ISO 27001:2022 Annex A Control 6.3

Information Security Awareness, Education, and Training

Book a demo

business,people,working,in,conference,room

What is ISO 27001:2022 Annex A 6.3?

ISO 27001:2022, Annex A 6.3, Information Security Awareness, Education, and Training, stresses the need for staff to receive suitable instruction in info security, including regular policy refreshers pertinent to their roles.

Information Security Awareness, Education and Training Explained

Information security awareness, education, and training (IT security awareness) involves informing users of the significance of information security and inspiring them to enhance their computer security practices.

Users must be advised of the potential security risks associated with their activities and educated on how to guard against them.

Information security awareness, education and training are essential to any organisation’s success. All personnel must comprehend the significance of information security and the consequences it has for everyone.

The greater the comprehension of staff as to how to shield themselves from cyber dangers, the more secure your organisation will be.

What Is the Purpose of ISO 27001:2022 Annex A 6.3?

The goal of ISO 27001:2022 Annex A 6.3 is to guarantee that personnel and pertinent stakeholders are informed of and suitably educated to meet their info security obligations.

ISO 27001:2022 Annex A 6.3 details the range of activities necessary to ensure personnel possess the knowledge and abilities necessary to operate in the organisation’s information security framework. Primarily, this Annex A Control focuses on raising awareness of the significance of information security, advocating good practice, and encouraging conformity to relevant policies and regulations.

Annex A 6.3 Explained

Information security education, awareness, and training are essential components of an organisation’s risk management strategy and should be incorporated into the security policy. By providing employees with the knowledge and tools they need, organisations can ensure that their security measures are effective.

ISO 27001:2022 Annex A 6.3 outlines the necessity for businesses to have an information security awareness program to grant all personnel the appropriate knowledge and abilities to safeguard information resources. It gives advice regarding what should be included in a productive awareness program.

The organisation might need to provide security awareness training at least once a year, or as the risk assessment dictates, to all personnel with access to sensitive information assets or information systems that store, process, or transmit sensitive data.

What Is Involved and How to Meet the Requirements

Organisations must implement a process that ensures employees are adequately trained to perform their job duties safely and securely, without compromising information security. Training can be conducted in sessions, or through online resources such as videos or webinars. Annex A 6.3 dictates this.

Information security awareness, education, and training programmes should be developed in line with the organisation’s policy, topic-specific policies, and relevant security procedures. This should consider the information that needs protecting and the security controls in place to protect it, and should take place regularly.

Introducing awareness, education, and training to both new employees and those transitioning to roles needing different levels of security is beneficial.

An awareness campaign should comprise multiple activities to heighten understanding. This could involve campaigns, booklets, posters, newsletters, websites, information sessions, briefings, e-learning modules and e-mails.

Per Annex A 6.3, this program should encompass:

  • Management is devoted to ensuring information security across the organisation.
  • Familiarity with, and adherence to, the relevant information security procedures, including the security policy and any additional policies, regulations, laws, contracts and agreements concerning information security.
  • Personal accountability for one’s own actions and inaction’s, responsibility for protecting information belonging to the organisation and its stakeholders; this is essential.
  • Basic security procedures like information security event reporting (see Annex A 6.8) and baseline controls such as password security should be adhered to.
  • Information security contact points and resources, including additional information security awareness materials.

Changes and Differences from ISO 27001:2013

ISO 27001:2022 is not an entirely novel control. This version of ISO 27001, published in October 2022, updates the previous version ISO 27001:2013.

ISO 27001:2013 Annex A Control 7.2.2 lacks the attributes table and statement of purpose that are provided in ISO 27001:2022 Annex A Control 6.3.

Despite the variation in control numbers, there appears to be no other distinctions between the two Annex A Controls. While the wording of the two Annex A Controls varies, their meaning and purpose remain the same.

