ISO27001 Security Awareness Training Policy Beginner's Guide

ISO 27001 Security Awareness Training Policy Ultimate Guide


In this ultimate guide to ISO 27001 Security Awareness and Training I am going to cover

  • the 2022 update to the ISO 27001 standard and what has changed for security awareness
  • the basics of what the policy is
  • what the policy should include
  • how you can create the policy yourself from scratch
  • answers to common questions
  • show you how to implement effective training awareness into your organisation
  • give you a simple yet effective policy template that you can download and use immediately.

Let me expose the insider trade secrets, give you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification.

I show you exactly what changed in the ISO 27001:2022 update.

I am Stuart Barker the ISO 27001 Ninja and this is the ISO 27001 Security Awareness Training Policy Ultimate Guide.

What is the ISO 27001 Information Security Training Policy?

The ISO 27001 Security Awareness Training Policy is to ensure all employees receive appropriate awareness education and training in all aspects of information security. It ensures that they get regular updates in policies and procedures that are relevant to their role.

Consequently putting in place a security awareness training program is one of the easiest and most important things that you can do.

Indeed, there are many providers of training software to choose from that can help you.

The information security training and awareness policy covers:

  • New starters
  • In role employees
  • Training plans
  • Competency register
  • Assessment
  • Acceptance
ISO27001 Training and Awareness Policy-Black

ISO 27001 Security Awareness Training Policy Template

Wish there was a quicker way to complete your ISO 27001 Security Awareness Training Policy?
There is.
In fact, I’ve written it for you. (Thank me later!)
Save yourself 8 hours of work and get this in your basket…

Why do we need a policy?

What is the biggest security risk? When asked most people will answer that it is people.

It isn’t people’s fault as people are busy.

Above all we want to do the best job that we can do.

As a result sometimes doing the best job we can do means cutting a few corners.

That is where an ISO 27001 Security Awareness Training Policy comes in.

We need to make people aware of the security risks in our organisation to better inform them. This will reduce risk and help them make the right decisions. As a result we want to formally train them with an information security overview and data protection training.

You cannot expect to achieve ISO 27001 certification without having staff who are part of that process.

The ISO 27001 requirement for information security training and awareness

In the Essential Guide to ISO 27001 7.3 Awareness we took a deep dive into what the actual requirement of the ISO 27001 standard is and how to comply with it. In summary the ISO 27001 standard states:

Persons doing work under the organisation’s control shall be aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
c) the implications of not conforming with the information security management system requirements.

ISO 27002 Clause 6.3 Information security awareness, education and training

ISO 27001, the international standard for information security also includes an Annex A which is a list of actual controls that a business must comply with. In 2022 the list of controls for ISO 27001 Annex A / ISO 27002 changed. The updated control for Information Security training is now:

Personnel of the organization and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function.

Information Security Culture

You will often hear the term ‘information security culture’ or having a ‘culture of information security’.

On the whole this just means having an awareness of the risks that are out there and what simple measures you can do to protect yourself.

The policy is the company’s statement about what it is doing about training with the result that it can demonstrate that it is taking it seriously.

Policies are statements of intent that describe what we do but not how we do it. If people want us to demonstrate what we are doing to ensure our staff are trained then they would look to this policy.

Do it yourself

SAVE over £10,000

ISO 27001 The International Standard for Information Security

ISO 27001 is the international standard for information security management. You can learn more about the ISO 27001 policies in our ISO 27001 Policies Ultimate Guide and see how they are implemented in our detailed, step by step, video guides on How to Implement ISO 27001.

We cover how it fits into the information security management system in the ISO 27001 Templates Documents Ultimate Guide.

FREE 30 minute ISO 27001 strategy session.

Claim your 100% FREE no-obligation 30 minute strategy session call (£1000 value). This is strictly for small businesses who are hungry to get ISO 27001 certified up to 10x faster and 30x cheaper.

ISO27001 Certification Stragey Call

How to write an information security awareness and training policy

It is straightforward to write the policy yourself. As a result make sure to include the following points and topics:

Create your version control and document mark-up

ISO 27001 documents require version control of the author, the change, the date and the version as well as document mark up such as document classification.

Write the document purpose

The purpose of the Information Security Awareness Training policy is to protect against loss of data.

Write the scope of the policy

It should really apply to all employees and third party staff working for your company.

Write the principle on which the policy is based

The principle of the Information Security Awareness Training policy is the confidentiality, integrity and availability of data. Accordingly it is about the security and protection of confidential data.

Write Information Security Awareness and Training Topics

Write a statement that lists out the topics that your plan will cover. Particularly phishing, general security awareness, data protection are all good base topics to include.

Describe what happens for new starters

New starters to the organisation will need training so set out on what and when.

Describe what happens for in role employees

Training is not a one and done so the Information Security Awareness Training policy will cover continual training and annual reacknowledgment.

Have a training and competency register

The standard and best practice require us to understand the competency of staff in relation to information security and any training requirements. Therefore implement a Competency Matrix.

Have a training plan

To be effective it is best to plan training throughout the year and follow the plan.

Cover assessment and acceptance

It is not enough to send out training, we also need to ensure people have understood it and accepted it.

