Annex A · People Control

A.6.3 — Information Security Awareness, Education and Training

4 min read · Reviewed by: Cenedril Editorial
Tags: A.6.3 · ISO 27001 · ISO 27002 · BSI ORP.3

An employee receives a well-crafted phishing email, clicks the link and enters their credentials. The attacker gains access to the internal ticketing system, exfiltrates customer data and sells it on a dark-web marketplace. The post-mortem reveals that the employee never received any security training — and the organization has no awareness program. A.6.3 is the control that prevents this starting condition.

The control requires organizations to establish and maintain a security awareness program that covers all personnel and relevant external parties. The program must be tailored to roles, regularly updated and verifiably effective.

What does the standard require?

The core requirements can be grouped into five areas:

  • Awareness program. The organization must establish a program that keeps all personnel informed about information-security policies, procedures and their individual responsibilities.
  • Role-based training. Training content must be tailored to the person’s role and the sensitivity of the information they handle. A developer needs different modules than a receptionist.
  • Onboarding integration. New joiners must receive awareness training before or shortly after they begin their work.
  • Continuous reinforcement. A one-off annual session is a minimum. The standard expects ongoing reinforcement through campaigns, reminders, simulations and updates.
  • Effectiveness measurement. The organization must verify that personnel understand their obligations — through tests, exercises or other measurable means.

In practice

Build a training calendar. Plan the annual cycle: onboarding training for new joiners, annual refresher for all staff, role-specific deep dives (e.g. secure coding, incident response), phishing simulations (quarterly), and ad-hoc sessions after incidents or policy changes.

Use an e-learning platform. E-learning makes it easy to deliver, track and prove training completion. Look for platforms that support quizzes, certificates and automated reminders for overdue training.

Run phishing simulations. Simulated phishing campaigns are the single most effective way to measure and improve awareness. Track click rates, reporting rates and repeat-offender rates over time.

Maintain a training register. For every training event, record: topic, date, delivery method, attendees, completion status and test results. This register is the primary audit artifact (see the Training Register in the Starter Kit).

Typical audit evidence

Auditors typically expect the following evidence for A.6.3:

  • Awareness program documentation — the program plan, calendar and curriculum
  • Training register — per-person completion records with dates and results (see the Training Register in the Starter Kit)
  • Training materials — slide decks, e-learning modules, handouts
  • Phishing simulation reports — campaign results showing click and report rates
  • Onboarding records — proof that new joiners received training within the defined timeframe
  • Effectiveness metrics — quiz pass rates, simulation trends, feedback surveys

KPI

% of employees who completed annual security awareness training

Measured as a percentage: how many of your active personnel (employees, contractors with access) have completed the required awareness training in the current cycle? Target: 100%. Typical starting points range from 50–75%; reaching 95%+ is realistic within one year if automated reminders are in place.

Supplementary KPIs:

  • Phishing simulation click rate (target: below 5%)
  • Average quiz score across all personnel
  • % of new joiners trained within 30 days of start date
  • Number of security events reported by trained personnel (higher is better — it means awareness is working)

BSI IT-Grundschutz

A.6.3 maps directly to BSI ORP.3 (Awareness and Training):

  • ORP.3.A1 (Awareness of information security) — requires that all employees are made aware of their security responsibilities and the relevant policies.
  • ORP.3.A4 (Conception of an awareness and training program) — requires a structured, planned program with defined target groups and content.
  • ORP.3.A6 (Implementation of awareness and training measures) — covers delivery, scheduling and attendance tracking.
  • ORP.3.A7 (Evaluation and improvement) — requires measurement of effectiveness and continuous improvement of the program.
  • ORP.3.A8 (Measurement and reporting of awareness activities) — requires reporting on training KPIs to management.

A.6.3 connects to multiple controls across the ISMS.

Frequently asked questions

How often must security awareness training be conducted?

ISO 27001 does not prescribe a frequency. Annual training is the most common baseline. Many organizations supplement it with quarterly phishing simulations and ad-hoc updates after significant incidents or policy changes.

Does the training need to include a test?

The standard requires you to verify that personnel understand their responsibilities. A quiz, a practical exercise or a documented acknowledgement can serve this purpose. An untested presentation alone is hard to defend in an audit.

Who needs training — just employees?

All personnel with access to organizational assets: employees, contractors, temporary workers and, where relevant, key external parties such as outsourced IT support.

What topics should the training cover?

At a minimum: the organization's information-security policy, acceptable use, incident reporting, phishing and social engineering, password hygiene and the disciplinary process. Role-specific modules (e.g. secure coding for developers, physical security for facility staff) add further value.