ISO 27001 Clause 7.3 requires you to ensure staff are "aware." Unlike other standards, ISO distinguishes between being skilled (competent) and being aware.
Competence vs. Awareness
Clause 7.2 (Competence)
- Focus: Skills
- Example: Admin knows how to configure a firewall
- Verified By: Certifications, Degrees
Clause 7.3 (Awareness)
- Focus: Culture & Why
- Example: Staff knows not to prop doors open
- Verified By: Interviewing random staff
The "Interview" Test
The Audit Reality
Recommended Framework
- Induction Training: Covers the policy immediately upon hire.
- Regular Refreshers: Keeps the "implications of non-conformance" fresh.
- Phishing Simulations: Demonstrates that you are actively testing awareness levels (part of the "Check" phase of Plan-Do-Check-Act).
Conclusion
ISO 27001 certification tells the world you manage risk seriously. A robust awareness program is the visible proof that this management extends to your culture, not just your documentation.
