A single phishing email lands in a finance team member’s inbox. It mimics your payroll provider perfectly. The employee clicks, enters credentials, and within hours an attacker has access to sensitive personnel records. The root cause isn’t a firewall gap or a missing patch. It’s that nobody trained the employee to spot the attack. This is the exact failure that ISO 27001 control 6.3 exists to prevent.
What 6.3 Requires
ISO/IEC 27001:2022 6.3 is the Annex A control that requires organizations to establish and maintain a formal programme for information security awareness, education, and training across all personnel and relevant interested parties. It is not optional guidance. It is a mandatory element of your information security management system (ISMS).
The control asks you to do three distinct things. First, build awareness so every person in your organization understands basic security expectations and their personal responsibilities. Second, deliver education that builds deeper knowledge for those who need it. Third, provide hands-on training that develops practical skills matched to each person’s role.
This distinction matters. Awareness means an office manager knows not to share passwords. Education means a project lead understands why data classification policies exist and how to apply them. Training means a system administrator can configure access controls correctly and respond to a security event in real time.
The scope is deliberately broad. Full-time staff, part-time employees, contractors, and any third party with access to your information assets all fall under this control. Your programme must cover organizational security policies, role-specific duties, and the procedures for reporting incidents.
Importantly, 6.3 demands that this be ongoing. A one-time onboarding session doesn’t satisfy the requirement. You need regular updates whenever policies change, new threats emerge, or people move into different roles. The logic is straightforward: technical controls fail when the people operating them don’t understand what they’re protecting or how attackers work.
Why 6.3 Matters
Picture an organization that checks the training box once a year. Employees sit through a generic slide deck, click “complete,” and move on. Six months later, the company migrates to a new payroll system. No one briefs staff on the new login process or what legitimate emails from the new provider look like. An attacker notices the transition, crafts a convincing phishing campaign targeting the payroll team, and three employees hand over their credentials within a day.
This isn’t hypothetical. It’s the pattern behind the majority of security incidents. Verizon’s 2025 Data Breach Investigations Report found that 60% of breaches involve the human element — errors, social engineering, and misuse. The gap between your last training session and the current threat landscape is where attackers operate.
The business consequences go beyond the breach itself. Regulatory penalties under frameworks like GDPR can reach into the millions. Breach remediation costs drain budgets for months. And if an ISO 27001 certification auditor finds that your training programme is outdated or incomplete, you risk a nonconformity that can delay or block certification entirely.
Underinvesting in 6.3 doesn’t just create a compliance gap. It creates the single largest attack surface most organizations have.
What Attackers Exploit
Every failure mode below represents a gap that control 6.3 is designed to close:
- Untrained staff clicking phishing links: Without regular simulations and education, employees lack the reflexes to question suspicious emails or attachments.
- Ignorance of social engineering tactics: Pretexting, vishing, and business email compromise succeed when staff don’t know these methods exist.
- No clear reporting path: Employees who witness something suspicious but don’t know how to report it create a detection blind spot.
- New hires without security orientation: Staff who begin work before completing security onboarding operate with access but no context for using it safely.
- Unawareness of policy changes: System migrations, new vendors, and updated procedures create confusion that attackers exploit when training doesn’t keep pace.
- Unonboarded contractors and third parties: External personnel with system access but no security briefing represent an uncontrolled risk.
- Stale training content: Programmes that haven’t been updated to cover current threats like QR code phishing or AI-generated deepfakes leave staff defending against last year’s attacks.
How to Implement 6.3
Getting this control right means building a programme that adapts to your organization’s risks and reaches every person who touches your information assets. The approach differs depending on whether you’re establishing internal practices or assessing your vendors.
For Your Organization (First-Party)
Start with your cybersecurity risk assessment. The threats and vulnerabilities you’ve already identified should drive the topics your training covers. A healthcare company handling patient records has different priorities than a software firm managing source code. Let your risk register shape the curriculum.
Next, segment your audience. General staff need awareness-level content covering phishing recognition, password hygiene, and incident reporting. Technical teams need deeper training on secure development, access management, and vulnerability handling. Management needs to understand their oversight responsibilities and the business impact of security failures. Contractors need a focused briefing on your specific policies and acceptable use expectations.
Develop role-based content that maps to these segments. Use a mix of delivery channels. Learning management system (LMS) platforms like KnowBe4 or Proofpoint Security Awareness work well for scalable e-learning. Supplement with in-person sessions for high-risk teams, simulated phishing campaigns to test real-world readiness, and short awareness campaigns through internal communications.
Build triggers into your process. Every new hire should complete security training before receiving system access. Every role change should prompt a review of what additional training the new position requires. Every major policy update should trigger a targeted refresher.
Set a minimum cadence. Annual training is the floor, not the ceiling. Quarterly refreshers for roles with elevated access or exposure to sensitive data keep knowledge current. Monthly phishing simulations build recognition habits that annual tests can’t.
Measure what matters. Completion rates tell you who showed up. Phishing simulation click rates tell you who learned. Quiz scores tell you who retained the material. Incident reporting trends tell you whether the programme is changing behavior. Track all four.
Document everything. Your auditor will need to see the training plan, materials, completion records, and effectiveness data. Use an ISO 27001 implementation checklist to ensure nothing is missed. Build this documentation habit from day one rather than scrambling before an audit.
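The triggers, cadence, and metrics described above can be checked mechanically against the exports your HR system, LMS, and phishing simulation tool already produce. The script below is an added illustration, not code from the original article or from any vendor; the record layouts, role tiers, cadence values, and sample people are all constructed assumptions, so map them to your own exports before relying on the output.

```python
"""Check awareness-training records against the 6.3 rules described above.

Added example: flags access granted before first training, refreshers overdue
for a role's cadence, people with no training at all, and computes phishing
simulation click/report rates. All data and field names are constructed."""
from datetime import date

TODAY = date(2025, 7, 1)  # constructed "now" so the example is deterministic

# Constructed HR export: who they are, when system access was granted, role tier.
PEOPLE = [
    {"id": "u1", "role": "general", "access_granted": date(2025, 1, 10)},
    {"id": "u2", "role": "privileged", "access_granted": date(2025, 2, 1)},
    {"id": "u3", "role": "contractor", "access_granted": date(2025, 3, 5)},
]
# Constructed LMS export: one row per completed module.
COMPLETIONS = [
    {"id": "u1", "completed": date(2025, 1, 8)},
    {"id": "u2", "completed": date(2025, 2, 3)},  # after access: onboarding trigger missed
    {"id": "u2", "completed": date(2025, 4, 1)},
]
# Constructed phishing-simulation export: one row per lure delivered.
PHISH = [
    {"id": "u1", "clicked": False, "reported": True},
    {"id": "u2", "clicked": True, "reported": False},
    {"id": "u3", "clicked": False, "reported": False},
]
# Assumed minimum refresh cadence per role (days): annual is the floor,
# quarterly for roles with elevated access, as the text recommends.
CADENCE_DAYS = {"general": 365, "privileged": 90, "contractor": 365}


def findings(people, completions, today):
    """Return one finding string per gap found in the records."""
    out = []
    for p in people:
        done = sorted(c["completed"] for c in completions if c["id"] == p["id"])
        if not done:
            out.append(f'{p["id"]}: no training on record')
            continue
        if done[0] > p["access_granted"]:  # training-before-access trigger
            gap = (done[0] - p["access_granted"]).days
            out.append(f'{p["id"]}: access granted {gap} day(s) before first training')
        if (today - done[-1]).days > CADENCE_DAYS[p["role"]]:  # cadence check
            out.append(f'{p["id"]}: refresher overdue for role {p["role"]}')
    return out


def phishing_metrics(results):
    """Click rate and report rate as fractions of lures delivered."""
    n = len(results)
    return {"click_rate": sum(r["clicked"] for r in results) / n,
            "report_rate": sum(r["reported"] for r in results) / n}
```

Feed the findings list into your audit evidence file alongside completion rates; the four metrics the text names (completion, click rate, quiz scores, reporting trend) are what the auditor will ask to see together.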
Common mistakes to avoid:
- Treating training as an annual checkbox: Compliance-only programmes don’t reduce risk. They reduce audit findings temporarily.
- Using generic, one-size-fits-all content: Training that doesn’t reflect your industry, systems, or threat profile fails to engage and fails to protect.
- Excluding contractors and third-party personnel: Anyone with access to your systems needs training on your policies. Full stop.
- Measuring only completion rates: Knowing 95% of staff completed training tells you nothing about whether they can spot a phishing email.
- Skipping refreshers after changes: New systems, new policies, and new threats all demand updated training. Silence after change is a vulnerability.
- No executive sponsorship: Without visible management commitment, staff treat training as a low-priority interruption.
For Your Vendors (Third-Party Assessment)
When you’re assessing a vendor’s compliance with 6.3, your goal is to determine whether their people are genuinely prepared or just checking a box. Verify their alignment with third-party risk requirements under ISO 27001. Start with pointed questions in your security questionnaire:
- “Describe your security awareness training programme, including scope and frequency.”
- “How do you onboard contractors and third-party personnel on security policies?”
- “What metrics do you track to measure training effectiveness?”
Request specific evidence beyond self-attestation. Ask for their training policy document, a sample of training materials, completion rate reports broken down by department, and phishing simulation results with trend data. A mature programme will produce these without hesitation.
Watch for red flags. If a vendor has no documented training programme, that’s a fundamental gap. Training only at hire with no refreshers suggests a static approach that can’t keep up with evolving threats. Inability to provide completion metrics indicates the programme isn’t being managed. And if there’s no role-based differentiation, everyone is getting the same shallow content regardless of their access level.
Go further than the questionnaire. Request recent completion reports, not templates. Ask whether the programme was updated after their last security incident. Confirm that training topics are relevant to the data they handle on your behalf. Vendors who can demonstrate continuous improvement are far more trustworthy than those who simply assert compliance. Pair questionnaire findings with ongoing vendor risk monitoring to catch regressions between assessments.
Audit Evidence for 6.3
Auditors assessing control 6.3 expect documentation that proves your programme is defined, executed, measured, and improved. Below is the evidence you should have ready.
| Evidence Type | Example Artifact |
|---|---|
| Policy | Information Security Awareness, Education and Training Policy defining programme scope, frequency, audience segmentation, and review cadence |
| Training plan | Annual training plan specifying topics, delivery methods, target audiences, and schedules |
| Training materials | Slide decks, e-learning modules, or recorded sessions covering organizational security policies and role-specific content |
| Completion records | LMS reports showing training completion rates by department, role, and date with individual sign-off |
| Phishing simulation results | Quarterly phishing simulation reports showing click rates, reporting rates, and trend improvements |
| Effectiveness assessment | Quiz results, knowledge assessments, or post-training surveys demonstrating comprehension |
| Induction records | New hire onboarding checklists confirming security training completion before system access |
| Programme review minutes | Meeting records showing annual review of training effectiveness and content updates |
Organize this evidence before the audit — our guide on how to prepare for an ISO 27001 audit covers the full process. Auditors look for consistency between your policy, your plan, and your actual records. Gaps between what you say you do and what the evidence shows are the fastest path to a nonconformity finding.
Cross-Framework Mapping
If you’re managing compliance across multiple frameworks, 6.3 maps cleanly to several parallel controls. This saves effort when you’re building a unified training programme that satisfies more than one standard.
| Framework | Equivalent Control(s) | Coverage |
|---|---|---|
| NIST 800-53 | AT-02 (Security and Privacy Literacy Training) | Full |
| NIST 800-53 | AT-03 (Role-Based Security and Privacy Training) | Full |
| NIST 800-53 | CP-03 (Contingency Training) | Partial |
| NIST 800-53 | IR-02 (Incident Response Training) | Partial |
| NIST 800-53 | PM-13 (Security and Privacy Workforce Development) | Full |
| SOC 2 | CC1.4 (COSO Principle 4: Demonstrates Commitment to Competence) | Partial |
| CIS Controls v8.1 | Control 14 (Security Awareness and Skills Training) | Full |
| NIST Cybersecurity Framework 2.0 | PR.AT (Awareness and Training) | Full |
| DORA (EU) | Article 13.6 (ICT security awareness programmes and digital operational resilience training) | Partial |
“Full” coverage means the external control addresses the same scope as 6.3. “Partial” means it covers a subset, such as incident-specific or contingency-specific training only. Where coverage is partial, you’ll need supplementary controls from the same framework to fully satisfy 6.3’s breadth.
Related ISO 27001 Controls
Control 6.3 doesn’t operate in isolation. It connects to several other controls that together form the people-security lifecycle within your ISMS.
| Control ID | Control Name | Relationship |
|---|---|---|
| 6.1 | Screening | Pre-employment screening informs training risk level |
| 6.2 | Terms and conditions of employment | Employment agreements reference security training obligations |
| 6.4 | Disciplinary process | Consequences for non-compliance with trained security practices |
| 6.5 | Responsibilities after termination or change of employment | Training records support access revocation decisions |
| 6.8 | Information security event reporting | Training teaches staff how and when to report |
| 5.1 | Policies for information security | Training content derives from security policies |
| 5.4 | Management responsibilities | Management must support and participate in training |
| 5.10 | Acceptable use of information and other associated assets | Training covers acceptable use expectations |
When building or auditing your ISMS, review these controls alongside 6.3 to ensure your people-security practices are cohesive rather than siloed.
Frequently Asked Questions
What is ISO 27001 6.3?
ISO 27001 6.3 is the Annex A control requiring organizations to implement a formal programme for information security awareness, education, and training. It applies to all personnel, contractors, and relevant third parties with access to organizational information assets. The programme must be ongoing, role-based, and updated to reflect changes in policies, systems, and the threat landscape.
What happens if 6.3 is not implemented?
Failure to implement 6.3 leaves your organization exposed to the most common attack vector: human error and social engineering. Without a documented training programme, you risk nonconformity findings during ISO 27001 certification audits, which can delay or block certification. You also face increased likelihood of data breaches, regulatory penalties, and reputational damage.
How do you audit 6.3?
Auditors assess 6.3 by reviewing documented evidence that a training programme exists, is executed, and is measured for effectiveness. They expect to see a formal training policy, completion records from your LMS, phishing simulation results, and evidence of programme reviews. The key test is consistency: your records must show that what your policy promises is actually happening across the organization.
How UpGuard Helps
Managing your own training programme is only half the equation. You also need confidence that your vendors maintain the same standard. UpGuard gives you visibility into vendor security posture, including compliance with controls like 6.3, so you can identify gaps before they become your problem. Explore the platform to see how continuous monitoring replaces point-in-time assessments.