What ISO 27001:2022 control 6.3 requires on awareness and how to prove it



The October 2022 revision of ISO/IEC 27001 fully reorganized Annex A, and the window for certified organizations to migrate from the 2013 version closed on 31 October 2025. Anyone certifying or renewing today does so on the new version. In that reorganization, the awareness control changed its number, its grouping and, above all, its evidentiary bar.

This piece does not explain what ISO 27001 is or how to get certified. It assumes you already have that covered. It focuses on something narrower, namely what control 6.3 says about staff awareness, what changed compared to 2013, and what an organization has to be able to show once the auditor starts asking for evidence.

What does control 6.3 of ISO 27001:2022 require on awareness?

Control 6.3 of Annex A, «Information security awareness, education and training», requires that all of the organization’s personnel (and, where relevant, the third parties involved) receive adequate, up-to-date training on the security policies and on their role within them. It sits inside the People theme, one of the four groupings of the new standard.

The weight is carried by three phrases in the wording. «Adequate» means the content has to match each person’s function and the real risks of the role, not a generic syllabus. «Up-to-date» means the training keeps pace with changes in policies and in the threat landscape. And «all personnel» closes the door on programs that only reach part of the workforce. The control describes a living process, sustained over time and revisited whenever the context changes.

Control 6.3 does not stand alone either. It rests on control 6.2, which governs the terms and conditions of employment, and on the security policies that management approves under control 5.1. Training is the mechanism by which those policies stop being a document and become behavior. An auditor reviewing 6.3 almost always checks, in parallel, that there is a policy the training refers to and that the policy is current.

Who is covered by control 6.3 training?

All of the organization’s personnel, regardless of function or seniority, and third parties with access to information or systems where that access warrants it. The control does not allow the logic of training only the technical teams or those who handle sensitive data. Awareness is understood as a layer of protection that covers the entire organization.

Three groups are worth treating separately, because they are the ones the auditor reviews in most detail. General staff need a common baseline on policies, common threats and how to report an incident. Higher-exposure roles, such as systems administration, finance or customer service, require content specific to the risks of their function. And management falls into a category of its own, because it approves the policies and answers for them, so its training has to go beyond the general message. Leaving the leadership layer out of the program is one of the gaps an audit detects fastest.

What changed between ISO 27001:2013 and the 2022 version on awareness?

The underlying requirement did not transform, but its placement and its reading did. In 2013, awareness lived in control A.7.2.2, within a domain dedicated to human resources. In 2022 it became control 6.3 of the People theme, a reorganization that brings it closer to other controls on behavior and individual responsibility.

Aspect                    ISO 27001:2013                       ISO 27001:2022
Awareness control         A.7.2.2                              6.3
Grouping                  Domain 7, human resource security    People theme
Total Annex A controls    114                                  93 (11 of them new)
Annex A structure         14 domains                           4 themes

The change that matters most for an awareness program is not in the text of 6.3, but in the context. The 2022 version added new controls oriented toward conduct and the use of technology, and that raises the auditor’s expectation of what «raising awareness» means. Showing that people know is no longer enough when the standard, as a whole, turns toward being able to show that people act differently.

How is compliance with control 6.3 evidenced in an audit?

An auditor is not satisfied with seeing that a course exists; they ask for a trail. The evidence that supports control 6.3 usually rests on these elements:

  • A record of who received training, when and on what, covering the whole workforce and not a sample.
  • Content explicitly tied to the organization’s policies and to the risks of each function.
  • A defined cadence sustained over time, not a single course at the moment of onboarding.
  • Proof of comprehension, such as assessments or simulation results, that goes beyond mere attendance.
  • Evidence that management and the highest-exposure profiles received training matched to their responsibility.

The weakest point is almost always the same: the organization has the activity, but it does not have the traceability. That is why it pays to design the program from the start around what data will be recorded, an idea we develop in whether your awareness program is measuring what matters. The same evidence principle appears in other European regulations, such as the training obligations set out in the NIS2 Directive.
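The traceability gap described above is easy to find before the auditor does, provided the program records the right fields. The following is an added example, not code from the article or from SMARTFENSE: it takes a constructed HR roster (including a contractor with admin access) and a constructed training log, and reports the gaps each evidence element above would expose. The field names (id, role, module, policy_version, score) and the module naming scheme are assumptions to map your own exports onto.

```python
"""Traceability check for ISO 27001:2022 control 6.3 evidence.

Added example, not from the original article. The data below is
constructed; the field names and module names are assumptions.
"""
from datetime import date, timedelta

# Constructed roster: everyone in scope, third parties included
# where they hold access to information or systems.
ROSTER = [
    {"id": "u001", "role": "general",  "management": False},
    {"id": "u002", "role": "sysadmin", "management": False},
    {"id": "u003", "role": "finance",  "management": False},
    {"id": "u004", "role": "general",  "management": True},   # approves the policy
    {"id": "c101", "role": "sysadmin", "management": False},  # contractor with admin access
]

# Constructed training log. policy_version ties content to the approved
# policy; score is None when only attendance was recorded.
RECORDS = [
    {"id": "u001", "module": "baseline",      "date": date(2025, 3, 10), "policy_version": "3.1", "score": 0.9},
    {"id": "u002", "module": "baseline",      "date": date(2025, 3, 10), "policy_version": "3.1", "score": 0.8},
    {"id": "u002", "module": "role:sysadmin", "date": date(2025, 4, 2),  "policy_version": "3.1", "score": 0.85},
    {"id": "u003", "module": "baseline",      "date": date(2024, 1, 15), "policy_version": "3.0", "score": 0.7},   # stale, old policy
    {"id": "u004", "module": "baseline",      "date": date(2025, 5, 1),  "policy_version": "3.1", "score": None},  # attendance only
    # u004 has no management module; c101 has no record at all.
]

# Assumed module naming: higher-exposure roles get a role-specific module.
ROLE_MODULES = {"sysadmin": "role:sysadmin", "finance": "role:finance"}
MANAGEMENT_MODULE = "role:management"


def latest(records, person_id, module):
    """Most recent record for a person and module, or None."""
    hits = [r for r in records if r["id"] == person_id and r["module"] == module]
    return max(hits, key=lambda r: r["date"]) if hits else None


def coverage_report(roster, records, current_policy, cadence_days, as_of):
    """Map each gap type to the ids of people who have it.

    untrained        no baseline record at all
    stale            baseline older than the cadence
    outdated_policy  baseline tied to a policy version other than the current one
    no_assessment    baseline with attendance only, no score
    role_gap         higher-exposure role without its role-specific module
    management_gap   management without the management module
    """
    cutoff = as_of - timedelta(days=cadence_days)
    keys = ("untrained", "stale", "outdated_policy", "no_assessment", "role_gap", "management_gap")
    gaps = {k: [] for k in keys}
    for p in roster:
        base = latest(records, p["id"], "baseline")
        if base is None:
            gaps["untrained"].append(p["id"])
        else:
            if base["date"] < cutoff:
                gaps["stale"].append(p["id"])
            if base["policy_version"] != current_policy:
                gaps["outdated_policy"].append(p["id"])
            if base["score"] is None:
                gaps["no_assessment"].append(p["id"])
        role_module = ROLE_MODULES.get(p["role"])
        if role_module and latest(records, p["id"], role_module) is None:
            gaps["role_gap"].append(p["id"])
        if p["management"] and latest(records, p["id"], MANAGEMENT_MODULE) is None:
            gaps["management_gap"].append(p["id"])
    return gaps


def is_fully_covered(report):
    """True only when every gap list is empty."""
    return not any(report.values())


if __name__ == "__main__":
    report = coverage_report(ROSTER, RECORDS, "3.1", cadence_days=365, as_of=date(2025, 10, 31))
    for gap, people in report.items():
        print(f"{gap:16s} {', '.join(people) or '-'}")
    print("fully covered:", is_fully_covered(report))
```

Run against the constructed data the report flags the contractor as untrained, the finance user as stale, on an old policy version and missing role content, and the manager as attendance-only and missing management content. The point of the design is that every finding comes from a field the program already records, so the same report is the audit evidence; none of it has to be rebuilt by hand.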

How does a modern awareness program meet control 6.3?

Meeting 6.3 with an annual talk and a sign-in sheet is possible on paper, but it leaves the organization exposed the day the auditor pulls on the traceability thread. A program that complies without trouble shares a few traits: it is continuous rather than one-off, it segments content by role and by risk, it combines formats to hold attention, and it automatically records every interaction to turn it into evidence.

Phishing simulations play a double role here. On one hand they train the workforce’s reflex against a realistic attack; on the other, they generate the behavioral data an auditor values more than any sign-in sheet, because it shows how people react and not just what they were told. That progression measured over time is the most solid answer to whether the program changes anything.

That automation is what separates complying from being able to prove it. SMARTFENSE, as an awareness platform present across LATAM and Spain, is built around that idea: every simulation, every piece of content delivered and every assessment is recorded and available as auditable proof, without the security team having to rebuild the trail by hand before each audit. Control 6.3 stops being a race against the clock and becomes a report that already exists. You can see how it works in the SMARTFENSE awareness platform.

Awareness stopped being internal communication the day the standard turned it into an auditable control. The 2022 revision reinforced that premise by surrounding 6.3 with controls on conduct. In front of an audit, what counts is the evidence the program can put on the table, and there traceability weighs more than the number of hours delivered.

Andrea Sona

For years in the IT sector, an IT analyst by profession, in recent years specialized in cybersecurity awareness and digital training, currently collaborating with SMARTFENSE. Experienced in supporting companies and organizations in spreading a culture of information security. Passionate about innovation and technology communication, she actively contributes to the debate on digital security through educational content.
