ISO 27001 Annex A 6.3 Information Security Awareness Education and Training

ISO 27001 Annex A 6.3 deals with Information Security Awareness, Education, and Training. This control requires you to teach people about information security. This includes everything from general security awareness training and education to giving regular updates on your information security policy, any specific policies you have on certain topics, and all your security procedures.

What is ISO 27001 Annex A 6.3?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Information Security Awareness Education and Training”.

What is the ISO 27001 Annex A 6.3 control objective?

The formal definition and control objective in the standard is: “Personnel of the organisation and relevant interested parties should receive appropriate information security awareness, education and training and regular updates of the organisation’s information security policy, topic-specific policies and procedures, as relevant for their job function.”

What is the purpose of ISO 27001 Annex A 6.3?

The purpose of ISO 27001 Annex A 6.3 is “to ensure that people are aware of their responsibilities for information security and that they meet them.”

Is ISO 27001 Annex A 6.3 Mandatory?

ISO 27001 Annex A control 6.3 (Information Security Awareness Education and Training in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 6.3 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. Here are some important steps:

You need to establish a system for information security education and awareness within your organisation. This is how you can put the requirements of ISO 27001 Annex A 6.3 into practice.

Planning and Development

You will have to decide what security training is best for your organisation. Base this decision on your organisation’s risks and its specific needs. Then, you should plan out all of your training and awareness activities for the next year.

After planning, you will need to create, build, and put together your learning materials. The main idea is that everyone should learn about information security.

Delivery and Requirements

You must teach this training and awareness material to everyone who needs it. When putting together this programme, think about your existing policies. This includes your main information security policy and any other policies about specific topics within ISO 27001. You should also include your company’s processes and instructions, especially those related to security.

Things to consider covering in your training include:

  • How committed your leaders and managers are to security.
  • The necessary rules from relevant laws and regulations.
  • Each person’s duty and responsibility for security.
  • How to report any security event or problem.
  • Where to find the security policies.
  • Who to speak to if you have a question about security.

When to Provide Training

You should provide security awareness and training regularly. The best way to do this is to:

  • Hold awareness training on information security once a year.
  • Hold awareness training on data protection once a year.
  • Give new employees initial awareness training when they are hired or as part of their onboarding process.
  • Inform and train people when things change or when new processes are put in place.
  • Provide extra training following any security problems or as a way to improve continuously.

Training Methods and Verification

You will implement training based on who needs it. Some training is for everyone, but some is more focused on certain people and job roles. It is a good idea to consider different ways to train people, such as emails, website pages, short meetings, or formal classroom sessions. However, many people choose ready-made training programmes that handle most of this task for them.

You must check that people understand the material. Most people do this by having employees take some type of test. These tests are often part of the ready-made training packages you might use.

Finally, keep records of all the training and awareness activities you have conducted, including the evidence that people understood the material.

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will look for:

1. Training and Awareness

The auditor is checking if you train your staff on information security.

  • They’ll look for a training plan and evidence that you are actually following it.
  • You must be able to prove that the training happened, that people understood it, and that you have records of it.
  • This includes things like yearly training on Data Protection and what you teach new employees when they start.

2. Communication of Training

The auditor wants to make sure you tell the right people about the training process itself.

  • You must have a communication plan for the training.
  • They will look for proof that you have shared the details of when and how the training and awareness activities happen.

3. Staff Responsibilities

This is about making sure people know exactly what their security role is.

  • The auditor will look for written procedures and specific policies related to security.
  • They will confirm that you have shared these rules with your employees and that they have been trained on what they must do.