That is the main information security policy and any ISO 27001 topic specific policies. It should also include your processes and procedures, specifically around information security.

The list to consider including:

• Leadership and management commitment to information security – it is top down after all
• Requirements of relevant laws and regulations
• People’s own accountability and responsibility for information security
• How to report an event of incident
• Where the information security policies are
• Who you speak to if you have a question on information security

When to do information security awareness and training

The guidance is periodically but the best approach is

• conduct annual awareness training in information security
• conduct annual awareness training in data protection
• conduct initial awareness training either pre employment or as part of the onboarding process
• as things change or new things are introduced make people aware and train them
• in response to incidents and as part of continual improvement you may require additional training or awareness

Information security training

Actual training is something you implement based on need. You identify who needs training and provide it to them. Some training is for everyone, and some training is a little more targeted and specific to certain people and roles.

It is good practice to consider different types of training, such as emails, web pages, stand up meetings, classroom based but most people opt for an off the shelf training package that makes most of the problem go away.

There is a requirement to verify understanding that most people interpret as taking a test of some sort. These are usually built into the off the shelf training packages.

ISO 27001 Annex A 6.3 Templates

Having an ISO 27001 template for control 6.3 can help fast track your implementation. The ISO 27001 Document Toolkit is a the ultimate resource for your ISO 27001 implementation. Having a topic specific policy for information security awareness training template and an ISO 27001 communication plan template can really help if you don’t want the entire ISO 27001 toolkit.

How to comply with ISO 27001:2022 Annex A 6.3

To comply with ISO 27001 Annex A 6.3 you are going to implement the ‘how’ to the ‘what’ the control is expecting. In short measure you are going to:

• Consider a specialist training tool
• Write, sign off, implement and communicate your information security awareness plan
• Write, sign off, implement and communicate your information security security plan
• Implement your training and awareness that includes the consequences of violating policies and procedures
• Implement your communication plan to communicate to relevant and interested parties
• Ensure that the training and awareness process meets all laws as well as local laws and regulations
• Keep records of all training and awareness as evidence
• Consider the ISO 27001 competency matrix to ensure you have the required skills for information security
• Implement a process of internal audit that checks that the appropriate controls are in place and effective and where they are not follow the continual improvement process to address the risks

How to pass an audit of ISO 27001:2022 Annex A 6.3

To pass an audit of ISO 27001 Annex A 6.3 you are going to make sure that you have followed the steps above in how to comply.

You are going to do that by first conducting an internal audit, following the How to Conduct an ISO 27001 Internal Audit Guide.

What will an audit check?

The audit is going to check a number of areas for compliance with Annex A 6.3. Lets go through them

1. That you have done information security training and awareness

The auditor will meet with the HR and those responsible for training and awareness and check that it there is a plan and that you are following that plan. The easiest way to do this is get a specialist training tool but you can do it manually. Just be sure to be able to evidence that it happened, people understood it and you have records. They will check this training for things like annual training on Data Protection and Information Security and look at the onboarding process to see how you address it for new hires.

2. That you have communicated the training and awareness process

The process needs to be communicated to relevant and interested parties. The audit will check that the training and awareness plan and the communication plan and look for past evidence that this has happened.

3. That people are aware of their responsibilities

The audit is going to check for documented processes, documented topic specific policy and these have been communicated and people have been trained on what is required of them.

Top 3 Mistakes People Make for ISO 27001:2022 Annex A 6.3

In my experience, the top 3 mistakes people make for ISO 27001 Annex A 6.3 are

1. You have no evidence that anything actually happened

You need to keep records and minutes of everything. You need a paper trail to show it was done. Make sure you have updated communication plans and training plans and you can evidence that it took place. If it isn’t written down it didn’t happen.

2. One or more members of your team haven’t done what they should have done

Prior to the audit check that all members of the team have done what they should have. Do they know where the process documents are in relation to the training and awareness process? Has everyone done the training they should have done in the time they should have done it? Is the communication plan up to date with evidence that communications on awareness have taken place. Do a pre audit as close to the audit as you can that checks the training and awareness process and the HR team that will be involved. Assuming they are doing the right thing is a recipe for disaster. Check!

3. Your document and version control is wrong

Keeping your document version control up to date, making sure that version numbers match where used, having a review evidenced in the last 12 months, having documents that have no comments in are all good practices.

What are the Benefits of Information Security Awareness, Education and Training?

Other than your ISO 27001 certification requiring it, the following are the top 5 benefits of ISO 27001:2022 Annex A 6.3 Information Security Awareness, Education and Training: 

1. You cannot get ISO 27001 certification without it.
2. Improved security: You will have an effective information security implementation that is based on people who are trained and aware of the requirements for information security
3. Reduced risk: By raising awareness of information security risks and teaching employees how to protect sensitive data, organisations can significantly reduce their risk of a data breach.
4. Improved compliance:  Many regulations, such as the General Data Protection Regulation (GDPR), require organizations to implement information security measures. By implementing an effective awareness, education, and training program, organisations can demonstrate compliance with these regulations.
5. Reputation Protection: In the event of a breach having a training and awareness procedure in place will reduce the potential for fines and reduce the PR impact of an event

Why is Information Security Training and Awareness important?

Information security training and awareness is important because it helps employees understand the risks associated with information security and how to protect sensitive data. By raising awareness of these risks and teaching employees how to mitigate them, organisations can significantly reduce their risk of a data breach.

Overall, information security training and awareness is a critical component of any organization’s information security program. By implementing an effective program, organisations can reduce the risk of data breaches, improve employee productivity, enhance customer confidence, and reduce costs.

Get the Help of the ISO 27001 Ninja

Book your FREE 30 Minute ISO 27001 Strategy Call and let me show you how you can do it 30x cheaper and 10x faster that you ever thought possible.

Matrix of ISO 27001:2022 Controls and ISO 27001:2022 Attribute values

Control type	Information security properties	Cybersecurity concepts	Operational capabilities	Security domains
#Preventive	#Availability #Confidentiality #Integrity	#Protect	#Human_resource_security	#Governance_and_ecosystem

Reference

ISO/IEC 27001 Information Security Management