The basics
ISO 27001 control A.6.3 Information security awareness, education and training requires companies to explain to relevant people why security is needed, and how to comply with the various security requirements. This is important because people who do not know how to perform security activities tend to resent them and fail to comply.
Documentation
ISO 27001 control A.6.3 Information security awareness, education and training can be documented:
- for smaller and mid-sized companies by writing a Training and Awareness Plan to document which trainings and awareness activities are required and for which personnel
- on top of the Training and Awareness Plan, larger companies might also write a Training & Awareness Procedure
These documents are not mandatory, but are recommended.
Implementation
In order to comply with control A.6.3 Information security awareness, education and training you might implement the following:
- Technology — the technology to enable information security awareness, education, and training may include software to develop the material, and access to the Internet to share the material with employees and contractors. Small companies may simply use their current office applications, while bigger companies may use learning platforms to share material and to assess and evaluate learning.
- Organization/processes — you should set up a process for defining which material must be developed, for which audience, how often it must be presented, and how the effectiveness of the presentation is going to be measured. You can document those processes through a Training and Awareness Plan or a Training & Awareness Procedure.
- People — train HR personnel on how to develop and deliver security awareness and training.
Audit evidence
During the audit, an auditor might look for the following evidence regarding clauses 7.2 Competence and 7.3 Awareness, and control A.6.3 Information security awareness, education and training:
- If the required competencies are defined for particular job roles.
- If the relevant people are trained for the required competencies, i.e., if they know how to perform their security-related work.
- If relevant people know why security is needed, i.e., if they are made aware of the importance of policies, procedures, and performing activities in a secure way.
These are the things the auditor will be looking for; if they are not found, this is considered a nonconformity.