What Changed Between the 2013 and 2022 Versions? ISO 27001:2022 Annex A 6.3

ISO 27001 Annex A 6.3 - what changed in the 2022 update

If you have ever been involved in an information security audit, you know that technology is only half the battle. The other half involves the people using that technology. When ISO 27001 shifted from its 2013 version to the 2022 update, the way we handle education and awareness saw a significant shift in perspective. This is now captured under Annex A 6.3: Information Security Awareness, Education and Training.

The Evolution from 7.2.2 to 6.3

In the ISO 27001:2013 standard, awareness and training were tucked away under Control 7.2.2. It was part of the “Human Resources Security” domain, which often led organisations to treat it as a task for the HR department, something to be ticked off during a new starter’s first week.

In the 2022 update, this has been reclassified as Annex A 6.3 and moved into the People Controls theme. This transition is important. According to insights from Hightable.io, moving this into the People theme emphasizes that awareness isn’t just an administrative onboarding task; it is a fundamental security control that must be nurtured throughout the entire employment lifecycle. It shifts the focus from “training” to building a genuine “security culture.”

What is New in Annex A 6.3?

The core objective remains the same: ensuring that personnel and relevant interested parties receive appropriate awareness, education, and training. However, the 2022 version is much more modern in its approach. It acknowledges that a yearly PowerPoint presentation is no longer enough to defend against sophisticated threats like phishing or social engineering.

One of the most notable changes is the increased emphasis on role-specific training. While the 2013 version was somewhat generic, the 2022 standard expects training to be tailored to the specific risks associated with an individual’s job. As noted by Hightable.io, this means your developers should be receiving training on secure coding, while your finance team might need specific education on identifying “CEO fraud” or business email compromise.

The Introduction of Attributes

The 2022 version of the standard introduced a “taxonomic” approach using attributes. This allows you to tag Control 6.3 with specific metadata. For example, it is now clearly defined as a Preventive control. By categorising it this way, the standard helps security managers explain to the board that an educated workforce is the first line of defence in preventing incidents before they even happen.

These attributes also link training to Corrective measures. If a security incident occurs because of human error, Annex A 6.3 provides the framework to use that incident as a “teachable moment,” updating your training materials to ensure the same mistake isn’t repeated.

What Auditors Expect to See Now

If you are transitioning from the 2013 version, your evidence trail for 6.3 needs to be more robust than it was in the past. An auditor will likely look for more than just an attendance sheet. They will want to see:

  • A Training Needs Analysis: Evidence that you have thought about which roles need which specific types of security education.
  • Evidence of Understanding: It isn’t enough to just “watch a video.” You should have quiz results or assessments that prove the staff actually absorbed the information.
  • Ongoing Awareness: Evidence of “drip-feed” awareness, such as monthly security newsletters, posters, or simulated phishing tests.
  • Third-Party Inclusion: Proof that contractors and relevant external parties are included in your awareness programme where appropriate.

Why the Change to 6.3 Matters

The transition to Annex A 6.3 reflects the reality that humans are the primary target for modern cyber-attacks. By moving this control into the People theme, ISO 27001:2022 encourages organizations to move beyond “compliance-based training” and toward “risk-based education.”

As suggested by Hightable.io, the best way to tackle this change is to create a dynamic awareness calendar. Don’t try to cram everything into one week of the year. Instead, break your security topics down and deliver them in small, digestible chunks that keep security at the front of your employees’ minds all year round. This doesn’t just pass an audit; it significantly reduces your organization’s risk profile.

Final Thoughts for the Transition

While the jump from 7.2.2 to 6.3 might seem like a simple administrative update, it is an opportunity to revitalize your security culture. Take the time to review your current training modules and ensure they reflect the modern threats your specific business faces. In the world of ISO 27001:2022, an informed employee is your most powerful security tool.