ISO 27001 Clause 7.3 Awareness

ISO 27001 Awareness

ISO 27001 Awareness is about making people aware of the risks to information security so they can be better prepared and better protected.

What is ISO 27001 Clause 7.3?

ISO 27001 Clause 7.3 is awareness and requires you to communicate and make people aware of the information security policy, how they contribute to information security and the consequences of not conforming to information security.

The ISO 27001 standard for ISO 27001 certification wants you to let people know what you expect, educate them and have processes in place for if things go wrong.

ISO 27001 Clause 7.3 Purpose

The purpose of ISO 27001 clause 7.3 Awareness is to make sure people are aware of information security and what they need to do. It is part of implementing a culture of information security into the organisation.

ISO 27001 Clause 7.3 Definition

ISO 27001 defines ISO 27001 Awareness as:

Persons doing work under the organisation’s control shall be aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
c) the implications of not conforming with the information security management system requirements.

ISO 27001:2022 Clause 7.3 Awareness

ISO 27001 Clause 7.3 Requirement

The requirement is to tell people what is expected of them and explain to them the consequences of not doing what is expected when it comes to information security.

How to implement ISO 27001 Clause 7.3

There are distinct phases in the journey of staff, contractors and third parties.

Each of those phases potentially requires a different level of communication.

It is possible that one approach will work but the likelihood is you are going to have different communication styles and approaches depending on the ‘who’ and the ‘where’ they are in their journey with you.

ISO 27001 Clause 7.3 Implementation Checklist

Awareness ISO 27001 Clause 7.3 Implementation Checklist

1. Define Information Security Awareness Objectives

Clearly define what employees need to know and understand about information security. This should align with the organisation’s ISMS objectives and risk assessment.

Challenge

Difficulty in translating high-level ISMS objectives into practical, relatable awareness points for staff.

Solution

Conduct workshops with representatives from different departments to identify specific awareness needs based on their roles and responsibilities.

2. Identify Target Audiences

Segment employees into groups based on their roles, access levels, and potential risks they pose to information security. Tailor awareness programs to each group.

Challenge

Overlooking specific groups or assuming a one-size-fits-all approach.

Solution

Conduct a thorough analysis of roles and responsibilities to identify distinct target audiences and their respective needs.

3. Develop Awareness Content

Create engaging and relevant materials, including training presentations, videos, infographics, and posters. Avoid technical jargon and focus on practical examples.

Challenge

Creating content that is both informative and engaging, avoiding “death by PowerPoint.”

Solution

Use a variety of media, gamification, and real-world scenarios to make the content more appealing and memorable. Consider micro-learning modules for easier consumption.

4. Deliver Awareness Training

Implement various delivery methods, such as online training, in-person workshops, and short awareness sessions. Make training mandatory for all employees.

Challenge

Scheduling training for all employees, especially those in different locations or with shift work.

Solution

Offer flexible training options, including online modules that can be completed at employees’ convenience, and schedule in-person sessions at different times.

5. Communicate Regularly

Information security awareness is not a one-time event. Communicate regularly through newsletters, emails, intranet posts, and informal reminders.

Challenge

Maintaining consistent communication and avoiding “awareness fatigue.”

Solution

Develop a communication plan that includes regular updates, but varies the format and content to keep employees engaged. Focus on positive reinforcement and success stories.

6. Reinforce Awareness

Integrate information security awareness into daily operations. Include security tips in emails, display posters in common areas, and discuss security topics in team meetings.

Challenge

Making security awareness a part of the everyday work culture.

Solution

Incorporate security awareness messages into existing communication channels and processes. Recognise and reward employees who demonstrate good security practices.

7. Measure Effectiveness

Track the effectiveness of awareness programs through surveys, quizzes, simulated phishing attacks, and analysis of security incidents.

Challenge

Difficulties in objectively measuring the impact of awareness training.

Solution

Establish clear metrics and use a combination of quantitative and qualitative methods to assess awareness levels and behavioural changes.

8. Review and Update

Regularly review and update awareness programs to ensure they remain relevant and effective. Incorporate feedback from employees and lessons learned from security incidents.

Challenge

Keeping content up-to-date with the evolving threat landscape.

Solution

Establish a process for regularly reviewing and updating awareness materials, including monitoring industry trends and incorporating feedback from security incidents.

9. Document Awareness Activities

Maintain records of all awareness activities, including training attendance, communication materials, and evaluation results. This demonstrates compliance with ISO 27001.

Challenge

Maintaining accurate and up-to-date records.

Solution

Use a centralised platform or system to manage awareness training and communication records.

10. Promote a Security Culture

Foster a culture where information security is everyone’s responsibility. Encourage employees to report security incidents and ask questions about security.

Challenge

Overcoming apathy and resistance to security measures.

