ISO 27001 Clause 7.3 Awareness: Certification Body Guide

ISO 27001 Clause 7.3 Awareness

ISO 27001 Clause 7.3 Awareness is a management control that ensures persons doing work under the organisation’s control understand the information security policy, their contribution to ISMS effectiveness, and the implications of non-conformance. It focuses on changing human behaviour to reduce security risks across the business.

ISO 27001:2022 Attribute Mapping

Attribute | Classification
Control Type | Management / Administrative
CIA Triad | Confidentiality, Integrity, Availability
Cybersecurity Concept | Protect
Operational Capability | Human Resource Security

Implementation Difficulty & Cost

Metric | Rating / Detail
Difficulty | 2/5 (Implementation is simple; effectiveness is hard)
Resource Cost | Low to Medium (Depends on tool choice like KnowBe4)
Primary Owner | CISO / HR Manager
Accountability Cascade | Board → CISO → Department Heads → Staff

ISO 27002 Control Guidance

ISO 27002 suggests that awareness should not be a “one-off” event. In my experience, the most successful programmes use a multi-channel approach. Physical guidance includes visible reminders in the office. Think about posters or “Clean Desk” reminders. These act as constant nudges for staff. When I walk a site, I look for these visual cues as evidence of an active programme.

Technical guidance involves using the tools already at your disposal. This includes login banners on workstations. You can also use automated phishing simulations. These tools provide measurable data on staff behaviour. I often find that technical reminders are more effective than long, boring documents. They meet the user where they work. This reduces the friction of security compliance.

Behavioural guidance is the hardest part of Clause 7.3. It requires a shift in company culture. Staff must feel comfortable reporting security weaknesses. I look for a “no-blame” culture during my audits. If staff fear punishment, they will hide their mistakes. This creates a hidden risk for the business. True awareness means staff understand their role as the first line of defence.

The Auditor’s Eye: Expert Insight

In my 20 years of auditing, I have seen hundreds of training logs. Anyone can click ‘Next’ on a slide deck. To avoid a Non-Conformity (NC), you must prove the message actually landed. I often perform a Camera Walkthrough for remote audits or a site tour for physical ones. I will stop a random employee and ask: “How does your daily work support the Information Security Policy?” If they look confused, you have a failure. Don’t just show me logs; show me competence and culture.

10 Steps to Implement ISO 27001 Clause 7.3

  1. Identify Your Stakeholders

    You must determine who falls under your ISMS scope. This includes full-time staff, contractors, and even third-party vendors. I find that many CISOs forget to include cleaners or security guards. These roles have high physical access. Map these groups in Jira to ensure no one misses the mandatory sessions. Every group needs a tailored message.

  2. Draft the Awareness Strategy

    Document how you will deliver the message. Will you use emails, town halls, or an LMS? I look for a formal strategy document. It should define the frequency of training. Most firms choose annual sessions, but I recommend quarterly updates. This keeps security fresh in everyone’s minds. A documented strategy proves management intent to auditors.

  3. Design the Training Content

    The content must cover three mandatory areas. First, the Information Security Policy. Second, the benefits of improved security performance. Third, the consequences of breaking the rules. Use simple language. Avoid technical jargon that confuses non-IT staff. I often find that short, five-minute videos perform better than hour-long lectures. Ensure the content is accessible to all.

  4. Deploy an LMS or Awareness Tool

    Use a tool like KnowBe4 or Curricula. These platforms automate the delivery of content. They also provide the reporting I need to see. If you use manual methods, your admin burden will be huge. Microsoft Intune can also push notification banners to remind users of security tasks. Automation ensures consistency across a growing workforce.

  5. Launch Phishing Simulations

    Simulations are the best way to measure real-world awareness. Send out fake phishing emails and track the click rate. I look for a downward trend in these rates over time. If the rate stays high, your training is not working. I often ask to see the results of these tests during an audit. It is a fantastic proof of behavioural change.

  6. Establish Clear Reporting Channels

    Staff must know exactly where to go if they see something wrong. Create a dedicated email address or a button in your service desk. Mention this channel in every training session. I check Jira Service Management logs to see if staff actually use these channels. A lack of reports often signals a lack of awareness, not a lack of incidents.

  7. Gamify the Experience

    Turn security into a competition. Offer small rewards for the first person to report a phishing test. Create a “Security Champion” badge for helpful employees. In my experience, positive reinforcement works better than threats. It encourages people to engage with security voluntarily. This creates a much stronger culture than forced compliance ever could.

  8. Conduct “Clean Desk” Sweeps

    This is a physical audit of the office space. Look for passwords on post-it notes or unlocked screens. I perform these during my site visits. If you do them internally, record the results. Share the findings with the team. It turns a boring policy into a tangible reality. It also reminds staff that security is a physical responsibility.

  9. Align with HR Disciplinary Policies

    You must define what happens when someone ignores the rules. This is the “consequences” part of Clause 7.3. Work with HR to ensure your security policy and contracts align. I look for this alignment to ensure the policy has teeth. If there are no consequences, the awareness programme is just a suggestion. Clear rules protect both the company and the staff.

  10. Review and Improve the Programme

    At least once a year, look at your metrics. Are people still clicking links? Do they know where the policy is? Adjust your content based on these findings. I look for “Continuous Improvement” evidence in your Management Review Meeting minutes. This proves you are not just ticking a box. You are building a living system that adapts to new threats.

Requirements by Environment

  • The Office: Focus on physical security, visitor management, and clean desk policies. Visible posters are effective here.
  • Home Working: Emphasis on home Wi-Fi security, shoulder surfing, and secure disposal of paper waste. Awareness must cover the risks of mixing work and personal devices.
  • The Cloud: Technical staff must understand the shared responsibility model. They need awareness regarding misconfigurations and the risks of over-privileged service accounts.

The “Checkbox Compliance” Trap

Requirement | SaaS Tool Trap | Auditor Reality
Knowledge of Policy | Showing a report that says “100% Read”. | Asking an employee to summarise the policy.
Contribution to ISMS | The tool gives a “Completion Certificate”. | Asking staff how their role protects data.
Consequences | A tick box saying “I agree”. | Checking if HR policies actually mention security breaches.

10 Steps to Audit Clause 7.3 (Internal Audit Guide)

  1. Check the Training Matrix: Verify that every person in scope has been assigned the training.
  2. Verify Completion Rates: Look for 100% completion. If it is lower, ask for the plan to train the remaining staff.
  3. Interview Non-IT Staff: This is the “acid test”. Talk to marketing, finance, or sales. Ask about the policy.
  4. Test Phishing Reports: Look at the last simulation. Did staff report it, or just delete it?
  5. Review Onboarding Records: Ensure new starters receive training within their first week. I often find a “training lag” here.
  6. Inspect the Office: Look for visual evidence. Are there posters? Are screens locked?
  7. Check Reporting Logs: Cross-reference security incidents with staff reports. See if the staff are actually the ones finding issues.
  8. Evaluate Content Relevance: Is the training current? Does it mention the latest threats like Deepfakes or AI social engineering?
  9. Verify Consequences: Ask HR for a sample of a disciplinary case related to security (if one exists).
  10. Watch for “Red Flags”: Red flags include “I didn’t know we had a policy” or “I just do what IT tells me.”

Clause 7.3 Audit Evidence Checklist

Evidence Item | Pass/Fail Criteria | Owner
Awareness Strategy | Must be documented and approved by management. | CISO
LMS Reports | Must show 100% completion for all active users. | HR / IT
Phishing Metrics | Must show historical data and improvement trends. | Security Team
Signed IS Policy | Must be signed or digitally acknowledged by all staff. | All Personnel

Required Policy Content: A Lead Auditor’s Checklist

  • Employee Contribution: Must explain that every staff member is a “security officer” for their own data.
  • Mandatory Training Clause: Must state that awareness training is a condition of employment.
  • Reporting Procedures: Must provide the exact email, phone number, or portal for incident reporting.
  • Non-Conformance Clause: Must define the specific disciplinary path for security breaches (Verbal -> Written -> Dismissal).
  • Acceptable Use Summary: Must remind users of the core rules for using company assets.

What to Teach Employees

  • The Core Policy: What are the “Golden Rules” of your organisation?
  • Reporting: How to spot a “near miss” and who to tell.
  • Responsibility: How their specific job role affects the security of the business.

Enforcement and Consequences

Awareness is not optional. Failure to complete mandatory training should trigger an automated block on system access via Azure AD / Entra ID. I look for a clear enforcement path:

  1. Verbal Warning for first-time policy breaches.
  2. Written Warning for repeated failure to report incidents.
  3. Termination for gross negligence or intentional data theft.

Common Implementation Challenges

Challenge | Root Cause | Solution
Low Engagement | Training is boring or too long. | Use gamification and short video content.
“I’m too busy” | Lack of management buy-in. | Have the CEO send the training invite, not IT.
Contractor Gaps | Assuming the agency handles it. | Make internal awareness a requirement for system access.

Sample Statement of Applicability (SoA) Entry

“ISO 27001 Clause 7.3 is Applicable. The organisation ensures all persons under its control are aware of the security policy and their roles. We use a combination of LMS training, quarterly phishing tests, and monthly newsletters. Evidence is maintained in our LMS and Jira Service Desk. This control is reviewed during our annual Management Review.”

Changes from ISO 27001:2013

ISO 27001:2013 | ISO 27001:2022
Focus on “Awareness” | Unchanged, but Annex A 6.3 adds more prescriptive guidance.
General Requirement | Stronger link to “Human Resource Security” capabilities.

How to Measure Effectiveness (KPIs)

  • Phish-Prone Percentage: The percentage of employees who click a simulated phishing link. (Target: < 5%).
  • Reporting Rate: The number of staff who use the official reporting channel for suspicious emails. (Target: > 20% of phish tests).
  • Time to Train: The average number of days it takes for a new starter to complete awareness training. (Target: < 5 days).
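The three KPIs above, together with the downward-trend check an auditor looks for in phishing results (step 5), can be computed from campaign and onboarding records. The script below is an added example, not the page's own tooling; the campaign and onboarding data are constructed, and the target thresholds are the ones stated in the KPI list.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Targets taken from the KPI list on this page.
PHISH_PRONE_TARGET = 5.0    # % of recipients who clicked; must be below this
REPORTING_TARGET = 20.0     # % of recipients who reported; must be above this
TIME_TO_TRAIN_TARGET = 5.0  # mean days from start date to completion; must be below

@dataclass
class Campaign:
    name: str
    sent: int
    clicked: int
    reported: int

@dataclass
class Onboarding:
    user: str
    start: date
    completed: date

# Constructed sample data: three quarterly simulations and three new starters.
SAMPLE_CAMPAIGNS = [
    Campaign("Q1", sent=200, clicked=30, reported=20),
    Campaign("Q2", sent=200, clicked=18, reported=40),
    Campaign("Q3", sent=200, clicked=8, reported=50),
]
SAMPLE_ONBOARDING = [
    Onboarding("alice", date(2024, 1, 8), date(2024, 1, 11)),
    Onboarding("bob", date(2024, 2, 5), date(2024, 2, 12)),
    Onboarding("carol", date(2024, 3, 4), date(2024, 3, 6)),
]

def phish_prone_pct(c: Campaign) -> float:
    return 100.0 * c.clicked / c.sent if c.sent else 0.0

def reporting_rate_pct(c: Campaign) -> float:
    return 100.0 * c.reported / c.sent if c.sent else 0.0

def mean_time_to_train(records) -> float:
    return float(mean((r.completed - r.start).days for r in records)) if records else 0.0

def is_downward_trend(campaigns) -> bool:
    # Every campaign must beat the previous one; a flat or rising rate fails.
    rates = [phish_prone_pct(c) for c in campaigns]
    return len(rates) > 1 and all(b < a for a, b in zip(rates, rates[1:]))

def evaluate(campaigns, onboarding) -> dict:
    latest = campaigns[-1]
    r = {"phish_prone_pct": phish_prone_pct(latest),
         "reporting_rate_pct": reporting_rate_pct(latest),
         "time_to_train_days": mean_time_to_train(onboarding),
         "downward_trend": is_downward_trend(campaigns)}
    r["phish_prone_ok"] = r["phish_prone_pct"] < PHISH_PRONE_TARGET
    r["reporting_ok"] = r["reporting_rate_pct"] > REPORTING_TARGET
    r["time_to_train_ok"] = r["time_to_train_days"] < TIME_TO_TRAIN_TARGET
    r["evidence_ok"] = all((r["phish_prone_ok"], r["reporting_ok"],
                            r["time_to_train_ok"], r["downward_trend"]))
    return r
```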


Clause 7.3 FAQ

Do I need to train contractors under Clause 7.3?

Yes. Any person doing work under your control must be aware of your security policy. If they have an @yourcompany.com email address, they must be in the programme.

Is a monthly newsletter enough for awareness?

In my experience, no. A newsletter is a great addition, but it doesn’t provide the measurable data (like quiz results) that an auditor needs to see for competence.

What if someone fails a phishing test multiple times?

They should receive “just-in-time” training. If they continue to fail, it becomes a performance issue that should involve their manager and HR.

Does the CEO have to do awareness training?

Absolutely. In fact, high-level executives are often the biggest targets for “Whaling” attacks. No one is exempt from Clause 7.3.

How often should I update the awareness content?

I recommend a full review annually, or whenever there is a major change in the threat environment, such as the rise of generative AI threats.