
ISO 27001 Clause 7.3: Awareness

27kay

Clause 7.3 requires that everyone working under your organization’s control is aware of three things: the information security policy, their contribution to the ISMS, and what happens when they do not follow the rules. This is the clause that turns your security policy from a document nobody reads into something every employee can reference and act on. Without awareness, even well-designed controls fail because people do not know they exist.

What the clause requires

ISO 27001:2022 Clause 7.3 states that persons doing work under the organization’s control shall be aware of:

a) The information security policy. Not just that it exists - people need to know what it says and how it applies to their work. If your policy commits to protecting customer data, employees should understand what that means for how they handle data day to day.

b) Their contribution to the effectiveness of the ISMS, including the benefits of improved information security performance. People need to understand that their actions directly affect information security outcomes. A developer who writes secure code, an HR manager who follows data handling procedures, a support agent who verifies identity before sharing account details - each contributes to the ISMS.

c) The implications of not conforming with ISMS requirements. People need to know what happens when they do not follow security procedures. This covers both organizational consequences (disciplinary measures, access revocation) and broader impacts (data breaches, regulatory penalties, loss of customer trust).

Awareness is different from competence. Competence (Clause 7.2) is about having the specific skills to perform a security function. Awareness is about everyone understanding the security environment they work in. Your ISMS manager needs competence to run risk assessments. Your marketing intern needs awareness to avoid clicking phishing links and to know what to do if they receive a suspicious email.

How to implement awareness

What awareness actually looks like

For a 20-person SaaS company, awareness implementation typically includes:

  • Onboarding session - every new employee reads and acknowledges the information security policy within their first week. This is not a signature on a form nobody reads. Walk new hires through the policy and explain how it connects to their specific role.
  • Annual refresher training - a focused session (30-60 minutes) covering the current security policy, any changes since last year, common threats the organization faces, and what to do when something goes wrong. This is where you cover phishing recognition, password expectations, and incident reporting.
  • Regular communications - short, targeted reminders throughout the year. A Slack message after a relevant industry breach. A brief update when a policy changes. A quarterly reminder about the reporting channel for security concerns.
  • Phishing simulations - periodic simulated phishing emails to test and reinforce awareness. Track results over time - click rates dropping from 25% to under 5% is a meaningful metric that demonstrates the awareness program is working. Track the report rate alongside the click rate: a falling click rate with nobody reporting the email shows people are ignoring it, not that they know what to do with it.

The key distinction from a security awareness training program is scope. Clause 7.3 does not require an extensive training platform with gamification and leaderboards. It requires evidence that people are aware of the three things listed above. A well-run onboarding session plus annual refresher plus regular communications often satisfies the clause.

Evidence to retain

Like most ISO 27001 requirements, you need documented evidence that awareness activities happened:

  • Policy acknowledgment records (signed or digital) for every employee
  • Training attendance logs with dates and topics covered
  • Phishing simulation results and trend data
  • Communications sent (emails, Slack messages, newsletter items about security topics)
  • Records of new hire onboarding security sessions

Store this evidence in your document management system or compliance platform. Auditors will sample it during certification and surveillance visits.

Connecting 7.3 to the rest of your ISMS

Clause 7.3 sits in the support cluster (Clause 7) between competence (Clause 7.2) and communication (Clause 7.4). Together with resources (Clause 7.1) and documented information (Clause 7.5), they ensure the ISMS has the people, skills, knowledge, records, and communication channels to function.

Clause 5.2 connection. The security policy is the first thing people must be aware of under Clause 7.3. If your policy is a 30-page document written in legal language, awareness becomes difficult. A clear, concise policy makes awareness achievable.

Clause 7.2 connection. Competence and awareness serve different purposes but are often delivered together. Your annual security session can cover both awareness topics (policy, roles, consequences) and competence elements (role-specific training). The difference matters for auditors: competence evidence shows people can do their security job, awareness evidence shows everyone knows the basics.

Clause 5.1 connection. Leadership commitment includes ensuring the ISMS achieves its intended outcomes. If employees are not aware of basic security expectations, those outcomes are at risk. Leadership visibly supporting awareness - attending training sessions, reinforcing messages - signals that security matters.

Clause 6.1 connection. Your risk assessment may identify human-error risks that awareness directly mitigates. Phishing susceptibility, mishandling of sensitive data, or failure to report incidents are all risks where awareness is the primary control.

What auditors check

Auditors assess Clause 7.3 through documentation review and interviews. Both matter.

Policy awareness across roles. Auditors ask random employees - not just the security team - whether they know the information security policy exists, where to find it, and what it says. If a developer or finance team member cannot describe the organization’s key security commitments, that is a finding.

Evidence of awareness activities. Auditors want to see that you ran awareness activities and that people participated. Training attendance records, policy acknowledgment logs, and phishing simulation reports all serve as evidence. Missing records for specific employees are flagged.

Understanding of consequences. Auditors ask employees what would happen if they violated security procedures. The answer does not need to be word-perfect, but people should understand that non-conformance has consequences - both for the organization and for themselves.

New hire coverage. Auditors check whether awareness is part of onboarding. If someone joined six months ago and has no record of security awareness onboarding, auditors will raise it. Every person working under the organization’s control - including contractors - should have awareness evidence.

Ongoing nature. A single training session from two years ago does not satisfy the clause. Auditors look for evidence that awareness is maintained over time - annual refreshers, regular communications, or updated training content that reflects current threats.
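The evidence checks above (missing records for specific employees, new hires with no onboarding record, refreshers that have lapsed, contractors left out) can be run before the auditor does. The following is an added example, not code from the article or from 27kay: a small audit over an awareness evidence ledger that flags exactly those gaps. The roster, the records, the record kinds and the two thresholds (a 7-day onboarding window and a 365-day refresher interval) are constructed assumptions for the example, not figures from the standard; set them to whatever your own policy commits to.

```python
"""Awareness evidence gap check (added example, not from the article or 27kay).

Flags the gaps an auditor samples for under Clause 7.3: no policy
acknowledgment, a lapsed acknowledgment or refresher, a new hire past the
onboarding window with no session, and contractors with no records at all.
All data and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

ONBOARDING_WINDOW_DAYS = 7     # assumption: acknowledgment and onboarding session in week one
REFRESHER_INTERVAL_DAYS = 365  # assumption: annual refresher and re-acknowledgment


@dataclass(frozen=True)
class Person:
    person_id: str
    name: str
    kind: str                        # "employee" or "contractor": both are in scope
    start_date: date
    end_date: Optional[date] = None  # None: still working under the organization's control


@dataclass(frozen=True)
class Record:
    person_id: str
    kind: str                        # "policy_ack" or "training"
    occurred_on: date
    topic: str                       # e.g. "onboarding", "annual refresher", "policy v4"


def find_gaps(people, records, as_of):
    """Return (person_id, finding) pairs for everyone in scope on as_of."""
    findings = []
    for p in people:
        if p.end_date is not None and p.end_date < as_of:
            continue  # leavers are out of scope; their records stay for the audit trail
        mine = [r for r in records if r.person_id == p.person_id]
        acks = sorted(r.occurred_on for r in mine if r.kind == "policy_ack")
        trainings = sorted(r.occurred_on for r in mine if r.kind == "training")
        # A new hire still inside the onboarding window is not a finding yet.
        in_window = (as_of - p.start_date).days <= ONBOARDING_WINDOW_DAYS

        if not acks:
            if not in_window:
                findings.append((p.person_id, "missing_policy_ack"))
        elif (as_of - acks[-1]).days > REFRESHER_INTERVAL_DAYS:
            findings.append((p.person_id, "stale_policy_ack"))

        if not trainings:
            if not in_window:
                findings.append((p.person_id, "missing_onboarding"))
            continue
        if (trainings[0] - p.start_date).days > ONBOARDING_WINDOW_DAYS:
            findings.append((p.person_id, "late_onboarding"))
        if (as_of - trainings[-1]).days > REFRESHER_INTERVAL_DAYS:
            findings.append((p.person_id, "stale_training"))
    return findings


# Constructed sample data: a small SaaS team checked on an assumed audit date.
AS_OF = date(2025, 6, 30)
PEOPLE = [
    Person("e1", "Ana", "employee", date(2023, 1, 9)),
    Person("e2", "Ben", "employee", date(2024, 12, 2)),
    Person("e3", "Cara", "employee", date(2022, 3, 1)),
    Person("c1", "Dev", "contractor", date(2025, 1, 6)),   # contractor, no records at all
    Person("e4", "Eli", "employee", date(2025, 6, 26)),    # started four days ago
    Person("e5", "Fay", "employee", date(2020, 5, 4), end_date=date(2024, 11, 29)),
]
RECORDS = [
    Record("e1", "training", date(2023, 1, 11), "onboarding"),
    Record("e1", "policy_ack", date(2025, 1, 15), "policy v4"),
    Record("e1", "training", date(2025, 1, 15), "annual refresher"),
    Record("e2", "policy_ack", date(2024, 12, 20), "policy v4"),
    Record("e2", "training", date(2024, 12, 20), "onboarding"),   # 18 days after start
    Record("e3", "training", date(2022, 3, 3), "onboarding"),
    Record("e3", "policy_ack", date(2024, 3, 5), "policy v3"),    # lapsed
    Record("e3", "training", date(2024, 3, 5), "annual refresher"),
    Record("e5", "policy_ack", date(2020, 5, 6), "policy v1"),    # leaver, ignored
]

if __name__ == "__main__":
    for person_id, finding in find_gaps(PEOPLE, RECORDS, AS_OF):
        print(f"{person_id}: {finding}")
```

Run against the sample data this reports Ben's late onboarding, Cara's lapsed acknowledgment and refresher, and the contractor with no records; Eli is inside the onboarding window and Fay has left, so neither is a finding. Feed it an export from your HR system and training log rather than the constructed lists to get the same report for your own team.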

Common mistakes to avoid

Treating awareness as an annual checkbox. Running a single 30-minute session once a year and forgetting about security for the remaining 364 days is the minimum viable approach - and auditors can tell. Supplement annual training with regular touchpoints throughout the year. Even brief, informal reminders keep security visible.

Generic off-the-shelf training with no organizational context. A video about phishing threats is useful, but if it does not reference your organization’s actual policies, reporting channels, and incident response procedures, it misses the point of Clause 7.3. Customize at least part of your awareness content to your specific ISMS.

No metrics to show effectiveness. If you cannot demonstrate that awareness is improving over time, you have activity without outcomes. Track at least one metric - phishing simulation click rates, policy quiz scores, or incident reporting frequency. Downward phishing click trends and upward reporting trends show your program works.

Excluding contractors and part-time staff. The clause applies to “persons doing work under the organization’s control” - not just full-time employees. Contractors, freelancers, and outsourced teams who access your systems or handle your data need awareness too. Include them in your program or verify their own organization provides equivalent awareness.

Confusing awareness with competence. Awareness answers “do people know the rules?” Competence answers “can people perform their security responsibilities?” Sending your ISMS manager to a policy awareness session does not give them the skills to manage the ISMS. Keep the two distinct in your documentation and evidence.

How 27kay can help

We help organizations build awareness programs that satisfy Clause 7.3 without becoming a bureaucratic exercise. As part of ISO 27001 implementation, we set up the awareness framework - onboarding materials, annual training structure, and evidence collection - tailored to your team size and culture. For the full picture, see our ISO 27001 knowledge hub.

Want to know if your awareness program meets auditor expectations? Get in touch - we will review what you have and tell you what needs to change.