Solution

Promote a positive security culture that emphasises the importance of security and empowers employees to take ownership of their security responsibilities. Lead by example from top management.

ISO 27001 Clause 7.3 Audit Checklist

How to audit ISO 27001 Clause 7.3 Awareness

1. Review Awareness Objectives

Verify that the organisation has defined clear and measurable information security awareness objectives aligned with the ISMS and risk assessment.

• Examine documented objectives, interview management to understand the rationale behind them, and check their alignment with the overall ISMS objectives.

2. Confirm Target Audience Identification

Ensure that the organisation has identified different target audiences and tailored awareness programs to their specific needs.

• Review documentation related to target audience identification (e.g., role descriptions, training needs analysis), and interview employees from different roles to confirm their understanding of relevant security practices.

3. Evaluate Awareness Content

Assess the quality and relevance of awareness materials, including training presentations, videos, and other communication materials.

• Review training materials for accuracy, clarity, and engagement.
• Observe a training session (if possible) and interview participants for feedback on the content.

4. Check Training Delivery Methods

Verify that the organisation uses appropriate delivery methods for awareness training, considering the target audience and the nature of the information.

• Review training records to confirm attendance and completion of training.
• Interview employees about their preferred learning styles and the effectiveness of different delivery methods.

5. Assess Communication Frequency and Channels

Determine whether the organisation communicates about information security awareness regularly and through appropriate channels.

• Examine communication logs, intranet posts, newsletters, and other communication materials. Interview employees to gauge their awareness of recent security communications.

6. Verify Reinforcement Activities

Confirm that the organisation reinforces awareness through various activities, such as integrating security tips into daily operations and promoting a security-conscious culture.

• Observe work practices, review internal policies and procedures for security reminders, and interview employees about how security is integrated into their daily tasks.

7. Evaluate Effectiveness Measurement

Check if the organisation measures the effectiveness of its awareness programs through surveys, quizzes, simulated phishing attacks, or analysis of security incidents.

• Review reports on awareness program effectiveness, including survey results, phishing campaign data, and incident analysis.
• Interview management about how this data is used to improve the program.

8. Confirm Review and Update Process

Verify that the organisation regularly reviews and updates its awareness programs to maintain relevance and effectiveness.

• Examine the process for reviewing and updating awareness materials, including the frequency of reviews and the involvement of relevant stakeholders.
• Check version control on training materials.

9. Inspect Documentation

Ensure that the organisation maintains adequate records of all awareness activities, including training attendance, communication materials, and evaluation results.

• Review training records, communication logs, and other relevant documentation.
• Verify that records are complete, accurate, and readily accessible.

10. Assess Security Culture

Evaluate the overall security culture within the organisation, including employee awareness of security risks, reporting of security incidents, and commitment to security practices.

• Conduct employee surveys, interviews, and focus groups to assess security awareness and attitudes.
• Observe employee behaviour and interactions related to security practices. Look for evidence of management commitment to security.

Watch the Tutorial

Watch the ISO 27001 tutorial How to Implement ISO 27001 Clause 7.3 Awareness

ISO 27001 Awareness Templates

The following are ISO 27001 Awareness templates.

ISO 27001 Awareness and Training

In this day and age, one of the few times we would recommend using a tool is for information security training. These tools come with pre-built courses and allow for the automation of many required awareness tasks. Scheduling awareness training, verifying understanding, and reporting capabilities are must-haves. These tools refresh content annually, saving you time and effort, and include popular modules on relevant topics. Being online, they can be accessed by staff from anywhere. While not the only way to raise and manage awareness, they do the lion’s share of the work.

Of course, you should consider your company culture and supplement the training accordingly. Emails are useful, as are stand-up meetings, presentations at company meetings, and perhaps bringing in external resources. There’s no one-size-fits-all answer, but training tools go a long way for those who are time-poor and simply want to get the job done efficiently.

How to pass an audit of ISO 27001 Clause 7.3

The easiest way is to have a training tool that records people’s understanding by presenting with training and what you want them to be aware of and then has them take a test which you can report.

Having a communication plan that records what you communicated, when, to whom and the evidence that you did is also part of showing compliance to the clause.

There is a place for the signing of policies to accept them and the way you do this can be via traditional signature (which is clunky but doable), electronic signature, or an email to you that they have read and accept them. There are many ways to skin a cat.

What the auditor will check

The audit is going to check a number of areas for compliance with ISO 27001 Clause 7.3. Lets go through them

1. That you have a communication plan

The auditor wants to see a plan for communication that includes awareness and evidence that communications relating to awareness have taken place.

2. That consequences of not doing what is expected

The auditor wants to that you have communicated what will happen if people do not do what is expected of them for information security. In addition they will want to see the process that you would follow even if you have not had to follow it in the last 12 months.

It is usual to include this as part of the information security policies.

ISO 27001 Clause 7.3 FAQ