The Ultimate Guide to ISO 27001 Clause 7.3: Awareness

Last updated Sep 10, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Awareness

ISO 27001 Awareness is the requirement to educate and communicate to people about the information security risks they face, what they should be doing and the consequences of not doing it.

In ISO 27001 this is known as ISO27001:2022 Clause 7.3 Awareness. It is one of the mandatory ISO 27001 clauses.

ISO 27001 Awareness is about making people aware of the risks to information security so they can be better prepared and better protected.

What is ISO 27001 Clause 7.3 and Why is it Important?

ISO 27001 Clause 7.3 is awareness and requires you to communicate and make people aware of the information security policy, how they contribute to information security and the consequences of not conforming to information security.

For ISO 27001 certification the standard wants you to let people know what you expect of them, educate them, and have a process in place for when things go wrong.

Purpose and Definition

The purpose of ISO 27001 clause 7.3 Awareness is to make sure people are aware of information security and what they need to do. It is part of implementing a culture of information security into the organisation.

The ISO 27001 standard defines ISO 27001 clause 7.3 Awareness as:

Persons doing work under the organisation’s control shall be aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
c) the implications of not conforming with the information security management system requirements.

ISO 27001:2022 Clause 7.3 Awareness

ISO 27001 Clause 7.3 Requirement

The requirement is to tell people what is expected of them and explain to them the consequences of not doing what is expected when it comes to information security.


ISO 27001 Clause 7.3 Explained: A Complete Guide

In this ISO 27001 tutorial, How to Implement ISO 27001 Clause 7.3 Awareness, I show you how to implement the clause and how to pass the audit.

How to implement ISO 27001 Clause 7.3: Step-By-Step

There are distinct phases in the journey of staff, contractors and third parties.

Each of those phases potentially requires a different level of communication.

One approach may work for everyone, but more likely you will need different communication styles and approaches depending on who the person is and where they are in their journey with you.

In this step by step implementation checklist to ISO 27001 awareness I show you, based on real world experience and best practice, the best way to implement Clause 7.3.

Time needed: 1 hour and 30 minutes

How to implement ISO 27001 Clause 7.3 Awareness

  1. Define the Information Security Awareness Objectives

    Clearly define what employees need to know and understand about information security. This should align with the organisation’s ISMS objectives and risk assessment. Conduct workshops with representatives from different departments to identify specific awareness needs based on their roles and responsibilities.

  2. Identify Target Audiences

    Segment employees into groups based on their roles, access levels, and potential risks they pose to information security. Tailor awareness programs to each group. Conduct a thorough analysis of roles and responsibilities to identify distinct target audiences and their respective needs.

  3. Develop Awareness Content

    Create engaging and relevant materials, including training presentations, videos, infographics, and posters. Avoid technical jargon and focus on practical examples. Use a variety of media, gamification, and real-world scenarios to make the content more appealing and memorable. Consider micro-learning modules for easier consumption.

  4. During Onboarding

    Include copies of the policies and the employee handbook as part of onboarding.
    Arrange a dedicated face-to-face session to explain the information security approach of the business, where the policies are, who is responsible for information security and how to raise a security incident.
    Cover how their role contributes to information security and what is required of them.
    Enrol them on the general information security awareness training and basic GDPR / data protection training, either in a training tool or face to face, and have them sign to confirm that they attended and understood it.

  5. Throughout the Year

    Plan your training and awareness throughout the year based on risk and business need.
    As well as the information security and data protection training, people may need educating on the risks of home working, or on the perils of phishing attacks.
    Awareness should be an ongoing process, not a single event.

  6. Annually

    Conduct the general information security awareness training and the general data protection training at least annually. Even if it is just a refresher, people should formally go through basic training once a year.

  7. On Ending Employment / Engagement

    At the end of employment or engagement, communicate the contractual obligations regarding information security that are, and will remain, in force after the person leaves.

  8. Continually improve

    Continually update your training and your awareness program to respond to known threats, risks and issues.

  9. Reinforce Awareness

    Integrate information security awareness into daily operations. Include security tips in emails, display posters in common areas, and discuss security topics in team meetings. Incorporate security awareness messages into existing communication channels and processes. Recognise and reward employees who demonstrate good security practices.

  10. Get an information security training tool

    Information security training is one of the few areas where we recommend a tool. Training tools come with pre-built courses and automate much of the awareness work: scheduling the training, verifying understanding with a test and reporting on completion are must-haves. They refresh their content annually, include modules on the topics most likely to be relevant to you, and, being online, can be taken by staff from anywhere.

  11. Communicate Regularly

    Information security awareness is not a one-time event. Communicate regularly through newsletters, emails, intranet posts, and informal reminders. Develop a communication plan that includes regular updates, but varies the format and content to keep employees engaged. Focus on positive reinforcement and success stories.

  12. Measure Effectiveness

    Track the effectiveness of awareness programs through surveys, quizzes, simulated phishing attacks, and analysis of security incidents. Establish clear metrics and use a combination of quantitative and qualitative methods to assess awareness levels and behavioural changes.

  13. Implement an information security training and awareness policy

    The information security training and awareness policy clearly sets out what you do for information security training and awareness and can be shared with staff, auditors and clients.

  14. Review and Update Awareness Materials

    Establish a process for regularly reviewing and updating awareness materials so they remain relevant and effective. Monitor industry trends, and incorporate feedback from employees and lessons learned from security incidents.

  15. Document Awareness Activities

    Maintain records of all awareness activities, including training attendance, communication materials, and evaluation results. This demonstrates compliance with ISO 27001. Use a centralised platform or system to manage awareness training and communication records.

  16. Promote a Security Culture

    Foster a culture where information security is everyone’s responsibility. Encourage employees to report security incidents and ask questions about security. Promote a positive security culture that emphasises the importance of security and empowers employees to take ownership of their security responsibilities. Lead by example from top management.
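The records the steps above produce (the HR roster, onboarding and annual refresher completions, training-tool quiz results) only evidence the clause if they reconcile with each other: every active person should have a current passing completion of each required course, and there should be no training records for people who are not on the roster. The following Python script is an added example and is not code from this page or its author. It assumes an HR roster export and a training-tool export in the column layouts of the constructed sample data it embeds, the annual refresher rule from step 6, and two further assumptions labelled in the code (a 30-day onboarding window and an 80% quiz pass mark). It reports a completion rate and a list of findings that an internal auditor can sample from.

```python
"""Reconcile an HR roster against training-tool completion records.

Added example, not code from the page or its author. Column names, the
30-day onboarding window and the 80% pass mark are assumptions.
"""
from __future__ import annotations

import csv
import io
from datetime import date, timedelta

REQUIRED_COURSES = ("security-awareness", "data-protection")
REFRESH_DAYS = 365        # annual refresher rule (step 6)
ONBOARD_GRACE_DAYS = 30   # assumption: new starters complete within 30 days
PASS_MARK = 80            # assumption: quiz score needed to count as understood

# Constructed sample HR export; a blank end_date means still active.
ROSTER_CSV = """email,start_date,end_date
alice@example.com,2023-01-09,
bob@example.com,2025-08-25,
carol@example.com,2022-05-02,
dave@example.com,2021-03-15,2025-06-30
"""

# Constructed sample training-tool export; one row per course attempt.
TRAINING_CSV = """email,course,completed,score
alice@example.com,security-awareness,2025-07-01,92
alice@example.com,data-protection,2025-07-01,88
bob@example.com,security-awareness,2025-09-01,70
carol@example.com,security-awareness,2024-06-10,95
carol@example.com,data-protection,2024-06-10,90
dave@example.com,security-awareness,2025-02-01,85
eve@example.com,security-awareness,2025-03-03,90
"""


def _parse_date(value: str) -> date | None:
    return date.fromisoformat(value) if value else None


def load_roster(text: str) -> dict:
    """email -> {"start": date, "end": date or None}."""
    return {
        row["email"]: {"start": _parse_date(row["start_date"]),
                       "end": _parse_date(row["end_date"])}
        for row in csv.DictReader(io.StringIO(text))
    }


def load_training(text: str) -> dict:
    """email -> list of course attempts with completion date and score."""
    attempts: dict = {}
    for row in csv.DictReader(io.StringIO(text)):
        attempts.setdefault(row["email"], []).append(
            {"course": row["course"], "completed": _parse_date(row["completed"]),
             "score": int(row["score"])})
    return attempts


def reconcile(roster_text: str, training_text: str, as_of: date) -> dict:
    """Finding kinds: overdue (last pass older than REFRESH_DAYS), pending
    (still inside the onboarding window), missing (window expired, no pass),
    orphan (training record for someone not on the roster)."""
    roster = load_roster(roster_text)
    training = load_training(training_text)
    cutoff = as_of - timedelta(days=REFRESH_DAYS)
    # Leavers are out of scope for refresher checks but stay in the roster set,
    # so their historical records are not flagged as orphans.
    active = {e: p for e, p in roster.items() if p["end"] is None or p["end"] > as_of}

    findings, compliant = [], 0
    for email, person in sorted(active.items()):
        for course in REQUIRED_COURSES:
            passes = [a["completed"] for a in training.get(email, [])
                      if a["course"] == course and a["score"] >= PASS_MARK]
            latest = max(passes, default=None)
            if latest is None:
                in_window = person["start"] + timedelta(days=ONBOARD_GRACE_DAYS) >= as_of
                findings.append((email, course, "pending" if in_window else "missing"))
            elif latest < cutoff:
                findings.append((email, course, "overdue"))
            else:
                compliant += 1

    for email in sorted(set(training) - set(roster)):
        findings.append((email, "*", "orphan"))

    required = len(active) * len(REQUIRED_COURSES)
    return {"as_of": as_of, "required": required, "compliant": compliant,
            "completion_rate": compliant / required if required else 1.0,
            "findings": findings}


if __name__ == "__main__":
    report = reconcile(ROSTER_CSV, TRAINING_CSV, as_of=date(2025, 9, 10))
    print(f"{report['compliant']}/{report['required']} required completions "
          f"current ({report['completion_rate']:.0%})")
    for email, course, kind in report["findings"]:
        print(f"  {kind:8s} {email:20s} {course}")
```

Run against real exports, the finding list is the sample an auditor would draw from: "overdue" and "missing" rows are non-conformities against the annual rule, "pending" rows are new starters you can show are scheduled, and "orphan" rows show the training records are not complete and accurate and need correcting before the audit.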

How can an ISO 27001 Toolkit help with ISO 27001 Clause 7.3 Awareness?

For ISO 27001 Clause 7.3 Awareness the entire ISO 27001 toolkit is relevant but in particular the following templates directly support this ISO 27001 clause:

ISO 27001 Training and Awareness Policy Template

The ISO 27001 Training and Awareness Policy template sets out what you do, and what must be done, for ISO 27001 Clause 7.3.


ISO 27001 Communication Plan Template

The ISO 27001 Communication Plan Template is used to plan the year's information security communications, including training and awareness, and to record evidence that those communications happened. That evidence will be required at the ISO 27001 certification audit.


How to use an Awareness and Training tool

In this day and age, one of the few times we would recommend using a tool is for information security training. These tools come with pre-built courses and allow for the automation of many required awareness tasks. Scheduling awareness training, verifying understanding, and reporting capabilities are must-haves. These tools refresh content annually, saving you time and effort, and include popular modules on relevant topics. Being online, they can be accessed by staff from anywhere. While not the only way to raise and manage awareness, they do the lion’s share of the work.

Of course, you should consider your company culture and supplement the training accordingly. Emails are useful, as are stand-up meetings, presentations at company meetings, and perhaps bringing in external resources. There’s no one-size-fits-all answer, but training tools go a long way for those who are time-poor and simply want to get the job done efficiently.

How to audit ISO 27001 Clause 7.3

This audit checklist is a guide to conducting an internal audit of ISO 27001 Clause 7.3 Awareness, based on what the ISO 27001 certification auditor will audit. It gives practical audit tips, including what to audit and how.

1. Review Awareness Objectives

Verify that the organisation has defined clear and measurable information security awareness objectives aligned with the ISMS and risk assessment.

  • Examine documented objectives, interview management to understand the rationale behind them, and check their alignment with the overall ISMS objectives.

2. Confirm Target Audience Identification

Ensure that the organisation has identified different target audiences and tailored awareness programs to their specific needs.

  • Review documentation related to target audience identification (e.g., role descriptions, training needs analysis), and interview employees from different roles to confirm their understanding of relevant security practices.

3. Evaluate Awareness Content

Assess the quality and relevance of awareness materials, including training presentations, videos, and other communication materials.

  • Review training materials for accuracy, clarity, and engagement.
  • Observe a training session (if possible) and interview participants for feedback on the content.

4. Check Training Delivery Methods

Verify that the organisation uses appropriate delivery methods for awareness training, considering the target audience and the nature of the information.

  • Review training records to confirm attendance and completion of training.
  • Interview employees about their preferred learning styles and the effectiveness of different delivery methods.

5. Assess Communication Frequency and Channels

Determine whether the organisation communicates about information security awareness regularly and through appropriate channels.

  • Examine communication logs, intranet posts, newsletters, and other communication materials. Interview employees to gauge their awareness of recent security communications.

6. Verify Reinforcement Activities

Confirm that the organisation reinforces awareness through various activities, such as integrating security tips into daily operations and promoting a security-conscious culture.

  • Observe work practices, review internal policies and procedures for security reminders, and interview employees about how security is integrated into their daily tasks.

7. Evaluate Effectiveness Measurement

Check if the organisation measures the effectiveness of its awareness programs through surveys, quizzes, simulated phishing attacks, or analysis of security incidents.

  • Review reports on awareness program effectiveness, including survey results, phishing campaign data, and incident analysis.
  • Interview management about how this data is used to improve the program.

8. Confirm Review and Update Process

Verify that the organisation regularly reviews and updates its awareness programs to maintain relevance and effectiveness.

  • Examine the process for reviewing and updating awareness materials, including the frequency of reviews and the involvement of relevant stakeholders.
  • Check version control on training materials.

9. Inspect Documentation

Ensure that the organisation maintains adequate records of all awareness activities, including training attendance, communication materials, and evaluation results.

  • Review training records, communication logs, and other relevant documentation.
  • Verify that records are complete, accurate, and readily accessible.

10. Assess Security Culture

Evaluate the overall security culture within the organisation, including employee awareness of security risks, reporting of security incidents, and commitment to security practices.

  • Conduct employee surveys, interviews, and focus groups to assess security awareness and attitudes.
  • Observe employee behaviour and interactions related to security practices. Look for evidence of management commitment to security.

How to pass the ISO 27001 Clause 7.3 audit

The easiest way is to have a training tool that presents the training and the things you want people to be aware of, then has them take a test, and records the results so that you can report on who has demonstrated understanding.

Having a communication plan that records what you communicated, when, to whom and the evidence that you did is also part of showing compliance to the clause.

There is a place for the signing of policies to accept them and the way you do this can be via traditional signature (which is clunky but doable), electronic signature, or an email to you that they have read and accept them. There are many ways to skin a cat.

What an auditor looks for

The audit is going to check a number of areas for compliance with ISO 27001 Clause 7.3. Let's go through them.

1. That you have a communication plan

The auditor wants to see a plan for communication that includes awareness and evidence that communications relating to awareness have taken place.

2. That the consequences of not doing what is expected have been communicated

The auditor wants to see that you have communicated what will happen if people do not do what is expected of them for information security. In addition, they will want to see the process you would follow, even if you have not had to follow it in the last 12 months.

It is usual to include this as part of the information security policies.

ISO 27001 Clause 7.3: Awareness FAQ

What is ISO 27001 Clause 7.3 Awareness?

ISO 27001 Clause 7.3 requires that people doing work under the organisation's control are aware of the information security policy, of how they contribute to the effectiveness of the ISMS, and of the implications of not conforming with its requirements. (Competence, the related requirement that people are able to do the work, is Clause 7.2.)

What are the ISO 27001:2022 Changes to Clause 7.3 Awareness?

Great news. There are no changes to ISO 27001 Clause 7.3 in the 2022 update.

How do I evidence I meet the requirement of ISO 27001 Clause 7.3 Awareness?

The best way is to record training in a training tool that requires a test to show understanding. Having a communication plan that includes evidence of the communications is also required.

Who is responsible for ISO 27001 Awareness?

Senior management are responsible for ensuring that ISO 27001 Clause 7.3 is implemented and maintained.

Why is ISO 27001 Awareness important?

People cannot be expected to behave in a certain way unless they have been told what is expected of them. Equally, they need to know the consequences if they do not do what is expected. Ongoing awareness also builds and establishes a culture of information security in the organisation, which supports an effective information security management system (ISMS).

Where can I download ISO 27001 Clause 7.3 Awareness templates?

You can download ISO 27001 Clause 7.3 Awareness templates in the ISO 27001 Toolkit.

ISO 27001 Clause 7.3 Awareness example?

An example of ISO 27001 Clause 7.3 Awareness can be found in the ISO 27001 Toolkit.

ISO 27001 Annex A 6.3: Information Security Awareness Education and Training

ISO 27001 Clause 7.4: Communication

Further Reading

ISO 27001 Security Awareness Training Policy Beginner’s Guide

ISO 27001 Awareness Beginner’s Guide

ISO 27001 Objectives | Beginner’s Guide

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded, and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.