ISO 27001 Clause 7.3 Awareness

ISO 27001 Clause 7.3 is about making sure people know about information security. It requires that everyone working under the organisation's control is aware of the information security policy, understands how their own work contributes to the information security management system (ISMS), and knows what can happen, to the organisation and to themselves, if they do not follow its requirements.

What Is Awareness?

This clause is simple but important. It is about getting everyone in the organisation to be security-aware, with the goal of a culture in which people think about keeping information safe as part of their normal work. It applies not only to the IT department but to all staff, and to contractors and other third parties doing work under the organisation's control. The clause requires that these people are aware of:

  • The company’s information security policy.
  • Their contribution to making the ISMS effective, including the benefits of better information security performance.
  • The implications of not conforming with the ISMS requirements, for example disciplinary action, contract breach, or a security incident.

What is ISO 27001 Clause 7.3 Awareness?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 standard the clause is titled “Awareness”. It is a clause in the main body of the standard (Clause 7, Support), not an Annex A control; the related Annex A control in the 2022 edition is 6.3, Information security awareness, education and training.

What does ISO 27001 Clause 7.3 require?

The requirement in the standard reads: “Persons doing work under the organisation’s control shall be aware of:
a) the information security policy;
b) their contribution to the effectiveness of the information security management system, including the benefits of improved information security performance; and
c) the implications of not conforming with the information security management system requirements.”

What is the purpose of ISO 27001 Clause 7.3?

The purpose of ISO 27001 Clause 7.3 is to make sure people are aware of information security and of what they personally need to do. It is part of building a culture of information security in the organisation: a documented policy that nobody has read or understood does not reduce risk.

Is ISO 27001 Clause 7.3 Mandatory?

Yes. ISO 27001 Clause 7.3 (Awareness in the 2022 standard) is a mandatory clause in the main body of the standard (Clauses 4 to 10). Unlike Annex A controls, main-body clauses cannot be excluded through the Statement of Applicability, so every certified organisation must meet it.

Key Parts of the Clause

To meet this clause you should have a defined awareness plan and supporting policies, and you should be able to show that the plan is carried out.

The standard does not prescribe how awareness is achieved; it only requires the outcome, so you can meet it in many ways. Here are some common approaches:

  • Training: Give security awareness training when a new person starts (induction) and refresher training for all staff at a defined interval. The standard sets no frequency, but annual refresher training is the usual practice and what most auditors expect to see.
  • Posters and Emails: Put up posters, send reminder emails, or use intranet banners to keep security front of mind between training sessions.
  • Tests: Check whether people have retained the training with a short quiz, and record the results so you can show who passed and follow up with those who did not.
  • Clear Rules: Make sure the information security policy and the rules people must follow are easy to find and written in plain language. People cannot be aware of a policy they cannot locate or understand.

What an Auditor Will Check

An auditor will want to see evidence that the clause is met, not just a policy that says it is. They will typically:

  • Check that you have a plan for making people aware of information security, including new starters and contractors.
  • Look for records that the plan has been carried out, such as training attendance or completion records, quiz results, and copies of awareness emails or posters.
  • Interview staff and ask them, in their own words, where the security policy is, what their responsibilities are, and what happens if they do not follow the rules. Weak answers here are a common source of findings even when the records look complete.

You can learn more about awareness and ISO 27001 by watching this video: ISO 27001 Awareness Explained – ISO27001:2022 Clause 7.3