Define policy compliance

Provide for how compliance to the policy will be acheived.

How to implement effective ISO 27001 training and awareness

When it comes to implementing effective ISO 27001 training and awareness the following is considered best practice.

Write your information security training and awareness policy

You need an information security and awareness training policy that is based on the needs of the business, the risks that the business faces and that fully satisfies the requirements of ISO 27001 and ISO 27002. The quickest way is to download the Training and Awareness Policy Template.

Review and approve the policy

The policy should be reviewed and approved by senior management to ensure there is full buy in and to make the policy as effective as possible. If you are doing an ISO 27001 implementation then the management review team will sign off the the policy.

Communicate the policy to everyone

A policy is a statement of what you do for information security and what is expected. If you do not communicate then people cannot be expect to know what is expected of them. How you communicate is down the to the culture and communication style of the organisation but getting approval from each person that they have read it, understand it and accept it is a key step. Be sure to update your communication plan so that it forms and appropriate part of your on going communicate.

Have a communication plan

A communication plan is plan for the year that covers

  • What we will communicate
  • Who will communicate
  • Who will they communicate it to
  • How will they communicate it
  • When will they communicate it
  • Evidence that it was communicated

As above the Information Security Awareness Training Policy is part of that plan but it goes wider. Based on the risks to the business and the needs of the business there are other communications that should be factored in that implement further training and further awareness. You will want to communicate on topics such as data protection, you will want to have regular management review meetings, you may have security operational meetings. Specific topics such as phishing attacks, backups, anti virus may all require their own communication. Consider what is important, what is a risk and let people know about it.

Implement Information Security Training

This is one of the few areas where a tool is highly recommended. You have to implement specific training throughout the year on information security and data protection. Part of that training is to ensure that people understand what they have been trained in and keeping a record that the training took place. It can be done manually, but tools are designed to take care of this for you. They often come with prebuilt modules and content so you don’t have to worry about it and they automate the process of getting people training, getting the confirmation of understanding via quizzes and tests and they include valuable reporting so you can track who has and who has not completed the training.

Awareness and Training Policy Mapped to ISO 27001 Controls

ISO 27001 Annex A / ISO 27002:2022

  • ISO 27002:2022 Clause 5 Organisational Controls
  • ISO 27002:2022 Clause 5.1 Policies for information security
  • ISO 27002:2022 Clause 5.36 Compliance with policies, rules, and standards for information security
  • ISO 27002:2022 Clause 5.4 Management Responsibilities
  • ISO 27002:2022 Clause 6 People Controls
  • ISO 27002:2022 Clause 6.3 Information security awareness, education, and training
  • ISO 27002:2022 Clause 6.4 Disciplinary process

Information Security Training Policy FAQ

What does the information security awareness cover?

Information security awareness covers communicating a basic understanding of information security issues, risks and threats. Markedly it is a more formal structured approach for staff. That is to say that it follows allocated and dedicated time to train on an aspect of information security with a test at the end to verify understanding. Additionally it covers the security measures that you are taking as well as the threats those measures address.

Does information security training include a test?

As rule yes because a test is a way for the trainer to verify that the training was affective and a basic level of understanding has been reached.

Why do we do information security training tests?

There are 2 reasons. Firstly to show that you have the required level of understanding as a result of the training materials. Secondly so that the company can evidence that it provided you with training and that you took it.

How often is information security training taken?

At least once in every 12 months as a minimum. So information security training modules are taken on an annual basis. In addition these are supplemented with training modules that are specific to your organisation and the risks it faces. Subsequently it is not unusual for these to include modules such as Phishing, Data Protection and more.

Where do I get an information security awareness and training policy?

The information security awareness and training policy template can be found here:

How often must you retake information security training?

When starting with an organisation and at least every 12 months.

How do you demonstrate security awareness?

By having a communication plan and communication record for information security. Likewise by having a formal training plan with training records. Additionally you can consider a controlled phishing training campaign.

Where can I get an Information Security Training Policy Example PDF?

A great sample of the Information Security Training Policy can be download from the template:

What is the purpose of security training?

The purpose of security training is to make people aware of the the security threats that they face and what to do about them. The more informed that people are the more likely they are to be able to keep themselves and company data safe.

Why is information security training important?

The world can be a very bad place and people want what you have. Generally there are times you aren’t aware that what you have has any value. Nonetheless to protect what is important to us, our data, our company data and our finances it is important that we are aware of the risks we face so we can make informed choices about addressing them.

Does information security training UK differ to information security training USA or information security training Australia?

No, the principles are the same and the threats are the same. Given these points there may be slight differences in legal implementations and laws but the basics of training are consistent across the globe.


ISO/IEC 27001 Information Security Management

ISO 27001 Templates Toolkit Business Edition Black
ISO27001 Policy Templates Pack Green

FREE 30 minute ISO 27001 strategy session.

Claim your 100% FREE no-obligation 30 minute strategy session call (£1000 value). This is strictly for small businesses who are hungry to get ISO 27001 certified up to 10x faster and 30x cheaper.

ISO27001 Certification Stragey Call

Shopping Basket