Awareness for ISO 27001 Information Security

ISO 27001 Clause 7.3

This sub-clause requires people working under the organisation's control to be aware of the information security policy, their contribution and the implications of not conforming.

ISO 27001 Clause 7.3 - Awareness

Clause 7.3 sits between Clause 7.2 Competence and Clause 7.4 Communication. Where competence is about being able to do the job, and communication is about getting messages in and out, awareness is about everyone in scope of the ISMS understanding what they personally need to know and do.

What ISO 27001 Clause 7.3 Requires

People doing work under the organisation's control must be aware of the information security policy, their contribution to the effectiveness of the ISMS including the benefits of improved information security performance, and the implications of not conforming with the ISMS requirements. The clause has no specific documentation requirement of its own - the evidence comes from the awareness activities and from being able to demonstrate that people understand the basics.

What Awareness Looks Like in Practice

Awareness usually starts at induction. New starters cover the policy, the basic rules, the consequences of breaking them and the channels for reporting issues. From there, awareness is maintained through refresher training, regular communications, posters, intranet content, simulated phishing exercises and other reminders that information security is part of how the organisation operates.

The standard does not specify the format. An e-learning course is one option. A face-to-face session is another. A combination - induction face-to-face plus annual e-learning plus monthly reminders - is common. What matters is that the people in scope know what they need to know, and that the organisation can show how that awareness is being maintained.

Implications of Not Conforming

The third element of Clause 7.3 is often overlooked. Staff need to understand what happens if they do not follow the ISMS requirements. This is not about threats - it is about being clear that there are consequences. For minor breaches the consequence might be a refresher and a record. For serious breaches it could be disciplinary action, and for actions that breach the law it could be police involvement.

Linking the awareness content to the disciplinary policy and the staff handbook makes this clear without needing to dwell on it. The point is that there is a connection, and that staff understand it.

Awareness is the bit of the standard most often confused with training. They are different things. Training is about being able to do something. Awareness is about understanding what you need to know. A receptionist does not need to be trained to configure a firewall, but they do need to know what to do if a stranger walks in claiming to be from IT support.

I test awareness by talking to people. Not in a hostile way - I just ask staff what they would do if they got a suspicious email, where they would find the information security policy, what their role does that affects information security. If the answers are vague across the board, the awareness programme is not working regardless of how much e-learning has been completed.

Practical Compliance Guidance

Awareness is most efficiently delivered through a combination of induction content, an annual refresher and ongoing communications. The alphaZ ISO 27001 Awareness Training Course provides a ready-made baseline that can be used directly or adapted to the organisation's needs.

The documents below support the planning, delivery and recording of information security awareness.

alphaZ document - How to use it

ISO 27001 Toolkit - Complete documentation set for ISO 27001:2022 including the awareness training course and the training matrix.

ISO 27001:2022 Awareness Training Course - Ready-made awareness training course covering the policy, individual responsibilities and the consequences of non-conformance.

ER2 Staff Training Competency Matrix - Records who has completed awareness training and when, and triggers refresher training when due.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

How often should awareness training be refreshed?

Annually is typical. Some organisations refresh more frequently for higher-risk roles or when there has been a significant change. The cycle is for the organisation to decide based on the threat landscape and how often the underlying content changes.

Does Clause 7.3 apply to contractors and agency staff?

Yes. The clause applies to anyone doing work under the organisation's control that affects information security. Short-term contractors and agency staff usually go through a streamlined induction that covers the awareness essentials.

Does Clause 7.3 require documented information?

Clause 7.3 itself does not specify documented information requirements, but the related Clause 7.2 Competence does. In practice, organisations record awareness training completions in the training matrix to evidence both clauses.

UK Legislation

UK GDPR includes implicit awareness requirements through its accountability principle and the expectation that staff handling personal data understand their responsibilities.