Annex A Control 6.3 was designed to be more user-friendly, enabling people to better understand its contents.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Organisational ControlsAnnex A 5.1Annex A 5.1.1
Annex A 5.1.2
Policies for Information Security
Organisational ControlsAnnex A 5.2Annex A 6.1.1Information Security Roles and Responsibilities
Organisational ControlsAnnex A 5.3Annex A 6.1.2Segregation of Duties
Organisational ControlsAnnex A 5.4Annex A 7.2.1Management Responsibilities
Organisational ControlsAnnex A 5.5Annex A 6.1.3Contact With Authorities
Organisational ControlsAnnex A 5.6Annex A 6.1.4Contact With Special Interest Groups
Organisational ControlsAnnex A 5.7NEWThreat Intelligence
Organisational ControlsAnnex A 5.8Annex A 6.1.5
Annex A 14.1.1
Information Security in Project Management
Organisational ControlsAnnex A 5.9Annex A 8.1.1
Annex A 8.1.2
Inventory of Information and Other Associated Assets
Organisational ControlsAnnex A 5.10Annex A 8.1.3
Annex A 8.2.3
Acceptable Use of Information and Other Associated Assets
Organisational ControlsAnnex A 5.11Annex A 8.1.4Return of Assets
Organisational ControlsAnnex A 5.12Annex A 8.2.1Classification of Information
Organisational ControlsAnnex A 5.13Annex A 8.2.2Labelling of Information
Organisational ControlsAnnex A 5.14Annex A 13.2.1
Annex A 13.2.2
Annex A 13.2.3
Information Transfer
Organisational ControlsAnnex A 5.15Annex A 9.1.1
Annex A 9.1.2
Access Control
Organisational ControlsAnnex A 5.16Annex A 9.2.1Identity Management
Organisational ControlsAnnex A 5.17Annex A 9.2.4
Annex A 9.3.1
Annex A 9.4.3
Authentication Information
Organisational ControlsAnnex A 5.18Annex A 9.2.2
Annex A 9.2.5
Annex A 9.2.6
Access Rights
Organisational ControlsAnnex A 5.19Annex A 15.1.1Information Security in Supplier Relationships
Organisational ControlsAnnex A 5.20Annex A 15.1.2Addressing Information Security Within Supplier Agreements
Organisational ControlsAnnex A 5.21Annex A 15.1.3Managing Information Security in the ICT Supply Chain
Organisational ControlsAnnex A 5.22Annex A 15.2.1
Annex A 15.2.2
Monitoring, Review and Change Management of Supplier Services
Organisational ControlsAnnex A 5.23NEWInformation Security for Use of Cloud Services
Organisational ControlsAnnex A 5.24Annex A 16.1.1Information Security Incident Management Planning and Preparation
Organisational ControlsAnnex A 5.25Annex A 16.1.4Assessment and Decision on Information Security Events
Organisational ControlsAnnex A 5.26Annex A 16.1.5Response to Information Security Incidents
Organisational ControlsAnnex A 5.27Annex A 16.1.6Learning From Information Security Incidents
Organisational ControlsAnnex A 5.28Annex A 16.1.7Collection of Evidence
Organisational ControlsAnnex A 5.29Annex A 17.1.1
Annex A 17.1.2
Annex A 17.1.3
Information Security During Disruption
Organisational ControlsAnnex A 5.30NEWICT Readiness for Business Continuity
Organisational ControlsAnnex A 5.31Annex A 18.1.1
Annex A 18.1.5
Legal, Statutory, Regulatory and Contractual Requirements
Organisational ControlsAnnex A 5.32Annex A 18.1.2Intellectual Property Rights
Organisational ControlsAnnex A 5.33Annex A 18.1.3Protection of Records
Organisational ControlsAnnex A 5.34 Annex A 18.1.4Privacy and Protection of PII
Organisational ControlsAnnex A 5.35Annex A 18.2.1Independent Review of Information Security
Organisational ControlsAnnex A 5.36Annex A 18.2.2
Annex A 18.2.3
Compliance With Policies, Rules and Standards for Information Security
Organisational ControlsAnnex A 5.37Annex A 12.1.1Documented Operating Procedures

