The basics
ISO 27001 clause 7.3 is called "Awareness". It requires that people doing work under the organization's control are made aware of the information security policy and its contents, of their own contribution to the effectiveness of the ISMS and to its objectives, and of the implications of not conforming with the ISMS requirements.
Documentation
ISO 27001 clause 7.3 Awareness does not require any documented information, so no document is mandatory for this clause.
The following document is optional, and companies can decide whether to write it:
- Awareness plan
Implementation
To implement ISO 27001 clause 7.3 Awareness, you can follow these steps:
- Assign Responsibility: Designate someone, typically the Information Security Officer, to be responsible for awareness activities.
- Develop an Awareness Plan: Create a plan that outlines the topics to be covered, the frequency of training sessions, and the methods of delivery.
- Conduct Training Sessions: Ensure that all employees participate in regular awareness sessions, and keep attendance records. For example, the Risk Treatment Plan might require two hours of awareness training per employee every quarter.
- Allocate Resources: Make sure employees have time available for these sessions and that the Information Security Officer has the resources needed to conduct them, or allocate funds to hire a consultant or trainer.
- Monitor and Review: Regularly assess the effectiveness of the awareness program and make improvements as necessary.
Audit evidence
The auditor will look for evidence that relevant people know why security is needed, i.e., that they are aware of the importance of the policies and procedures and of performing their activities in a secure way. In practice this is checked by interviewing employees during the audit and by reviewing records of awareness activities, such as training attendance lists.