Information Security Awareness, Education and Training - ISO 27001 Annex A Control

ISO 27001 Annex A 6.3

People need to know what security looks like for their role.

ISO 27001 Annex A 6.3 - Information Security Awareness, Education and Training

The control makes information security something staff actually understand, rather than something written into policies they may never have read. Awareness training covers the basics everyone in the organisation needs: phishing recognition, password handling, how to report an incident, the principles of confidentiality. Role-specific education adds depth for staff whose jobs touch security more directly: administrators, developers, and those handling personal or sensitive data.

Frequency matters. A single induction session at the start of employment fades quickly. The control expects regular reinforcement - annual refresher training, phishing simulations, awareness campaigns, policy update communications. The mix can vary, but the principle is that the security message stays current rather than becoming stale.

The training has to land. If the same training is given to the same people every year and the assessment is a tick-box exercise, the awareness benefit is limited. Effective programmes track engagement, test understanding, and adapt content to the threats the organisation actually faces. The audit will look for evidence that the training is meaningful, not just that it was completed.

For us the awareness programme is more than annual training. It includes simulated phishing exercises with feedback, monthly tips circulated through internal comms, and targeted refresher training when something significant changes - a new policy, a new threat, a near-miss we want to learn from. The training records show what was delivered, when, and to whom, with completion and assessment results where used.

Practical Compliance Guidance

Awareness, education and training are described in the IMS1 manual at section 7 on competence and awareness, alongside the People Security Policy. The training matrix records what training each role requires and tracks delivery against it, so that a gap (a required module never completed, overdue for refresh, or failed at assessment) is visible per person and per role.
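As an added example of the check the training matrix is meant to support (this is illustrative code, not part of the page or of the alphaZ toolkit): a small reconciliation of a role-based training matrix against training records. It reports, per person, any required module that was never completed, is older than the annual refresher baseline, or whose latest assessment score is below a pass mark. The role names, module names, staff list, records, 80% pass mark and the 365-day window are all constructed assumptions for the example.

```python
"""Reconcile a role-based training matrix against training records.

Added example, not the page's or the alphaZ toolkit's own code. Roles,
modules, staff, records, the pass mark and the refresh window below are
constructed sample values chosen to illustrate the three kinds of gap.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

REFRESH_DAYS = 365   # assumed "at least annually" baseline
PASS_MARK = 80       # assumed pass threshold where a scored assessment is used

# Training matrix: modules each role must hold. "all" applies to everyone,
# and a role absent from the matrix gets the common baseline only.
TRAINING_MATRIX: Dict[str, Set[str]] = {
    "all": {"security-awareness", "phishing-simulation"},
    "developer": {"secure-coding"},
    "administrator": {"privileged-access"},
    "hr": {"personal-data-handling"},
}

# Constructed staff list: person -> role.
STAFF: Dict[str, str] = {"alice": "developer", "bob": "administrator", "carol": "hr"}


@dataclass(frozen=True)
class Record:
    """One training record: what was delivered, to whom, when, with a score if assessed."""
    person: str
    module: str
    completed: date
    score: Optional[int] = None  # None where no assessment was used


# Constructed records covering an overdue module, a failed assessment and missing modules.
RECORDS: List[Record] = [
    Record("alice", "security-awareness", date(2025, 1, 10), 95),
    Record("alice", "phishing-simulation", date(2025, 3, 2)),        # behavioural test, no score
    Record("alice", "secure-coding", date(2023, 11, 5), 90),         # passed, but > 365 days ago
    Record("bob", "security-awareness", date(2025, 2, 1), 60),       # recent, but below pass mark
    Record("bob", "phishing-simulation", date(2025, 2, 1)),
    Record("bob", "privileged-access", date(2024, 9, 1), 88),
    Record("carol", "security-awareness", date(2024, 5, 20), 85),    # 377 days old on TODAY
    # carol has no phishing-simulation or personal-data-handling record at all
]
TODAY = date(2025, 6, 1)


def required_modules(role: str) -> Set[str]:
    """Common baseline plus whatever the matrix adds for the role."""
    return TRAINING_MATRIX["all"] | TRAINING_MATRIX.get(role, set())


def gaps(staff: Dict[str, str], records: List[Record], today: date,
         refresh_days: int = REFRESH_DAYS, pass_mark: int = PASS_MARK) -> Dict[str, Dict[str, str]]:
    """Return {person: {module: reason}} for every required module not currently evidenced.

    Only the most recent record per (person, module) counts as current evidence,
    so a stale pass does not mask a later failed re-assessment.
    """
    latest: Dict[tuple, Record] = {}
    for rec in records:
        key = (rec.person, rec.module)
        if key not in latest or rec.completed > latest[key].completed:
            latest[key] = rec

    out: Dict[str, Dict[str, str]] = {}
    for person, role in staff.items():
        for module in sorted(required_modules(role)):
            rec = latest.get((person, module))
            if rec is None:
                reason = "never completed"
            elif (today - rec.completed).days > refresh_days:
                reason = "overdue"
            elif rec.score is not None and rec.score < pass_mark:
                reason = "failed assessment"
            else:
                continue
            out.setdefault(person, {})[module] = reason
    return out


def evidence_summary(staff: Dict[str, str], records: List[Record], today: date) -> Dict[str, int]:
    """Count required (person, module) pairs and how many are currently evidenced."""
    total = sum(len(required_modules(role)) for role in staff.values())
    missing = sum(len(mods) for mods in gaps(staff, records, today).values())
    return {"required": total, "evidenced": total - missing}


if __name__ == "__main__":
    for person, modules in gaps(STAFF, RECORDS, TODAY).items():
        for module, reason in modules.items():
            print(f"{person}: {module}: {reason}")
    print(evidence_summary(STAFF, RECORDS, TODAY))
```

Run as-is, the report lists one overdue module for alice, one failed assessment for bob, and three items for carol (two never completed, one overdue); the summary shows 4 of 9 required items evidenced. Feeding real records in and keeping the output with the training matrix gives the "what was delivered, when, and to whom" evidence the audit asks for, and the refresh window or pass mark can be tightened per module where a role-specific refresher is required.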

alphaZ document      How to use it
ISO 27001 Toolkit    The full alphaZ ISO 27001 toolkit covering manual, policies, procedures, registers and audit checklists.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

How often should awareness training be delivered?

At least annually as a baseline, with topic-specific refreshers when something significant changes. Many organisations supplement annual refresher training with shorter regular touchpoints - phishing simulations, monthly bulletins, awareness moments at team meetings - to keep the message current rather than relying on a single annual session.

Does everyone need the same training?

A common baseline applies to all staff, covering the everyday security points. Beyond that, role-specific training should be added where the role carries specific responsibilities or risks - administrators, developers, finance, HR, those handling sensitive personal data. The training matrix should set out the role-specific expectations.

Should training include an assessment?

Some form of assessment is helpful both for the worker - it confirms understanding rather than just attendance - and for the organisation - it provides evidence that the training has been understood. Assessment can be a short quiz at the end of training, a phishing simulation that tests behaviour, or a discussion-based check for smaller teams.