ISO 27001:2022 People Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
People ControlsAnnex A 6.1Annex A 7.1.1Screening
People ControlsAnnex A 6.2Annex A 7.1.2Terms and Conditions of Employment
People ControlsAnnex A 6.3Annex A 7.2.2Information Security Awareness, Education and Training
People ControlsAnnex A 6.4Annex A 7.2.3Disciplinary Process
People ControlsAnnex A 6.5Annex A 7.3.1Responsibilities After Termination or Change of Employment
People ControlsAnnex A 6.6Annex A 13.2.4Confidentiality or Non-Disclosure Agreements
People ControlsAnnex A 6.7Annex A 6.2.2Remote Working
People ControlsAnnex A 6.8Annex A 16.1.2
Annex A 16.1.3
Information Security Event Reporting

ISO 27001:2022 Physical Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Physical ControlsAnnex A 7.1Annex A 11.1.1Physical Security Perimeters
Physical ControlsAnnex A 7.2Annex A 11.1.2
Annex A 11.1.6
Physical Entry
Physical ControlsAnnex A 7.3Annex A 11.1.3Securing Offices, Rooms and Facilities
Physical ControlsAnnex A 7.4NEWPhysical Security Monitoring
Physical ControlsAnnex A 7.5Annex A 11.1.4Protecting Against Physical and Environmental Threats
Physical ControlsAnnex A 7.6Annex A 11.1.5Working In Secure Areas
Physical ControlsAnnex A 7.7Annex A 11.2.9Clear Desk and Clear Screen
Physical ControlsAnnex A 7.8Annex A 11.2.1Equipment Siting and Protection
Physical ControlsAnnex A 7.9Annex A 11.2.6Security of Assets Off-Premises
Physical ControlsAnnex A 7.10Annex A 8.3.1
Annex A 8.3.2
Annex A 8.3.3
Annex A 11.2.5
Storage Media
Physical ControlsAnnex A 7.11Annex A 11.2.2Supporting Utilities
Physical ControlsAnnex A 7.12Annex A 11.2.3Cabling Security
Physical ControlsAnnex A 7.13Annex A 11.2.4Equipment Maintenance
Physical ControlsAnnex A 7.14Annex A 11.2.7Secure Disposal or Re-Use of Equipment

ISO 27001:2022 Technological Controls

Annex A Control TypeISO/IEC 27001:2022 Annex A IdentifierISO/IEC 27001:2013 Annex A IdentifierAnnex A Name
Technological ControlsAnnex A 8.1Annex A 6.2.1
Annex A 11.2.8
User Endpoint Devices
Technological ControlsAnnex A 8.2Annex A 9.2.3Privileged Access Rights
Technological ControlsAnnex A 8.3Annex A 9.4.1Information Access Restriction
Technological ControlsAnnex A 8.4Annex A 9.4.5Access to Source Code
Technological ControlsAnnex A 8.5Annex A 9.4.2Secure Authentication
Technological ControlsAnnex A 8.6Annex A 12.1.3Capacity Management
Technological ControlsAnnex A 8.7Annex A 12.2.1Protection Against Malware
Technological ControlsAnnex A 8.8Annex A 12.6.1
Annex A 18.2.3
Management of Technical Vulnerabilities
Technological ControlsAnnex A 8.9NEWConfiguration Management
Technological ControlsAnnex A 8.10NEWInformation Deletion
Technological ControlsAnnex A 8.11NEWData Masking
Technological ControlsAnnex A 8.12NEWData Leakage Prevention
Technological ControlsAnnex A 8.13Annex A 12.3.1Information Backup
Technological ControlsAnnex A 8.14Annex A 17.2.1Redundancy of Information Processing Facilities
Technological ControlsAnnex A 8.15Annex A 12.4.1
Annex A 12.4.2
Annex A 12.4.3
Logging
Technological ControlsAnnex A 8.16NEWMonitoring Activities
Technological ControlsAnnex A 8.17Annex A 12.4.4Clock Synchronization
Technological ControlsAnnex A 8.18Annex A 9.4.4Use of Privileged Utility Programs
Technological ControlsAnnex A 8.19Annex A 12.5.1
Annex A 12.6.2
Installation of Software on Operational Systems
Technological ControlsAnnex A 8.20Annex A 13.1.1Networks Security
Technological ControlsAnnex A 8.21Annex A 13.1.2Security of Network Services
Technological ControlsAnnex A 8.22Annex A 13.1.3Segregation of Networks
Technological ControlsAnnex A 8.23NEWWeb filtering
Technological ControlsAnnex A 8.24Annex A 10.1.1
Annex A 10.1.2
Use of Cryptography
Technological ControlsAnnex A 8.25Annex A 14.2.1Secure Development Life Cycle
Technological ControlsAnnex A 8.26Annex A 14.1.2
Annex A 14.1.3
Application Security Requirements
Technological ControlsAnnex A 8.27Annex A 14.2.5Secure System Architecture and Engineering Principles
Technological ControlsAnnex A 8.28NEWSecure Coding
Technological ControlsAnnex A 8.29Annex A 14.2.8
Annex A 14.2.9
Security Testing in Development and Acceptance
Technological ControlsAnnex A 8.30Annex A 14.2.7Outsourced Development
Technological ControlsAnnex A 8.31Annex A 12.1.4
Annex A 14.2.6
Separation of Development, Test and Production Environments
Technological ControlsAnnex A 8.32Annex A 12.1.2
Annex A 14.2.2
Annex A 14.2.3
Annex A 14.2.4
Change Management
Technological ControlsAnnex A 8.33Annex A 14.3.1Test Information
Technological ControlsAnnex A 8.34Annex A 12.7.1Protection of Information Systems During Audit Testing

