What Is ISO 27001 Annex A Control 6.3?
Control 6.3 of ISO 27001:2022 Annex A requires that all personnel in your organisation, and relevant contractors, receive appropriate information security awareness, education and training. It also requires that they receive regular updates on your organisation's information security policies and procedures as they relate to their job function.
In plain terms, this control is about making sure your people actually understand how to protect information, not just that they have signed a policy document they never read. It sits within the People controls category of Annex A, which tells you something important: ISO 27001 recognises that your biggest information security risk is often not your technology. It is your people.
If you are working toward ISO 27001 certification, this control will come up in your Stage 2 audit. Auditors will want to see evidence that your training programme is real, relevant, and ongoing. A one-page induction checklist from three years ago will not cut it.
Why This Control Exists
The vast majority of information security incidents involve human error. Phishing emails that get clicked, passwords written on sticky notes, files sent to the wrong recipient, USB drives plugged into company computers without a second thought. These are not technology failures. They are awareness failures.
ISO 27001 addresses this directly through Control 6.3. The standard recognises that technical controls like firewalls, encryption and access management can only do so much. If your staff do not understand why those controls exist, or what behaviour is expected of them, the technical layer will eventually be bypassed by a well-timed social engineering attack or a simple mistake.
The control is also closely linked to your information security risk assessment, because the training you provide should be shaped by the risks you have identified. A financial services firm faces different human-factor risks than a software development company, and your training programme should reflect that.
What the Control Actually Requires
The language in ISO 27001:2022 is intentionally broad, which gives organisations flexibility but also creates confusion about what is actually required. Here is a practical breakdown of what Control 6.3 expects.
Awareness for All Personnel
Every person who works for your organisation, whether full-time, part-time, casual, or on a fixed-term contract, needs to be made aware of your information security policies and their responsibilities under those policies. This includes contractors and third-party staff who have access to your systems or data.
Awareness is the baseline. It means people understand that information security matters, know what the key policies are, and can recognise common threats like phishing or social engineering. You do not need to turn every employee into a cybersecurity expert, but they do need to know enough to avoid being the weakest link.
Education and Training Relevant to Job Function
Beyond general awareness, the control requires that training be relevant to what people actually do. A developer who writes code handling personal data needs to understand secure coding practices. A finance officer with access to banking credentials needs to understand password hygiene and how to spot business email compromise attacks. A receptionist who handles physical documents needs to understand clean desk policy and document disposal.
This is where many organisations fall short. They run a single annual cybersecurity awareness video for everyone and call it done. That approach satisfies almost nothing. Role-based training is not optional under this control. It is the point.
Regular Updates
Control 6.3 requires that training and awareness activities are kept current. The threat landscape changes. Your policies change. New systems get introduced. Your training programme needs to reflect those changes, not sit static on an intranet page that nobody visits.
In practice, this means you need a defined review cycle for your training content, a mechanism for pushing updated information to relevant staff when something significant changes, and records showing that updates have been communicated and acknowledged.
How to Implement Control 6.3 in Practice
Implementation does not need to be complicated or expensive, but it does need to be deliberate. Here is how to approach it in a way that will satisfy an auditor and, more importantly, actually reduce your risk.
Step 1: Map Your Roles and Their Information Security Risks
Start by identifying the different roles in your organisation and the specific information security risks associated with each. A simple table works fine. List each role, the systems and data they access, and the most likely human-factor risks for that role. This becomes the foundation for your training programme.
For example, a customer service team that handles personal data over the phone faces different risks from a warehouse team that uses a tablet-based inventory system. Mapping this out first means your training is targeted rather than generic.
Step 2: Build a Training Matrix
Once you have your role-based risk map, build a training matrix that shows which training modules apply to which roles, how frequently each module needs to be completed, and where the evidence of completion is stored. If you want a head start on this, there is a detailed guide on how to build an ISO training matrix for your team that covers the structure and documentation requirements.
Your matrix does not need to be complex. A spreadsheet with staff names, roles, training modules, completion dates and next due dates is entirely sufficient for most small to medium businesses. What matters is that it is maintained and that it reflects your actual training activities.
Step 3: Develop or Source Your Training Content
You have several options here. You can develop training content in-house, purchase an off-the-shelf awareness platform, engage a consultant to build a custom programme, or use a combination of all three. The right choice depends on your budget, the size of your team, and the complexity of your information security environment.
For small businesses, a well-structured set of internal briefings, policy acknowledgement forms, and quarterly team discussions can satisfy this control without significant investment. For larger organisations or those in high-risk sectors, a dedicated learning management system with tracked completions will be expected.
Whatever format you choose, make sure your content covers at minimum: phishing and social engineering, password management, acceptable use of systems and devices, data classification and handling, incident reporting, and physical security basics like clean desk and screen lock policies.
Step 4: Deliver Training and Keep Records
Delivery without records is worthless from a certification perspective. Every training activity needs to be documented. This means completion records, attendance registers, assessment results where applicable, and acknowledgement of policy updates.
Your auditor will ask to see this evidence. They will also test whether the training has had any effect by asking staff questions during the audit. This is not uncommon. If an auditor asks a random staff member what they would do if they received a suspicious email, and the answer is a blank stare, that is a problem regardless of what your training records say.
Step 5: Review and Improve
Set a schedule for reviewing your training content. Annually is the minimum. You should also trigger a review whenever there is a significant change to your systems, a new threat emerges that affects your sector, or an incident occurs that reveals a gap in awareness. Treat your training programme the same way you treat any other part of your management system: review it, identify gaps, and improve it.
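As an added worked example (not part of the original article), the following Python script shows how the training matrix from Steps 1 to 4 and the review triggers from Step 5 can be checked mechanically before an audit. It takes a role-to-module requirements map, a staff register, completion records and the dates on which training content was last changed, and reports three kinds of gap: a required module with no completion record, a completion older than its renewal period, and a completion that predates a change to the underlying policy or content. All names, roles, modules and dates are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data; names, roles, modules and dates are illustrative only.
# Role -> required modules, each with its renewal period in days.
ROLE_REQUIREMENTS = {
    "developer": {"general_awareness": 365, "secure_coding": 365},
    "finance": {"general_awareness": 365, "bec_awareness": 365},
    "reception": {"general_awareness": 365, "clean_desk": 365},
}

# Staff register: name -> role (the output of the Step 1 role mapping).
STAFF = {
    "alice": "developer",
    "bob": "finance",
    "carol": "reception",
    "dave": "developer",
}

# Completion records: (name, module, completion date), i.e. the Step 4 evidence.
COMPLETIONS = [
    ("alice", "general_awareness", date(2025, 2, 1)),
    ("alice", "secure_coding", date(2025, 2, 3)),
    ("bob", "general_awareness", date(2024, 1, 15)),  # older than 365 days at AS_OF
    ("bob", "bec_awareness", date(2025, 3, 1)),
    ("carol", "general_awareness", date(2025, 1, 10)),
    # carol has no clean_desk record at all
    ("dave", "general_awareness", date(2025, 2, 1)),
    ("dave", "secure_coding", date(2024, 11, 1)),  # completed before the content changed
]

# Module -> date its policy or content was last updated (Step 5 review trigger).
CONTENT_UPDATED = {
    "secure_coding": date(2025, 1, 20),
}

# Constructed audit date used when the script is run stand-alone.
AS_OF = date(2025, 6, 1)


def latest_completions(completions):
    """Collapse the completion log to the most recent date per (name, module)."""
    latest = {}
    for name, module, when in completions:
        key = (name, module)
        if key not in latest or when > latest[key]:
            latest[key] = when
    return latest


def training_gaps(staff, completions, requirements, content_updated, as_of):
    """Return (name, module, status) findings sorted by staff name.

    status is one of 'unmapped_role', 'missing', 'overdue' or 'stale'.
    """
    latest = latest_completions(completions)
    findings = []
    for name, role in sorted(staff.items()):
        if role not in requirements:
            # A role with no training requirements is a Step 1 gap, not a pass.
            findings.append((name, "*", "unmapped_role"))
            continue
        for module, renew_days in requirements[role].items():
            done = latest.get((name, module))
            if done is None:
                findings.append((name, module, "missing"))
            elif as_of - done > timedelta(days=renew_days):
                findings.append((name, module, "overdue"))
            elif module in content_updated and done < content_updated[module]:
                findings.append((name, module, "stale"))
    return findings


def next_due_dates(staff, completions, requirements):
    """Compute the 'next due' column of the matrix: (name, module) -> date or None."""
    latest = latest_completions(completions)
    due = {}
    for name, role in staff.items():
        for module, renew_days in requirements.get(role, {}).items():
            done = latest.get((name, module))
            due[(name, module)] = None if done is None else done + timedelta(days=renew_days)
    return due


if __name__ == "__main__":
    for name, module, status in training_gaps(
        STAFF, COMPLETIONS, ROLE_REQUIREMENTS, CONTENT_UPDATED, AS_OF
    ):
        print(f"{name:<8} {module:<20} {status}")
```

Run against the constructed data, the report flags bob's general awareness module as overdue, carol's clean desk module as missing and dave's secure coding module as stale, which are exactly the three questions an auditor would raise from the same spreadsheet. The "stale" check is what turns a policy change into a training action, as Step 5 and the Regular Updates section require.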
Real World Examples of Control 6.3 in Action
Abstract requirements are easier to understand when you see how they play out in real organisations. Here are some practical examples across different business types.
Example 1: A 30-Person Accounting Firm
An accounting firm handling client financial data implements Control 6.3 by running a 45-minute onboarding session for all new staff covering their information security policy, acceptable use policy, and how to report a suspected incident. All staff complete a quarterly phishing simulation through a third-party platform. The results are tracked, and anyone who clicks a simulated phishing link is automatically enrolled in a short remediation module. Senior accountants with access to client banking details complete an additional annual module on business email compromise. All completions are logged in a shared spreadsheet maintained by the practice manager.
Example 2: A 200-Person Healthcare Technology Company
A healthcare software company uses a learning management system to deliver role-based training. Developers complete secure coding and data handling modules. Customer support staff complete modules on handling sensitive health data and recognising social engineering. All staff complete a general information security awareness module at onboarding and annually thereafter. When the company updates its data classification policy, an automated notification is sent to all staff with a link to the updated policy and a short acknowledgement quiz. Completion is tracked and reported to the CISO monthly.
Example 3: A Small IT Managed Services Provider
A small MSP with 12 staff uses a combination of internal team meetings and free resources from the Australian Cyber Security Centre to run quarterly security briefings. Each briefing covers a specific topic such as ransomware, multi-factor authentication, or supply chain attacks. The team leader keeps a simple attendance register and notes what was covered. Staff sign a policy acknowledgement form annually. This approach is proportionate to the size of the business and satisfies the intent of Control 6.3 without requiring significant investment.
Common Mistakes Organisations Make With Control 6.3
Across ISO 27001 implementations audited and consulted on in many industries, the same mistakes come up repeatedly. Here is what to avoid.
Treating Awareness as a Tick-Box Exercise
Running a single annual video and collecting signatures is not a training programme. It is a liability document. Auditors know the difference, and more importantly, it does not reduce your actual risk. If your training programme is designed around satisfying an audit rather than changing behaviour, it will fail both tests eventually.
No Role-Based Differentiation
Giving everyone the same generic training regardless of their role misses the entire point of the control. A warehouse worker does not need to understand SQL injection. A developer does. Segment your training by role and make sure the content is relevant to what each group actually does.
No Records of Completion
If you cannot demonstrate that training happened, in the eyes of an auditor it did not happen. Keep records. This is non-negotiable. The format does not matter as much as the fact that records exist, are accurate, and are retrievable.
Not Updating Content When Things Change
A training module written in 2022 that still references old policies or outdated threat examples is worse than no training in some ways, because it creates false confidence. When your policies change, your training needs to change too. Build this into your change management process.
How Control 6.3 Connects to Other Parts of ISO 27001
Control 6.3 does not exist in isolation. It connects to several other requirements within the standard that you should understand when implementing your information security management system.
Clause 7.2 of the main standard addresses competence, which overlaps significantly with this control. The difference is that Clause 7.2 focuses on ensuring people have the skills to do their job effectively, while Control 6.3 focuses specifically on information security awareness and training. Both need to be addressed, and your training matrix can serve both purposes if structured correctly.
Control 6.1 addresses screening of personnel before they are hired, and Control 6.2 covers terms and conditions of employment relating to information security. Together with Control 6.3, these three controls form a comprehensive approach to managing the human factor in your information security programme.
Your incident management process under Control 5.26 also connects here. If staff are not trained to recognise and report incidents, your incident management capability is undermined from the start. Training people to report suspicious activity is as important as training them to avoid it.
If you are also working toward related certifications, it is worth noting that ISO 27701 for privacy information management has similar requirements around staff awareness of privacy obligations, and the two programmes can be run in parallel efficiently.
What Auditors Look For in Control 6.3
When an ISO 27001 auditor reviews this control, they are looking for evidence across several dimensions. Understanding what they want helps you prepare properly.
First, they will ask to see your training records. They want to verify that training has actually been delivered to all relevant personnel, not just planned. Gaps in records for certain staff or roles will be questioned.
Second, they will review the content of your training programme to assess whether it is relevant and current. Generic off-the-shelf content that has not been reviewed or adapted to your context may attract a finding if it does not address the specific risks in your organisation.
Third, they will often interview staff members, particularly those in roles with elevated access or handling sensitive data. These conversations are informal but informative. An auditor asking a staff member to explain your incident reporting process is testing whether training has actually landed, not just whether it was delivered.
Fourth, they will look at whether your training programme is part of a documented process with defined responsibilities, review cycles, and improvement mechanisms. A training programme that exists but has no owner and no review schedule is a gap waiting to be flagged.
Getting Help With ISO 27001 Implementation
Implementing Control 6.3 properly requires understanding your organisation's specific risk profile, building a training programme that reflects that profile, and maintaining it over time. For many businesses, this is manageable internally once you understand the requirements. For others, particularly those in regulated industries or handling large volumes of sensitive data, working with an experienced ISO 27001 consultant makes sense.
If you are at the stage of planning your ISO 27001 implementation or looking to strengthen your existing programme, CertBetter can connect you with verified ISO 27001 consultants who have real experience with the standard. Submit one form and receive up to three competing quotes from vetted providers. The service is completely free for businesses seeking certification help.