Clause 7.3 vs Control A.6.3: where ISO 27001 requires awareness
ISO/IEC 27001:2022 addresses awareness in two different places, and the distinction matters at audit time. ISO 27001 Clause 7.3 sits in the mandatory main body of the standard (clauses 4–10), which means you cannot scope it out: every organization that wants certification must meet it. The clause requires that all persons doing work under the organization's control are aware of three things:
- the information security policy - not just that it exists, but what it means for their daily work;
- their contribution to the effectiveness of the ISMS, including the benefits of improved information security performance;
- the implications of not conforming with ISMS requirements - what actually happens when someone ignores the rules.
Control A.6.3 (information security awareness, education and training) lives in Annex A. Annex A controls are selected through your risk assessment and documented in the Statement of Applicability, so in theory A.6.3 is optional. In practice, there is no credible risk-based justification for excluding it, and an auditor will not accept one. The control requires that personnel and relevant interested parties receive appropriate awareness, education and training, plus regular updates of the information security policy, topic-specific policies and procedures, as relevant for their job function.
The simplest way to keep them apart: Clause 7.3 defines the outcome (people are aware), Control A.6.3 defines the mechanism (a program that creates and maintains that awareness). Auditors test the outcome by interviewing staff, and the mechanism by sampling your records. You need to pass both.
What must ISO 27001 awareness training cover?
Clause 7.3 fixes the minimum content. Whatever format your program takes - e-learning, live sessions, intranet campaigns - it must demonstrably cover the information security policy, each person's individual role in the ISMS, and the consequences of nonconformity. The third point is the one programs most often skip: employees should be able to say what happens if they bypass security controls, both for the organization and for themselves.
Control A.6.3 then adds role relevance. Generic annual e-learning covers the baseline, but the control expects content relevant to each job function. In practice that means finance teams train on invoice fraud and CEO impersonation, developers on secure coding, administrators on privileged-access handling - and everyone on recognizing phishing, which ENISA's Threat Landscape reporting consistently ranks among the top threats to EU organizations.
The corridor test: how auditors check awareness in person
Auditors verify coverage live, not just on paper. A standard technique is to stop employees far from the IT department - a receptionist, a warehouse coordinator - and ask what they would do with a suspicious email or where the security policy lives. If the answer is "no idea, ask IT", your documented training just failed its field test.
How often should ISO 27001 awareness training run?
ISO 27001 does not set a number. Clause 7.3 says nothing about frequency, and Control A.6.3 only asks for "appropriate" training and "regular" policy updates without defining either. The standard's recurring logic - the same "planned intervals" wording it uses for internal audits and management reviews - applies here too: you define the interval, justify it against your risks, document it, and then keep to it. Most findings come not from choosing the wrong cadence, but from not following the one you chose.
A cadence that holds up in certification audits looks like this:
- Onboarding: security awareness before a new joiner gets system access, evidenced per person;
- Annual refresher: all staff, updated content, completion tracked;
- Continuous reinforcement: short monthly or quarterly activities such as phishing simulations, micro-lessons or security bulletins;
- Event-driven updates: after a policy change, a relevant incident, or a significant role change.
If your organization also falls under NIS2, national implementing rules may take the choice away: Slovakia's decree no. 227/2025 Coll., for example, mandates initial training before system access, regular refreshers and documented effectiveness evaluation. The NIS2 security awareness training requirements overlap heavily with ISO 27001, so one well-designed program can serve both.
What evidence do certification auditors sample?
Since the IAF transition deadline of 31 October 2025, every valid certificate runs on the 2022 revision - all ISO 27001:2013 certificates have expired. That means every surveillance and recertification audit now tests Clause 7.3 and Control A.6.3 in their current form. And auditors do not linger on policy documents; they sample records.
ISO 27001 awareness training evidence checklist
- A documented awareness and training plan: topics, target groups, schedule, owner;
- Completion logs with names, dates, topics and the content version delivered;
- Policy acknowledgments - signed or digitally confirmed, tied to the current policy version;
- Onboarding evidence for recent joiners, including contractors and temporary staff;
- Effectiveness measurements: quiz results, phishing simulation metrics, trend reports;
- Management review minutes showing awareness results were evaluated and acted on (Clauses 9.1 and 9.3).
Sampling is targeted, not random. A typical auditor pulls the HR list, picks two people hired in the last six months, one contractor and one leaver, and asks for their complete awareness trail. Gaps for exactly these edge cases - not for long-tenured core staff - are where most evidence findings start.
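A pre-audit check that runs the same targeted sample against your own records, as an added example rather than anything from the page's author or any product: it takes an HR roster and a training/acknowledgment export (both constructed here, with assumed field names), flags the gaps the checklist above lists - onboarding after access, missing contractor records, acknowledgments of an outdated policy version, stale refreshers - and lists the people an auditor is likely to pull (joiners in the last six months, contractors, leavers). The data structures and the 365-day refresher interval are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample data. Field names are assumptions for this example, not
# the export format of any HR system or LMS.

@dataclass
class Person:
    pid: str
    name: str
    kind: str                       # "employee" | "contractor" | "temp"
    start: date                     # first day under the organization's control
    access_granted: date            # first day with system access
    left: Optional[date] = None     # leaving date, if the person has left

@dataclass
class Record:
    pid: str
    topic: str          # "onboarding" | "refresher" | "policy_ack"
    completed: date
    version: str        # content version delivered or policy version acknowledged

AS_OF = date(2026, 3, 1)
CURRENT_POLICY_VERSION = "3.2"

PEOPLE = [
    Person("E001", "Anna",  "employee",   date(2019, 4, 1),  date(2019, 4, 1)),
    Person("E017", "Ben",   "employee",   date(2026, 1, 12), date(2026, 1, 12)),
    Person("C003", "Dana",  "contractor", date(2025, 11, 3), date(2025, 11, 3)),
    Person("E009", "Filip", "employee",   date(2021, 2, 1),  date(2021, 2, 1), left=date(2025, 12, 31)),
    Person("E022", "Greta", "employee",   date(2025, 10, 6), date(2025, 10, 7)),
]

RECORDS = [
    Record("E001", "onboarding", date(2019, 4, 1),   "1.0"),
    Record("E001", "refresher",  date(2025, 6, 10),  "2025"),
    Record("E001", "policy_ack", date(2024, 1, 15),  "3.1"),   # acknowledged an older policy
    Record("E017", "onboarding", date(2026, 1, 20),  "2.0"),   # eight days after access was granted
    Record("E017", "policy_ack", date(2026, 1, 20),  "3.2"),
    # C003 (contractor) has no records at all
    Record("E009", "onboarding", date(2021, 2, 1),   "1.2"),
    Record("E009", "refresher",  date(2025, 3, 4),   "2025"),
    Record("E009", "policy_ack", date(2025, 3, 4),   "3.1"),
    Record("E022", "onboarding", date(2025, 10, 6),  "2.0"),
    Record("E022", "policy_ack", date(2025, 10, 6),  "3.2"),
]

def find_evidence_gaps(people, records, current_policy_version, as_of, refresher_days=365):
    """Return {pid: [gap descriptions]} for everyone whose trail is incomplete."""
    by_person = defaultdict(list)
    for r in records:
        by_person[r.pid].append(r)
    gaps = {}
    for p in people:
        # A leaver is judged on the trail up to the leaving date, not on today's policy.
        cutoff = p.left or as_of
        recs = [r for r in by_person[p.pid] if r.completed <= cutoff]
        problems = []
        onboarding = [r for r in recs if r.topic == "onboarding"]
        if not onboarding:
            problems.append("no onboarding awareness record")
        elif min(r.completed for r in onboarding) > p.access_granted:
            problems.append("onboarding completed after system access was granted")
        acks = [r for r in recs if r.topic == "policy_ack"]
        if not acks:
            problems.append("no policy acknowledgment")
        elif p.left is None and max(acks, key=lambda r: r.completed).version != current_policy_version:
            problems.append("latest policy acknowledgment is for an outdated version")
        if p.left is None:
            latest = max((r.completed for r in recs if r.topic in ("onboarding", "refresher")), default=None)
            if latest is not None and (as_of - latest).days > refresher_days:
                problems.append(f"no awareness training in the last {refresher_days} days")
        if problems:
            gaps[p.pid] = problems
    return gaps

def auditor_sample(people, as_of, months=6):
    """The targeted sample described in the text: recent joiners, contractors and leavers."""
    recent = as_of - timedelta(days=30 * months)
    return sorted({p.pid for p in people if p.start >= recent or p.kind == "contractor" or p.left})

if __name__ == "__main__":
    for pid in auditor_sample(PEOPLE, AS_OF):
        print(pid, find_evidence_gaps(PEOPLE, RECORDS, CURRENT_POLICY_VERSION, AS_OF).get(pid, "complete trail"))
```

Run it against real exports before the auditor does: every person in the sample list should come back with a complete trail, and the contractor and the most recent joiner are the rows to fix first.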
How phishing simulations prove training effectiveness
Clause 9.1 requires the organization to evaluate the performance and effectiveness of the ISMS - awareness included. This is where e-learning certificates hit their structural limit: a completion certificate proves the training was delivered, not that anyone behaves differently afterwards. Auditors increasingly ask the obvious follow-up: how do you know the training works?
Phishing simulations are the most direct answer, because they measure behavior rather than attendance. A baseline campaign before training and quarterly campaigns afterwards produce exactly the metrics an effectiveness review needs: click rate, credential-submission rate, report rate and the population of repeat clickers. A falling click rate and a rising report rate across quarters is effectiveness evidence in a single chart - see our phishing click-rate benchmarks for realistic targets and the step-by-step phishing simulation playbook for running campaigns cleanly.
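The effectiveness review described above, computed from campaign results, as an added example that is not code from the page's author or from any simulation product: it takes three constructed campaigns (a baseline and two quarterly follow-ups, in an assumed structure of recipient sets), applies the data-quality checks an auditor would also apply, and produces the click, credential-submission and report rates per campaign, the repeat-clicker population, and a first-versus-last trend verdict.

```python
from collections import Counter

# Constructed sample results (not real data) for a baseline campaign and two
# quarterly follow-ups. The structure is an assumption for this example: per
# campaign, the delivered recipient set and the subsets that clicked,
# submitted credentials on the landing page, or reported the message.
CAMPAIGNS = [
    {"name": "baseline", "quarter": "2025-Q2",
     "recipients": {f"u{i:02d}" for i in range(1, 11)},
     "clicked": {"u01", "u02", "u03", "u04"},
     "submitted": {"u01", "u02"},
     "reported": {"u05"}},
    {"name": "q3", "quarter": "2025-Q3",
     "recipients": {f"u{i:02d}" for i in range(1, 11)},
     "clicked": {"u01", "u06"},
     "submitted": {"u01"},
     "reported": {"u05", "u07", "u08"}},
    {"name": "q4", "quarter": "2025-Q4",
     "recipients": {f"u{i:02d}" for i in range(1, 11)},
     "clicked": {"u01"},
     "submitted": set(),
     "reported": {"u02", "u05", "u07", "u08", "u09"}},
]

def validate(campaign):
    """Reject exports that cannot be right: events for people who were never
    sent the message, or credentials submitted without a recorded click."""
    delivered = campaign["recipients"]
    for key in ("clicked", "submitted", "reported"):
        if not campaign[key] <= delivered:
            raise ValueError(f"{campaign['name']}: {key} contains recipients outside the delivered set")
    if not campaign["submitted"] <= campaign["clicked"]:
        raise ValueError(f"{campaign['name']}: credential submission without a recorded click")

def campaign_metrics(campaigns):
    """Per-campaign rates in campaign order, all relative to delivered count."""
    out = []
    for c in campaigns:
        validate(c)
        n = len(c["recipients"])
        out.append({
            "name": c["name"], "quarter": c["quarter"], "delivered": n,
            "click_rate": len(c["clicked"]) / n,
            "submission_rate": len(c["submitted"]) / n,
            "report_rate": len(c["reported"]) / n,
        })
    return out

def repeat_clickers(campaigns, min_campaigns=2):
    """Recipients who clicked in at least `min_campaigns` campaigns -> click count."""
    counts = Counter()
    for c in campaigns:
        counts.update(c["clicked"])
    return {u: k for u, k in sorted(counts.items()) if k >= min_campaigns}

def effectiveness_trend(metrics):
    """Compare the first campaign (baseline) with the latest one. The program is
    'improving' only if clicks fell AND reports rose; a falling click rate alone
    can also mean people simply stopped opening mail."""
    first, last = metrics[0], metrics[-1]
    click_delta = last["click_rate"] - first["click_rate"]
    report_delta = last["report_rate"] - first["report_rate"]
    return {"click_rate_delta": round(click_delta, 3),
            "report_rate_delta": round(report_delta, 3),
            "improving": click_delta < 0 and report_delta > 0}

if __name__ == "__main__":
    metrics = campaign_metrics(CAMPAIGNS)
    for m in metrics:
        print(f"{m['quarter']:8} click {m['click_rate']:.0%}  submit {m['submission_rate']:.0%}  report {m['report_rate']:.0%}")
    print("repeat clickers:", repeat_clickers(CAMPAIGNS))
    print("trend:", effectiveness_trend(metrics))
```

The repeat-clicker list is the input to the graduated response discussed later on this page; the trend dict is the one-line summary you put in front of the management review under Clause 9.3.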
This is the gap PhishGun was built to close: realistic campaigns with localized templates in English, Slovak and Czech, in-the-moment micro-training the second an employee clicks, and human-risk dashboards that export as audit-ready evidence for ISO 27001, NIS2 and DORA.
Common A.6.3 nonconformities and how to avoid them
Most awareness-related findings are minor nonconformities - but a minor ISO 27001 audit nonconformity that repeats across surveillance audits gets escalated, and weak awareness evidence erodes the auditor's confidence in the rest of the ISMS. The recurring findings:
- No records for new joiners or contractors. Fix: make security onboarding a blocking step in the joiner workflow, owned by HR rather than goodwill.
- Staff cannot articulate their responsibilities (the corridor test). Fix: shorter, more frequent messaging beats one annual deep-dive nobody remembers.
- One-off training with no refresh cycle. Fix: put the cadence in the training plan and put the dates in the calendar.
- No effectiveness measurement. Fix: quiz scores at minimum; ideally a regular phishing test for employees with trend reporting.
- Consequences of nonconformity never communicated. Fix: state them in the policy and the training, and have people acknowledge both.
- Training content outdated after policy changes. Fix: version your content and tie updates to the policy review cycle.
One program, three frameworks: ISO 27001, NIS2 and DORA
If ISO 27001 is your first framework, design the awareness program so its records satisfy the next regulations in line. The EU's NIS2 Directive (2022/2555) requires basic cyber hygiene practices and cybersecurity training, and DORA (Regulation 2022/2554) makes ICT security awareness programs compulsory staff training modules for financial entities. The same training plan, completion logs and simulation metrics can serve all three.
| Requirement | ISO 27001:2022 | NIS2 | DORA |
|---|---|---|---|
| All-staff awareness training | Clause 7.3 + Control A.6.3 | Art. 21(2)(g) - cyber hygiene and training | Art. 13(6) - compulsory training modules |
| Management training | Clause 7.3 applies to everyone; Clause 5.1 leadership | Art. 20(2) - management body training | Art. 13(6) includes senior management |
| Role-specific depth | A.6.3 - relevant to the job function | Risk-based under Art. 21 | Art. 13(6) - complexity matches the role |
| Contractors and third parties | Clause 7.3 - persons working under the organization's control | Supply-chain measures, Art. 21(2)(d) | Art. 30(2)(i) - ICT providers in training where appropriate |
| Effectiveness evidence | Clause 9.1 - monitoring and evaluation | National decrees require documented evaluation (e.g. SK, CZ) | Continuous learning under Art. 13 |
One program, one set of records, several reporting destinations - GDPR accountability and cyber-insurance underwriters ask very similar questions. Build the record structure once and tag each artifact with the frameworks it serves.
Next steps: build the evidence before your audit
Across Central Europe, ISO 27001 certification - ISO 27001 certifikácia, as Slovak tender documents put it - is usually the first framework an SMB adopts, because customer contracts demand it. Treat the awareness program as a contract asset, not a checkbox: a documented plan, complete records, and behavioral metrics that prove the training changes what people do.
A practical 90-day pre-audit sequence: confirm the training plan is current, close record gaps for joiners and contractors, run a baseline phishing campaign, deliver the refresher, then run a second campaign to show the trend. PhishGun's first phishing campaign is free - no credit card - and per-employee pricing is public, so you can put real effectiveness evidence in front of the auditor before the certification cycle starts.
Frequently asked questions
Do contractors need ISO 27001 awareness training?
Yes. Clause 7.3 applies to persons doing work under the organization's control, which includes contractors, temporary staff and interns working inside the ISMS scope. Auditors deliberately sample contractor records because that is where gaps usually hide. Cover contractors with the same onboarding awareness, policy acknowledgment and, where practical, the same phishing simulations as employees.
Is a signed attendance sheet enough evidence for Clause 7.3?
No. A sign-off sheet proves attendance, not awareness. Auditors corroborate records by interviewing staff and checking whether effectiveness was evaluated, as Clause 9.1 requires. Keep the sign-offs, but record the topic, date and content version, and pair them with at least one effectiveness measure - quiz scores or phishing simulation results - so records show outcomes, not just presence.
What should we do about employees who repeatedly click in phishing simulations?
Define a documented, graduated response: instant micro-training at the moment of the click, a targeted refresher after a second failure, then a conversation involving the manager. Avoid harsh punishment - it discourages incident reporting, which auditors also check. A documented repeat-clicker process is strong evidence that your improvement loop under Clause 10 actually works.
Does ISO 27001 require phishing simulations?
Not explicitly - the standard never names them. But Clause 9.1 requires you to evaluate the effectiveness of security measures, including awareness, and simulations are the most direct behavioral measurement available. In practice, many certification auditors treat regular phishing simulations with trend reporting as the strongest effectiveness evidence an awareness program can produce.
Is my older ISO 27001:2013 certificate still valid?
No. Under the IAF transition arrangement, all ISO 27001:2013 certificates expired on 31 October 2025, regardless of the date printed on them. Organizations that missed the transition are treated as new applicants and must pass a full initial certification audit against ISO 27001:2022 - including its awareness requirements in Clause 7.3 and Control A.6.3.