Clause 7.3 of ISO/IEC 27001 sits naturally alongside clause 7.2 (Competence) and clause 7.4 (Communication), which covers telling everyone who needs to know about the information security management system.
What is ISO 27001 Clause 7.3?
ISO 27001:2022 Clause 7.3 Awareness
Persons doing work under the organisation’s control shall be aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
c) the implications of not conforming with the information security management system requirements.
ISO 27001 clause 7.3 therefore requires organisations to:
- Make everyone working under their control aware of why information security matters.
- Train staff in the organisation’s information security policy and procedures.
- Make sure staff understand their own information security responsibilities.
The aim of awareness is a culture in which everyone considers risk and information security in everything they do at work, rather than treating it as a one-off training exercise.
In practice, whoever is responsible for the ISMS must be able to show that people working under the organisation’s control:
- Have read and understood the organisation’s information security policy.
- Know why it matters that they follow the ISMS and help to improve it.
- Understand what could happen, to them and to the organisation, if they ignore the ISMS and its requirements are not met.
What does Clause 7.3 involve?
ISO 27001 wants to make sure that the people doing the work know about:
- The information security policy.
- How their own work contributes to the effectiveness of the ISMS, including the benefits of improving it.
- The implications, for them and for the organisation, of not conforming with the ISMS requirements.
What does ISO 27001 requirement 7.3 cover?
In practice, awareness under requirement 7.3 spans:
- Why information security is important.
- The organisation’s information security policy.
- The organisation’s information security procedures.
- Each person’s information security responsibilities.
- The threats and risks to the organisation’s information.
- The controls in place to reduce those risks.
Showing awareness for clause 7.3
If you are building your ISMS in an integrated way, the people helping to build it will have been involved in drafting the information security policy for top management to approve (clause 5.2).
They should also clearly understand their role, because roles, responsibilities and authorities are agreed and documented under clause 5.3 (and in the other areas already mentioned).
We also suggest that:
Anyone working on the ISMS reads the ISO 27001 standard itself to understand what is required, and is then shown how those requirements are met in practice (straightforward if you use a system like ISMS.online). That includes understanding risk management (6.1), information security objectives (6.2), monitoring, measurement, analysis and evaluation (9.1), internal audit (9.2), management review (9.3), continual improvement (10.1) and nonconformity and corrective action (10.2). Note that the 2022 edition swapped the order of the two clause 10 sub-clauses: in ISO 27001:2013, nonconformity and corrective action was 10.1 and continual improvement was 10.2.
Besides understanding how the ISMS is managed and run (as above), we also strongly recommend that staff involved in the ISMS follow the same steps as everyone else covered by the broader communication programme under clause 7.4, which looks at how staff are informed, involved and held to the rules. This also connects with the HR security controls, specifically the Annex A control on information security awareness, education and training (A.6.3 in ISO 27001:2022; A.7.2.2 in the 2013 edition).
How to demonstrate awareness for ISO 27001 clause 7.3
Here is how organisations can demonstrate awareness for clause 7.3, and produce evidence of it for an auditor:
- Give awareness training to all employees, and keep attendance and completion records.
- Communicate the information security policy to all staff, and record that it was issued and acknowledged.
- Put up information security posters and reminders in the workplace.
- Cover information security in induction for new starters and in performance reviews.
- Regularly test staff awareness (for example with short quizzes) to confirm they know their responsibilities, and record the results.
Conclusion
Making sure everyone knows why information security is important is a key part of any organisation’s information security management system (ISMS).
By ensuring that all employees understand why information security matters and what they personally need to do to protect the organisation’s information, organisations can prevent many security incidents and keep their information safe.