An awareness program encompasses all measures that sensitize employees to information security risks and enable secure behavior. This includes training sessions, phishing simulations, posters, intranet articles, and micro-learnings.
ISO 27001 Clause 7.3 (Awareness) and Annex A control A.6.3 (Awareness, Education and Training) require a documented program. The key point is that awareness is an ongoing effort: the standard requires regular measures adapted to the current threat landscape. Measure success through concrete metrics — for example, click rates in phishing simulations, number of reported incidents, or completion rates of e-learning modules. Role-specific content (IT team, management, new hires) increases effectiveness.