What is ISO 27001 Awareness Training

Annex A 6.3 is the ISO 27001:2022 control titled "Information security awareness, education and training." It requires the organization to plan, establish, implement, and maintain an awareness, education, and training program for all employees, and to update it regularly in line with the information security policy and relevant topical policies.

It replaces the 2013 standard's A.7.2.2 control, which sat inside the Human Resource Security domain. The 2022 control sits inside the People controls theme and elevates the operational program from a paragraph in HR security into a named, separately auditable Annex A control.

Yes, in three places. Clause 7.3 (Awareness) requires that every person doing work under the organization's control is aware of the information security policy, their contribution to ISMS effectiveness, and the implications of not conforming. Clause 7.2 (Competence) requires documented competence for roles whose work affects information security performance. Annex A 6.3 is the operational control that delivers both.

An auditor will check that the program exists, that it covers the people inside the ISMS scope (including contractors and third parties holding accounts), and that per-employee evidence is retained. Missing any of the three opens a nonconformity finding.

The standard does not prescribe a fixed cadence. The control text in A.6.3 says the program must be updated "regularly," which auditors interpret in light of the information security policy, the threat landscape, and the topical policies referenced in the SoA. In practice, certification bodies expect at minimum an annual refresh for all staff plus event-driven updates when a new threat or policy change makes existing content out of date.

Best-in-class programs run continuously, with monthly role-based exercises and quarterly all-staff campaigns. The continuous model produces fresher evidence for every surveillance audit and reduces the nonconformity risk from the "updated regularly" clause.

Auditors sample evidence at the employee level. The standard pack includes the awareness program plan, the role-based assignment matrix, signed policy acknowledgments, per-employee completion records (name, module, date, assessment score), phishing simulation results, awareness-campaign artifacts (newsletters, posters, town-hall slides), and a register of new joiner and contractor onboarding completions.

The pack has to cover the full audit period: 12 months for surveillance audits and 36 months for recertification. Aggregate completion rates do not satisfy the requirement. The auditor will sample named individuals across the ISMS scope, including contractors, third parties, and recent acquisitions, and ask for the records.

Stage 1 is a documentation review. The auditor confirms that the awareness program is documented, that it covers Annex A 6.3 and Clauses 7.2 and 7.3, and that the role-based assignment matrix exists. Findings at Stage 1 are usually around documentation gaps rather than evidence gaps.

Stage 2 is the certification audit. The auditor samples per-employee records across the full ISMS scope, tests the policy acknowledgment process, and validates that the program runs as documented. This is where most awareness-related nonconformities open.

Surveillance audits in years 1 and 2 sample a subset of controls. A.6.3 is almost always included because it is the most commonly failed control area in the entire standard. Recertification in year 3 is a full audit again, with the same scope as Stage 2.

The 2013 standard listed awareness as control A.7.2.2 inside the Human Resource Security domain. The 2022 standard moved it to A.6.3 inside the new People controls theme and rewrote the control text to make the program requirement explicit: planned, established, implemented, maintained, and updated regularly in line with the information security policy and relevant topical policies.

The transition deadline from 27001:2013 closed on 31 October 2025. Organizations operating against an old certificate after that date are no longer ISO 27001 certified. The SoA, the program documentation, and the audit evidence pack all need to reference A.6.3, not the legacy A.7.2.2.

Yes. Clause 7.3 applies to "all persons doing work under the organization's control," which extends to contractors, agency staff, and third parties wherever they hold an account or handle information assets inside the ISMS scope. The contracting model does not reduce the requirement; the organization remains accountable for the awareness evidence.

Practical implementation usually assigns the baseline awareness module to every contractor on day one, with a signed policy acknowledgment, and tracks completion in the same LMS or GRC system that holds the employee records. Auditors sample contractor records on the same basis as employees, so missing one contractor is the same finding as missing an employee.

Both frameworks require a documented, role-based, per-employee awareness program. The depth of evidence is similar, and the same training program usually satisfies both with shared evidence packs. The differences are in audit mechanics: SOC 2 is a US AICPA attestation with annual Type 2 cycles, while ISO 27001 is an international ISO standard with three-year certification cycles and accredited certification bodies.

For organizations pursuing both, the practical pattern is to design the awareness program against ISO 27001 A.6.3 (the more prescriptive control) and map the evidence pack to SOC 2 CC1.4 as a secondary view. The same training records, role-based assignments, and policy acknowledgments support both audits.