ISO 27001 Security Awareness Requirements Explained

Many organisations pursuing ISO/IEC 27001 certification treat security awareness as a box-ticking exercise: deliver one training video a year, collect a few signatures, move on. Then the auditor asks how you know the training actually worked, and the gaps appear fast. ISO/IEC 27001:2022 does not just ask whether you trained your people, it asks whether they are competent, whether they are aware of their responsibilities, and whether you can produce the evidence to prove both.
This guide breaks down exactly where security awareness lives in the standard, what auditors expect to see, and how to build a program that survives scrutiny rather than scrambling the week before your audit.
Where Awareness Lives in ISO/IEC 27001:2022
Security awareness is not confined to a single line in ISO/IEC 27001. It is woven through the core management-system clauses and reinforced by an Annex A control. Three areas matter most:
- Clause 7.2 (Competence) requires you to determine the competence needed for roles that affect information security performance, ensure people are competent through education, training or experience, and retain documented information as evidence of that competence.
- Clause 7.3 (Awareness) requires that people doing work under your control are aware of the information security policy, their contribution to the effectiveness of the information security management system (ISMS), and the implications of not conforming with ISMS requirements.
- Annex A control 6.3 (Information security awareness, education and training) in the 2022 revision calls for personnel and relevant interested parties to receive appropriate awareness, education and training, plus regular updates of organisational policies and procedures relevant to their job function.
The distinction between clauses 7.2 and 7.3 trips up a lot of teams. Competence is role-specific capability; awareness is the baseline understanding every person needs regardless of role. Your program has to address both.
An auditor is not looking for a single training certificate. They are looking for a closed loop: you defined what people need to know, you delivered it, you confirmed it landed, and you kept the records to prove it.
What 'Ongoing' Really Means to an Auditor
The word that catches organisations off guard is ongoing. ISO/IEC 27001 frames awareness as a continual activity, not an annual event. The threat landscape shifts, your policies change, and new staff join throughout the year. A program that delivers identical content once every twelve months and never adapts is hard to defend as effective.
In practice, a defensible program tends to include:
- Awareness delivered at onboarding, before new joiners gain meaningful access to systems and data
- Regular refreshers and timely updates when policies or threats change materially
- Role-based content so that, for example, finance teams learn about invoice fraud and developers learn secure-coding basics
- A way to measure whether the message is actually changing behaviour
That last point is where many programs are weakest, and where phishing simulation earns its place. Running controlled phishing simulation campaigns gives you objective data on how your workforce responds to realistic lures, which is far more persuasive than a completion report. With empowsec, the click-rate and reporting-rate trends over time become tangible evidence that your security awareness training is improving the human layer, not just being consumed.
Evidencing Your Program for Certification
ISO/IEC 27001 is explicit that documented information must be retained. When the auditor sits down, the difference between a smooth assessment and a painful one is almost always the quality of your records. Aim to be able to produce, on request:
- The awareness policy or plan describing what is delivered, to whom, how often, and why
- Training content and delivery records showing topics covered and dates
- Completion and attendance data mapped to individuals and roles
- Effectiveness evidence such as phishing simulation results, knowledge-check scores, or incident-reporting trends
- Records of review and improvement demonstrating that the program changed in response to results or new threats
That fifth item is the one that turns a static program into a continually improving one, which aligns directly with the Plan-Do-Check-Act mindset at the heart of any ISMS. If you can show an auditor that a spike in simulated phishing clicks led to targeted follow-up training, and that the next campaign showed improvement, you have demonstrated effectiveness in a way a slide deck never could.
A platform that timestamps campaigns, stores per-user results, and exports clean reports removes most of the audit-week panic. empowsec keeps this documentation and evidence for audits in one place, so assembling the awareness section of your ISMS pack is a matter of exporting reports rather than reconstructing a year of activity from memory.
Common Pitfalls That Cost Organisations a Finding
Across certification and surveillance audits, the same weaknesses recur. Watch for these:
- Treating awareness and competence as the same thing. Clauses 7.2 and 7.3 are related but distinct, and a generic all-staff video does not evidence role-specific competence.
- No coverage of contractors and third parties. Annex A control 6.3 references relevant interested parties, so people working under your control who are not employees still need appropriate awareness.
- Measuring delivery but not effect. Completion rates prove people opened the training; they do not prove behaviour changed.
- Stale content. Material that never references current threats undermines the claim that the program is ongoing and responsive.
- Records that cannot be reconstructed. If evidence lives in scattered spreadsheets and inboxes, expect a difficult audit.
None of these are hard to fix, but each is a realistic route to a nonconformity if left unaddressed.
The official standard text is available from the International Organization for Standardization at iso.org, and it remains the authoritative reference for the precise wording of every clause and control.
Building a Program That Improves Year on Year
The strongest awareness programs are not the ones with the slickest content; they are the ones that demonstrably get better over time. ISO/IEC 27001 rewards that trajectory, because the standard is built around continual improvement. A program that can show measurable progress, and the decisions that drove it, is far easier to defend than one that simply repeats.
A practical operating rhythm looks like this across a year:
- Establish a baseline. Run an initial phishing simulation and knowledge check so you know where your workforce actually stands, rather than assuming. This baseline becomes the reference point your auditor can see you improving against.
- Deliver targeted education. Use the baseline to prioritise topics and roles, focusing effort where susceptibility is highest instead of spreading generic content evenly.
- Re-test and compare. Subsequent campaigns reveal whether click rates are falling and reporting rates rising. The trend, not any single number, is the evidence of effectiveness.
- Review and adjust. At least annually, and whenever threats or policies shift, review the program, document what changed, and feed the outcome back into the next cycle.
This loop maps cleanly onto the management-review and continual-improvement expectations that run through an ISMS. It also gives leadership a genuine risk signal rather than a vanity metric. When the security committee can see that simulated phishing susceptibility dropped over three quarters, the awareness program stops looking like a cost centre and starts looking like a control that works.
empowsec supports this rhythm directly: schedule recurring simulations, deliver follow-up training automatically to those who need it, and capture the per-campaign trend lines that make improvement visible. The result is a program you can run on autopilot between reviews, with the evidence assembling itself as you go rather than being reconstructed at audit time.
Key Takeaways
Security awareness under ISO/IEC 27001:2022 is a continual, evidenced discipline, not an annual formality. To stay on the right side of your auditor:
- Address competence and awareness separately per clauses 7.2 and 7.3, with role-based content where it matters
- Treat the program as ongoing, with onboarding training, refreshers, and updates tied to changing threats and policies
- Cover contractors and relevant third parties, not just direct employees, in line with Annex A control 6.3
- Measure effectiveness, not just delivery, using phishing simulation and reporting trends as objective evidence
- Retain clean, exportable records so assembling your ISMS evidence pack is straightforward rather than a last-minute scramble
Build the loop once, run it consistently, and certification becomes a demonstration of something you already do well rather than a project you bolt on at the deadline.


