Information security awareness, education and training programme
Ensure everyone gets regular training and updates on information security relevant to their job.
Plain language
This control is about making sure everyone in the organisation knows how to handle information safely and securely. If people aren’t aware of their responsibilities, sensitive information could be accidentally shared or lost, leading to financial loss, damage to reputation, or legal troubles.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
People controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function.
Why it matters
Without regular security awareness and training, staff are more likely to fall for phishing or mishandle data, causing breaches, reputational harm and legal liability.
Operational notes
Deliver role-based security awareness and training at induction and regularly, track completion, and update modules when threats or policies/procedures change.
Implementation tips
- The HR manager should organise regular training sessions for all staff on information security practices, ensuring these sessions cover current company policies. Use a mix of workshops, online modules, and guest speakers to keep the content engaging and relevant.
- The IT manager should tailor additional technical training sessions for staff whose roles involve more complex data management. This can include interactive sessions on safe data handling and configuring security settings, with experts brought in as needed.
- Management needs to lead by example, showing their commitment to the programme by participating in and promoting ongoing security awareness activities. This could include addressing employees during meetings or in newsletters to highlight the importance of security practices.
- The training coordinator should assess the effectiveness of these programmes by collecting feedback and conducting quizzes after sessions. Use this information to continually improve the training content and delivery methods, as guided by the ISO 27002:2022 standards.
- The compliance officer should ensure training aligns with local regulations such as the Privacy Act 1988. They can do this by periodically reviewing training content against relevant legal requirements and capturing these changes in documentation.
Audit / evidence tips
- Ask for the organisation's information security training schedule and materials
- Ask for records of attendance at training sessions
- Ask for post-training feedback and assessment results
- Ask for examples of management communication supporting the training programme
- Ask for evidence of compliance checks against Australian regulations such as the Privacy Act 1988
Cross-framework mappings
How Annex A 6.3 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (10) | | |
| ISM-0229 | ISM-0229 requires personnel to be advised what sensitivity or classification of information is permitted to be discussed over internal an... | |
| ISM-0230 | ISM-0230 requires personnel to be advised of the security risks of using non-secure telephone systems in areas where sensitive or classif... | |
| ISM-0435 | ISM-0435 requires personnel to receive any necessary briefings before being granted access to systems and their resources | |
| ISM-0610 | ISM-0610 requires users to be trained on the secure use of Cross Domain Solutions (CDSs) before access is granted | |
| ISM-0612 | ISM-0612 requires that system administrators for gateways are formally trained on the operation and management of those gateways | |
| ISM-1298 | ISM-1298 requires that personnel are advised of privacy and security risks when travelling overseas with mobile devices | |
| ISM-1565 | ISM-1565 requires all privileged users to complete tailored privileged user cyber security training annually | |
| ISM-1644 | ISM-1644 addresses operational behaviour to prevent inadvertent disclosure during conversations in public areas | |
| ISM-2022 | ISM-2022 requires an organisation to develop, implement and maintain a cyber security awareness training register to record all awareness... | |
| ISM-2037 | ISM-2037 requires that software developers who lack sufficient cyber security knowledge and skills undertake suitable training in secure ... | |
| Partially overlaps (3) | | |
| ISM-0252 | Annex A 6.3 requires personnel and relevant interested parties to receive appropriate information security awareness, education, and trai... | |
| ISM-1602 | ISM-1602 requires cyber security documentation and changes to be communicated to all stakeholders | |
| ISM-2035 | ISM-2035 requires security roles, responsibilities and knowledge requirements to be identified and documented to support the software dev... | |
| Supports (11) | | |
| ISM-0370 | ISM-0370 requires media destruction to be performed under the supervision of at least one cleared person to reduce the risk of mishandlin... | |
| ISM-0701 | ISM-0701 requires the CISO to manage cyber security personnel, which includes ensuring staff capability and ongoing effectiveness of secu... | |
| ISM-0824 | ISM-0824 advises personnel not to send or receive files via unauthorised online file services | |
| ISM-1146 | ISM-1146 advises personnel to maintain separate work and personal online accounts for online services | |
| ISM-1554 | ISM-1554 requires personnel travelling to high or extreme risk countries to follow specific behaviours (use dedicated work devices/accoun... | |
| ISM-1864 | ISM-1864 requires a system usage policy to be created and maintained to define expected system use | |
| ISM-1998 | ISM-1998 requires the board or executive committee to ensure cyber security is integrated across all business functions | |
| ISM-2001 | ISM-2001 requires the board or executive committee to champion a positive cyber security culture by leading by example | |
| ISM-2003 | ISM-2003 requires executives to track cyber security skills and experience gaps (as well as recruitment and retention signals) to ensure ... | |
| ISM-2004 | Annex A 6.3 requires organisations to provide appropriate awareness, education and training with regular policy and procedure updates rel... | |
| ISM-2038 | ISM-2038 requires organisations to implement and maintain a register of software developers’ cyber security knowledge and skills | |
| Related (5) | | |
| ISM-0817 | Annex A 6.3 requires organisations to deliver information security awareness and training appropriate to roles, including behavioural exp... | |
| ISM-0821 | Annex A 6.3 requires role-relevant information security awareness and regular updates to policies and procedures | |
| ISM-1083 | Annex A 6.3 requires role-appropriate awareness and regular updates to information security policy and topic-specific procedures | |
| ISM-1740 | Annex A 6.3 requires an organisation-wide, role-appropriate security awareness and training programme with regular updates to relevant po... | |
| ISM-2071 | Annex A 6.3 requires the organisation to provide role-relevant information security awareness, education, and training with regular polic... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.