Most ISO 27001 training programmes are built to satisfy an auditor, not to change behaviour. Staff complete an annual e-learning module, click through the acknowledgement, and forget 80% of it within a week. The organisation ticks the box, the auditor sees a completion record, and twelve months later the phishing simulation results look exactly the same as the year before.
This is the gap that Annex A Control 6.3 is designed to close. The standard does not ask you to run training. It asks you to ensure that people actually change how they behave — that they understand the threats, recognise the risks, and know what to do when something goes wrong.
This guide explains what ISO 27001 requires, why so many programmes fall short, and how to build one that works.
What ISO 27001 Actually Requires
Training and awareness in ISO 27001:2022 sits across three requirements that are often conflated but serve different purposes.
Clause 7.2 — Competence requires you to determine the competence needed by people whose work affects information security, ensure those people are competent (through education, training or experience), and where necessary, take action to acquire the competence needed. Competence is a higher bar than awareness — it means someone can actually perform a security-relevant task correctly, not merely that they know it exists.
Clause 7.3 — Awareness requires that people doing work under the organisation’s control are aware of: the information security policy; their contribution to the effectiveness of the ISMS, including the benefits of improved information security; and the implications of not conforming with the ISMS requirements. This is the baseline — every member of staff, contractor and relevant third party must have this awareness.
Annex A 6.3 — Information security awareness, education and training requires that personnel and relevant interested parties receive appropriate awareness education and training, and regular updates of the organisation’s information security policies and procedures relevant to their job function.
Together, these three requirements describe a layered programme: a baseline of policy awareness for everyone, specific competence development for roles with security responsibilities, and ongoing updates as policies and threats evolve.
Why Most Programmes Fail
Annual e-learning completion is not an awareness programme. It is a record-keeping exercise dressed up as one.
The problems are well understood in the security awareness field. One-off training produces short-term knowledge gain and rapid decay — research consistently shows that retention falls sharply within days of a training event without reinforcement. Compliance-framed training (“you must do this or face disciplinary action”) produces resentment rather than engagement. Generic content that bears no relation to actual threats staff encounter produces low attention and low retention.
The organisations with genuinely effective awareness programmes share a few characteristics. They deliver training in short, frequent bursts rather than one long annual session. They make the content relevant — using real examples from their sector, their actual systems, and the threats their people actually encounter. They use practical exercises rather than passive consumption. And they measure whether behaviour has changed, not just whether training has been completed.
If your phishing simulation click rate is the same after three years of annual training, the training is not working. That is a data point, not a judgement — and it is the data point that should drive a change in approach.
The Two Layers: All-Staff and Role-Based
A proportionate, effective awareness programme has two layers.
Figure: ISO 27001 Training Programme Structure (four layers, each addressing a different requirement and a different audience). Figure labels: policy acknowledgement on update; short, targeted sessions rather than 45-minute modules; certifications where applicable; competence assessments; incident self-report rate (trending up?); completion rate (target: 100%); signed AUP retained in records; no system access until induction complete.
Layer 1: All-Staff Baseline
Every person working under your organisation’s control — employees, contractors, temporary staff, relevant third parties — needs the baseline awareness that Clause 7.3 requires. This covers:
The information security policy — not a recitation of the full document, but a genuine understanding of what the organisation’s approach to information security is, why it matters, and what it means for them personally.
Their role in protecting information — staff are not passive recipients of security controls. They are active participants. They are the ones who decide whether to click the link, whether to share the password, whether to challenge the person who tailgates behind them through the secure door. They need to understand this.
What happens when things go wrong — the implications of not following security requirements, both for the organisation and potentially for themselves. This is not about fear — it is about consequence. And critically, they need to know what to do: who to call, how to report an incident, what not to do (cover it up, try to fix it themselves).
Common threats in practical terms — phishing, social engineering, password security, device security, clean desk, data handling. These should be illustrated with examples that feel real, not abstract.
The format and frequency of all-staff awareness matters. A 45-minute annual e-learning module is unlikely to produce lasting behaviour change. A shorter annual module combined with monthly security tips, quarterly phishing simulations, and periodic communications on current threats is significantly more effective — and the individual components are not large efforts to produce.
Layer 2: Role-Based Training
Beyond the baseline, certain roles require specific competence in security-relevant areas. Clause 7.2 addresses this. Common examples:
IT and technical staff need competence in secure configuration, vulnerability management, access control administration, incident response, and the technical controls relevant to their systems. This is not adequately covered by all-staff awareness training — it requires specific technical training, typically from specialist providers or through professional certifications.
Management and ISMS owners need to understand the ISMS as a management system: how to conduct or oversee internal audits, how to run a management review, how to interpret security metrics, and what their obligations are as control owners. They also need to model the right behaviours — a management team that ignores clean desk or uses personal devices without restriction will quickly undermine a broader awareness programme.
Finance and accounts staff face specific threats — invoice fraud, business email compromise, payment redirection scams — that warrant dedicated training beyond the general phishing awareness content in the all-staff module.
HR staff handle significant volumes of sensitive personal data and are involved in the onboarding and offboarding processes that carry significant security risk. Role-specific training on data handling, access provisioning and leaver processes is appropriate.
New starters require induction-level security awareness before or immediately on joining, not three months after when they have already developed habits. Security should be part of the onboarding experience from day one.
Designing the Content
Content that changes behaviour shares a few characteristics regardless of format.
Make it relevant. A generic slide deck about phishing looks nothing like the actual phishing emails your staff receive. Use real examples — redacted real incidents if you have them, sector-specific examples if you do not. Staff in legal services respond better to examples involving client data. Finance staff respond better to examples involving payment fraud. Generic examples produce generic attention.
Make it practical. Tell people what to do, not just what to avoid. “Don’t click suspicious links” is less useful than “Here is how to report a suspicious email, and here is what happens when you do.” The action step is what changes behaviour.
Keep it short. Cognitive load is real. Fifteen minutes of focused, relevant content produces better retention than an hour of comprehensive but abstract material. If you have a lot to cover, break it into modules delivered over time.
Use simulation alongside training. Phishing simulations are the most direct measurement tool available — they tell you who clicks, who reports, and whether your training is producing the right response. Run them regularly (quarterly is common), vary the templates, and use the results to target additional training at those who need it rather than putting everyone through the same content again.
Communicate regularly between training events. Short security updates — one topic, one page, one email — sent monthly keep security visible without demanding significant attention. A brief monthly security bulletin covering a current threat or a recent relevant incident in your sector is significantly more effective than silence punctuated by one annual training event.
Building the Evidence Trail
ISO 27001 requires documented information as evidence that training has taken place. An auditor reviewing your training and awareness programme will typically ask for:
Training completion records — who completed what training, when, and with what outcome. If training includes an assessment, the scores are useful evidence. For e-learning platforms, completion reports are standard. For in-person training, a register of attendees is equivalent.
Training content — what the training covered. A copy of the e-learning module, the slide deck from an awareness session, or the agenda for a training event. This allows the auditor to assess whether the content is appropriate, not just that something happened.
Phishing simulation results — if you run simulations, the results are valuable evidence of both the measurement process and the trend over time. A graph showing click rate declining over multiple simulations is compelling evidence that your programme is working.
New starter training records — specific evidence that new joiners complete security induction before or on joining. This is a common gap — organisations have a training programme for existing staff but cannot demonstrate that new starters complete it promptly.
Role-based training records — for IT staff, evidence of technical training. For the ISMS team, evidence of relevant training or certification. For management, evidence of their involvement in the ISMS beyond attending the annual management review.
Communication records — a log of security communications sent to staff. This does not need to be extensive — a simple record of dates and topics is sufficient.
Measuring Effectiveness
Control 5.35 (information security review by independent parties) and Clause 9.1 (monitoring and measurement) both push towards measuring the effectiveness of your controls — and training is a control.
The most direct metrics for awareness programme effectiveness:
Phishing simulation click and report rates — the percentage of staff who click simulated phishing links, and the percentage who report them. Both matter. A declining click rate with a rising report rate indicates the programme is working in the right direction.
Incident report volumes — if your awareness programme is effective, staff should be more likely to report suspected incidents. An increase in self-reported incidents is often a positive sign (more awareness) rather than a negative one (more incidents).
Training completion rates — not a measure of effectiveness in themselves, but a prerequisite. Less than 100% completion means some staff are not receiving the programme at all.
Assessment scores — if your training includes assessments, score trends over time show whether understanding is improving. A consistently low score on a particular topic is a prompt to revise the content or delivery.
Policy acknowledgement rates — when you update policies, tracking who has acknowledged the update closes a common audit gap and gives you a record of policy communication.
Figure: Training Evidence & Effectiveness Metrics (what to retain as documented information, and how to prove the programme is working).
Review these metrics at least annually, ideally quarterly, and report them at management review. They should drive decisions about programme content and format — not just be recorded and forgotten.
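To turn the metrics above into something a management review can act on, here is an added Python example (not from the original article) that computes per-round phishing click and report rates, classifies the trend, flags repeat clickers for targeted follow-up, and lists new starters whose induction was late. The data rows, field layout and function names are constructed for illustration.

```python
from datetime import date
# Constructed sample data (not real results): (round, user, clicked, reported).
SIMULATION_RESULTS = [
    (1, "alice", True, False), (1, "bob", True, False),
    (1, "carol", False, True), (1, "dave", False, False),
    (2, "alice", True, False), (2, "bob", False, True),
    (2, "carol", False, True), (2, "dave", False, True),
    (3, "alice", True, False), (3, "bob", False, True),
    (3, "carol", False, True), (3, "dave", False, True),
]

# Constructed joiner records: (user, start date, induction completion date or None).
NEW_STARTERS = [
    ("erin", date(2024, 3, 4), date(2024, 3, 4)),
    ("frank", date(2024, 3, 18), date(2024, 5, 2)),
    ("grace", date(2024, 4, 1), None),
]

def rates_by_round(results):
    """Map each round to (click rate %, report rate %) across all staff in that round."""
    totals = {}
    for rnd, _user, clicked, reported in results:
        n, c, r = totals.get(rnd, (0, 0, 0))
        totals[rnd] = (n + 1, c + int(clicked), r + int(reported))
    return {rnd: (100.0 * c / n, 100.0 * r / n)
            for rnd, (n, c, r) in sorted(totals.items())}

def programme_trend(results):
    """'improving' only when clicks fall AND reports rise between first and last round."""
    rates = list(rates_by_round(results).values())
    (c_first, r_first), (c_last, r_last) = rates[0], rates[-1]
    if c_last < c_first and r_last > r_first:
        return "improving"
    if c_last > c_first or r_last < r_first:
        return "worsening"
    return "flat"

def repeat_clickers(results, min_clicks=2):
    """Staff who clicked in at least min_clicks rounds: target them rather than re-running all-staff content."""
    counts = {}
    for _rnd, user, clicked, _reported in results:
        if clicked:
            counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= min_clicks)

def late_inductions(starters):
    """New starters whose induction was not complete on or before their start date."""
    return sorted(u for u, start, done in starters if done is None or done > start)
```

The same functions work unchanged on exports from a simulation platform or HR system once the rows are mapped into the tuple layouts shown.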
What Auditors Look For
When a certification body auditor reviews your training and awareness programme, they will ask:
- Can you show me your training completion records for the past year?
- What training do new starters receive, and when?
- What training do IT staff and the ISMS team receive beyond the all-staff module?
- How do you know the training is effective?
- What do you do when someone fails to complete training?
The most common gaps found at audit:
New starters completing training late or not at all — the onboarding process does not reliably trigger security training, so people join and start working without completing it.
No evidence of role-based training — the IT team is assumed to know what they are doing, but there is no documentation of training, certifications or competence assessment.
Completion rates below 100% with no follow-up — training is available, some staff have not completed it, and nothing happens as a result. An auditor will note that the control is incomplete if a proportion of staff have not received the required awareness training.
No measurement of effectiveness — training happens, records are kept, but there is no evidence of whether it is working.
FAQs
Does ISO 27001 specify what format training must take?
No. The standard requires appropriate awareness education and training but does not specify format, frequency or duration. E-learning, in-person sessions, workshops, videos, newsletters and simulations are all valid approaches. What matters is that the content is appropriate to the audience, covers the required topics, and is effective — meaning it actually influences behaviour rather than merely producing a completion record.
How often does training need to happen?
The standard requires regular updates, but does not define a frequency. Annual all-staff training is the minimum most organisations implement, but this is rarely sufficient on its own to maintain awareness. Most certification bodies will expect to see at least annual formal training supplemented by ongoing awareness activities. If your only evidence is a once-a-year e-learning module, expect the auditor to probe whether this constitutes an adequate programme.
Do contractors and temporary staff need to complete our training?
Yes, if they work under your organisation’s control. Clause 7.3 applies to “persons doing work under the organisation’s control,” which includes contractors with access to your systems or data. This is a common gap — permanent staff have a robust training record while contractors who have had access for years have completed nothing. Your onboarding process for contractors should be equivalent to that for permanent staff.
What should we do if someone repeatedly fails to complete required training?
This is both a process and a culture question. Practically, you need a process for chasing non-completion — automated reminders, escalation to line managers, and ultimately a documented consequence for non-compliance. Annex A 6.4 (disciplinary process) provides the framework for this. An auditor who sees that 15% of staff have not completed training and nothing has been done about it will note this as a gap in your programme.
Our staff say the training is boring — what can we do?
This is the right problem to be solving. Boring training produces low attention, low retention, and resistance. Practical improvements that do not require significant budget: shorten the sessions, use real-world examples relevant to your sector, add interactive elements or short assessments, and vary the delivery method. Phishing simulations with immediate, non-punitive feedback are often more engaging than passive e-learning because they are personal and immediate. If budget allows, platforms like KnowBe4, Proofpoint Security Awareness or similar provide professionally produced content with sector-specific examples and built-in simulation tools.