Who Is in Charge of This Process?

This response hinges on your organisation. Many organisations’ security teams manage their information security consciousness, teaching, and training programmes. Some organisations, however, entrust the HR department or another branch to handle it.

Ensuring that somebody takes charge of formulating and executing your organisation’s security awareness program is vital. The information security manager should oversee this individual/department (if different from themselves).

This individual should possess sound knowledge of information security and be able to converse with staff regarding various security protocols. Furthermore, they should be able to create content for your training programmes and conduct recurrent training for personnel.

It is essential to comprehend that information security is not merely the duty of IT. All employees should be held accountable. Companies should create a team devoted to security, but they must also ensure everyone grasps the significance of confidentiality and reliability.

What Do These Changes Mean for You?

ISO 27001:2022 Annex A 6.3 is a revision of ISO 27001:2013 Annex A 7.2.2 and not a new Annex A Control. Consequently, most organisations won’t require to modify anything.

If you’ve already implemented the 2013 version of ISO 27001, you must evaluate whether these changes are pertinent to your company. Likewise, if you’re planning ISMS certification, you need to review your security processes to guarantee they meet the revised standard.

How ISMS.Online Helps

ISMS.online provides a comprehensive solution for ISO 27001:2022 implementation. It is a web-based platform that enables organisations to demonstrate their compliance with ISO 27001 standards through streamlined processes, procedures and checklists.

This platform not only facilitates the implementation of ISO 27001 but also provides an excellent resource for training personnel on information security best practices and documenting all efforts.

The benefits of using ISMS.Online are plentiful:

  • This platform is easy to use and can be accessed from any device.
  • It is fully adjustable to suit your requirements.
  • Custom workflows and processes to suit your business requirements.
  • Training resources to aid new staff members in attaining proficiency faster.
  • The library contains templates for various documents, including policies, procedures, plans, and checklists.

ISMS.online streamlines the implementation of ISO 27001, offering all the resources, information and tools you need in one place. Just a few clicks of your mouse are all it takes to ensure your ISMS meets the standard.

Contact us now to arrange a demonstration.

I’ve done ISO 27001 the hard way so I really value how much time it saved us in achieving ISO 27001 certification.

Carl Vaughan
Infosec Lead, MetCloud

Book your demo

Say hello to ISO 27001 success

Get 81% of the work done for you and get certified faster with ISMS.online

Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.