ISO 27001:2022 Requirements: Clause 7.3 Awareness

Awareness can be linked to competence in the standard, as a person cannot be competent if they are not aware of their ISMS roles and responsibilities. As per the standard, any person working in the organisation must be aware of the information security policy that is in force at the time, as per clause 5.2.

Senior leadership must, therefore, ensure that they communicate clearly and regularly with all relevant interested parties. It is also vital that the senior leadership of an organisation communicate any changes to the information security policy, or update the interested parties if a new policy is implemented.

Individuals should know what and how much they are contributing to the effectiveness of the ISMS and what this improved efficiency will bring to the information security performance, in line with the ISO 27001 focus on continual improvement.

Anyone working under the organisation's control must also be aware of the consequences if they are not conforming to the ISMS requirements.