ISO 27001:2022 Annex A Control 6.3: Information Security Awareness, Education and Training

Staff must receive the necessary instruction for effective information security, including regular refreshment of any policies pertinent to their roles. This is what is covered by control 6.3, which deals with information security awareness, education and training.

What is information security awareness, education, and training?

IT security awareness explores the importance of informing users of the significance of information security. This is in an effort to inspire enhanced computer security practices. Users should be made aware of any potential security risks associated with their role, as well as how to defend against them.

It is essential for all personnel within an organisation to possess a clear understanding of the significance of information security and its consequences. To achieve this, stringent information security awareness, education and training must be carried out. The greater the understanding, the more secure the organisation becomes.

Understanding control 6.3

Guaranteeing that staff and stakeholders alike are educated in meeting information security obligations is the key goal of control 6.3. To achieve this, the control deals with a range of activities relating to an organisation’s information security framework.

The key to achieving this can be found in three key areas, all promoted by control 6.3:

• Raising awareness of the significance of information security

• Advocating good information security practices

• Encouraging policy and regulation conformity

Why is control 6.3 necessary?

To ensure their security measures are effective, organisations must provide employees with the knowledge and tools they need.

Control 6.3 addresses the requirements for a productive awareness programme. Information security awareness programmes are necessary for ensuring personnel have the appropriate abilities and knowledge to protect data assets.

Training should be carried out as the risk assessment dictates, though control 6.3 recommends no less than once a year.

Meeting the requirements of control 6.3

To ensure employees are trained to perform their roles safely and securely, without putting information security at risk, a process of training and awareness must be put in place. This might involve in-person sessions, webinars or access to online resources.

Awareness, education, and training should be developed to meet the demands of the organisation’s information security policy and topic-specific policies, considering the nature of protected information and the controls in place to protect it.

Training and awareness should be introduced to people at all levels of the organisation and should comprise multiple activities, such as booklets, campaigns, posters, websites, info sessions, learning modules, emails and more.

Developing a training and awareness programme

According to control 6.3, an organisation’s training and awareness programme should cover:

• A clear commitment to information security across the organisation, and familiarity with relevant information security procedures, including regulations and laws.

• Personal accountability for one’s own actions or inactions, including failure to protect information belonging to organisations or stakeholders.

• Information security event reporting and baseline controls, including password security.

• Contact points and resources for information security, such as additional information security awareness materials.

What’s changed since 2013?

Control 6.3 replaces the earlier ISO 27001:2013 Annex A Control 7.2.2, but though it covers some of the same material, the earlier iteration lacked the 2022 version’s statement of purpose.

Barring this and some of the wording, there are no other significant differences between the 2013 control and its 2022 counterpart. The more recent version has been designed to be more user-friendly.