ISO 27001 Clause 7.3 Audit Checklist

Auditing ISO 27001 Clause 7.3 ensures that all employees actively understand their role in the Information Security Management System (ISMS). The audit confirms the primary implementation requirement: that staff are aware of what the security policy means for them and of the risks that follow from non-conformity. The business benefit is a security-conscious culture that minimises human error and strengthens organisational resilience.

Use this pass/fail checklist to strictly validate compliance with ISO 27001 Clause 7.3 (Awareness). For a detailed methodology on how to conduct the interviews and system tests required to generate this evidence, refer to our Clause 7.3 Audit Guide.

1. Policy Accessibility & Communication Verified

  • Verification Criteria: The Information Security Policy is not just “stored” but actively communicated to all personnel in a way that is easily accessible (e.g., Intranet, Knowledge Base).
  • Required Evidence: System logs showing policy distribution emails or Intranet analytics proving active access by staff.
  • Pass/Fail Test: If an employee is asked “Where is the security policy?” and cannot locate it within 30 seconds, mark as Non-Compliant.

2. Personal Contribution Understanding Confirmed

  • Verification Criteria: Employees can articulate how their specific daily role contributes to the effectiveness of the ISMS (e.g., “I verify invoices to prevent fraud”).
  • Required Evidence: Interview notes from random staff sampling (3-5 employees) linking job descriptions to security responsibilities.
  • Pass/Fail Test: If staff view security solely as “IT’s job” and cannot name one security responsibility they personally hold, mark as Non-Compliant.

3. Knowledge of Non-Conformity Consequences Verified

  • Verification Criteria: Staff are aware of the specific disciplinary actions or business risks that result from failing to follow security rules.
  • Required Evidence: The “Sanctions” or “Disciplinary Policy” section in the Employee Handbook, signed by the employee.
  • Pass/Fail Test: If an employee believes there are no formal consequences for sharing their password, mark as Non-Compliant.

4. Structured Awareness Programme Plan Verified

  • Verification Criteria: A formal, scheduled “Awareness Plan” exists that outlines activities throughout the year, rather than ad-hoc, reactive emails.
  • Required Evidence: The “Annual Awareness Schedule” document showing planned dates for phishing tests, newsletters, and training modules.
  • Pass/Fail Test: If the only evidence of awareness is the initial induction training with no follow-up scheduled, mark as Non-Compliant.

5. Content Relevance & Targeting Verified

  • Verification Criteria: Awareness content is tailored to the audience (e.g., Developers get secure coding training; HR gets PII handling training).
  • Required Evidence: Training matrices showing different content assigned to “High Risk” vs. “General” staff roles.
  • Pass/Fail Test: If the Finance team and the cleaning staff receive the exact same generic technical training, mark as Non-Compliant.

6. Lifecycle Integration (Onboarding/Offboarding) Verified

  • Verification Criteria: Security awareness is embedded into the HR lifecycle, from day-one induction to exit interviews.
  • Required Evidence: Onboarding checklists showing “Security Training” as a mandatory gate before full system access is granted.
  • Pass/Fail Test: If a new starter has access to sensitive data before completing their security induction, mark as Non-Compliant.

7. Ongoing Communication Evidence Present

  • Verification Criteria: Security messaging is integrated into regular business communications (newsletters, Town Halls) and is not silent for months at a time.
  • Required Evidence: Copies of the last 3 internal newsletters or All-Hands meeting agendas featuring a security update.
  • Pass/Fail Test: If the last communication regarding security is dated more than 3 months ago, mark as Non-Compliant.

8. Programme Effectiveness Measured

  • Verification Criteria: The organisation measures behaviour change (e.g., click rates on phishing sims), not just “attendance” or “completion.”
  • Required Evidence: Phishing simulation reports showing a trend line of improved reporting rates or reduced click rates over time.
  • Pass/Fail Test: If you have 100% training completion but phishing click rates are increasing, mark effectiveness as Non-Compliant.

9. Comprehension Testing Verified

  • Verification Criteria: Staff are tested on their understanding of the training material via quizzes or practical assessments.
  • Required Evidence: LMS (Learning Management System) reports showing quiz scores (e.g., “Pass mark 80% required”).
  • Pass/Fail Test: If the training allows users to click “Next” without any knowledge check or quiz, mark as Non-Compliant.

10. Continual Improvement of Programme Verified

  • Verification Criteria: The awareness programme is updated based on feedback, new threats, or incidents.
  • Required Evidence: Management Review minutes discussing awareness metrics and authorising updates to the content.
  • Pass/Fail Test: If the training slides have not been updated in 2 years despite new threat landscapes (e.g., AI risks), mark as Non-Compliant.

ISO 27001 Clause 7.3 SaaS / GRC Platform Failure Checklist

Each entry below gives the control requirement, the “checkbox compliance” trap a SaaS or GRC platform can fall into, and the reality check the auditor must apply.

Active Comprehension
  • The “Checkbox Compliance” Trap: Tool logs “User viewed document” as success.
  • The Reality Check: Auditor must verify time-on-page. If a user “read” a 50-page policy in 12 seconds, the tool failed to verify awareness.

Role-Based Content
  • The “Checkbox Compliance” Trap: Tool sends the same “Security 101” video to everyone.
  • The Reality Check: Auditor must check assignment rules. Does the CFO get “CEO Fraud” training? Do Devs get “OWASP” training? If not, it fails “Relevance.”

Phishing Integration
  • The “Checkbox Compliance” Trap: Phishing tool is separate from Training tool.
  • The Reality Check: Auditor must check for remedial triggers. If a user clicks a phishing link, does the platform automatically assign extra training?

Contractor Coverage
  • The “Checkbox Compliance” Trap: Tool only syncs with Active Directory (Employees).
  • The Reality Check: Auditor must manually check Contractors. Are freelancers in the training portal? Usually, they are missed because they lack AD accounts.

Update Management
  • The “Checkbox Compliance” Trap: Library contains outdated “Password Rotation” advice.
  • The Reality Check: Auditor must review the content library date. Generic SaaS libraries often lag behind NIST/ISO best practices (e.g., still advising 90-day resets).

Feedback Loops
  • The “Checkbox Compliance” Trap: No mechanism for users to rate content.
  • The Reality Check: Auditor must check for survey features. How does the org know if the training is effective if the tool collects no user feedback?
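The three reality checks that can be run mechanically (time-on-page, remedial triggers after a phishing click, and contractor coverage) are shown below as an added example, not code from this checklist or from any GRC platform. The sample records are constructed to mimic LMS, phishing-simulator and HR exports; the 10-seconds-per-page threshold and the 7-day remediation window are assumptions the auditor would set, not values from the page.

```python
from datetime import date, timedelta

# Constructed sample exports (not from any real platform).
POLICY_VIEWS = [
    {"user": "alice", "doc": "InfoSec Policy v4", "pages": 50, "seconds": 12},
    {"user": "bob",   "doc": "InfoSec Policy v4", "pages": 50, "seconds": 1900},
    {"user": "carol", "doc": "Acceptable Use v2", "pages": 6,  "seconds": 95},
]
PHISHING_CLICKS = [
    {"user": "alice", "clicked_on": date(2024, 3, 4)},
    {"user": "dave",  "clicked_on": date(2024, 3, 6)},
]
TRAINING_ASSIGNMENTS = [
    {"user": "alice", "module": "Phishing refresher", "assigned_on": date(2024, 3, 5)},
    {"user": "bob",   "module": "Security 101",       "assigned_on": date(2024, 1, 10)},
]
# HR roster: "source" records where the identity comes from. The training
# portal below only synchronises Active Directory accounts.
WORKFORCE = [
    {"user": "alice", "source": "AD"},
    {"user": "bob",   "source": "AD"},
    {"user": "carol", "source": "AD"},
    {"user": "dave",  "source": "AD"},
    {"user": "erin",  "source": "contractor"},
]
PORTAL_USERS = {"alice", "bob", "carol", "dave"}

MIN_SECONDS_PER_PAGE = 10   # assumed: below this, a "read" is not credible
REMEDIATION_WINDOW_DAYS = 7  # assumed: remedial training must follow a click within a week


def implausible_reads(views, min_seconds_per_page=MIN_SECONDS_PER_PAGE):
    """Active Comprehension check: flag policy acknowledgements whose
    time-on-page is too short per page to count as evidence of awareness."""
    flagged = []
    for v in views:
        per_page = v["seconds"] / v["pages"]
        if per_page < min_seconds_per_page:
            flagged.append((v["user"], v["doc"], round(per_page, 2)))
    return flagged


def missing_remediation(clicks, assignments, window_days=REMEDIATION_WINDOW_DAYS):
    """Phishing Integration check: every simulated-phish click should be
    followed by a training assignment inside the window; return users where
    no such assignment exists."""
    gaps = []
    for c in clicks:
        deadline = c["clicked_on"] + timedelta(days=window_days)
        remedial = [
            a for a in assignments
            if a["user"] == c["user"] and c["clicked_on"] <= a["assigned_on"] <= deadline
        ]
        if not remedial:
            gaps.append(c["user"])
    return sorted(gaps)


def uncovered_workforce(workforce, portal_users):
    """Contractor Coverage check: anyone on the HR roster who has no account
    in the training portal, regardless of whether they hold an AD identity."""
    return sorted(w["user"] for w in workforce if w["user"] not in portal_users)


def audit_report(views=POLICY_VIEWS, clicks=PHISHING_CLICKS,
                 assignments=TRAINING_ASSIGNMENTS, workforce=WORKFORCE,
                 portal_users=PORTAL_USERS):
    """Collect the three findings; each non-empty list is a Non-Compliant mark."""
    return {
        "implausible_reads": implausible_reads(views),
        "missing_remediation": missing_remediation(clicks, assignments),
        "uncovered_workforce": uncovered_workforce(workforce, portal_users),
    }


if __name__ == "__main__":
    for check, findings in audit_report().items():
        status = "Non-Compliant" if findings else "Compliant"
        print(f"{check}: {status} {findings}")
```

On the constructed data the report flags alice's 50-page policy "read" at 0.24 seconds per page, dave's phishing click with no remedial assignment, and erin, the contractor absent from the portal; bob and carol pass every check. Swapping the constructed lists for real exports is the only change needed to run it against an organisation's own evidence.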

About the author

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
