30 March 2026 • ISO 27001
An ISO 27001 certification is a badge of honor that shows how much your organization cares for the management and protection of sensitive information.
The standard outlines a framework for security management, including a commitment to employee awareness and training.
But getting a complete understanding of exactly what is expected of your organization can be tricky. The ISO 27001 directive consists of a lot of text. And even after reading it a couple of times over, you may still be left with questions.
In this article, we’ll explain what ISO 27001 states about security awareness, what changed in the latest 2022 revision (now fully enforced in 2026), and how you can implement ISO 27001 security awareness training within your organization. We’ve also included a comprehensive checklist to help you prepare for your next audit.
In a nutshell: what is ISO 27001?
ISO 27001 is a standard for information security management systems (often referred to as ISMS). The goal of this standard is to provide an approach to manage and protect sensitive information.
Key components of ISO 27001 are:
- Risk assessment
- Policy development
- Clear roles and responsibilities
- Awareness training
Organizations that choose to adhere to this standard are often government agencies, healthcare organizations, financial institutions, and any other organization that handles sensitive information.
Getting certified isn’t a walk in the park. It involves a rigorous audit process to check if your organization complies with the standard.
The awareness clause is the easiest one to tick off. This week.
Guardey gives every employee weekly training and generates the participation reports your auditor wants to see. Setup takes 5 minutes.
Start your free trialWhat changed in ISO 27001 for 2026?
The ISO 27001:2022 revision brought significant changes to the standard. The transition deadline was October 31, 2025, which means that as of 2026, all certified organizations must comply with the updated version. Here’s what changed and how it affects your security awareness program.
Restructured Annex A controls
The previous version (ISO 27001:2013) had 114 controls organized across 14 categories. The 2022 revision consolidated these into 93 controls across 4 themes:
- Organizational controls (37 controls)
- People controls (8 controls)
- Physical controls (14 controls)
- Technological controls (34 controls)
New controls relevant to awareness training
The 2022 revision introduced 11 new controls. Several of these directly impact security awareness training programs:
- A.5.7 – Threat intelligence: Organizations must now collect and analyze threat intelligence. Your awareness training should reflect current, real-world threats rather than generic scenarios.
- A.6.3 – Information security awareness, education, and training: This is now a standalone control (previously bundled under A.7.2.2). It explicitly requires a formal awareness program with documented evidence of its effectiveness.
- A.8.12 – Data leakage prevention: Employees must understand how data leakage occurs and how to prevent it. This needs to be part of your training content.
- A.8.23 – Web filtering: Staff should understand why certain web content is restricted and how to report suspicious websites.
- A.5.23 – Information security for use of cloud services: With cloud adoption growing, employees need training on secure cloud usage, data sharing, and access management.
What this means for your training program
If your training program was built around the 2013 version, you need to update it. Key actions include:
- Review and update training content to cover new controls
- Add modules on threat intelligence, cloud security, and data leakage prevention
- Ensure your training reflects the new 4-theme structure
- Update documentation references from old control numbers to new ones
What does the ISO 27001 standard state about security awareness?
The ISO 27001 standard mentions the importance of security awareness in multiple clauses.
- Clause 7.2 – Competence: The standard requires organizations to determine the necessary competence of employees involved in information security.
- Clause 7.3 – Awareness: Organizations need to ensure that employees are aware of the information security policy, relevant objectives, and their roles and responsibilities in achieving these objectives.
- Clause 8.2 – Communication: ISO 27001 emphasizes the importance of internal communication regarding the information security management system, including promoting awareness of information security.
- Clause 8.2.2 – Information Security Awareness, Education, and Training: Organizations need to ensure that personnel are aware of the information security policy and are competent in the areas of their work that relate to information security.
ISO 27001 Annex A controls related to security awareness
Beyond the clauses mentioned above, several Annex A controls directly require or benefit from security awareness training. Understanding these helps you build a training program that covers all auditable areas.
A.5.1 – Policies for information security
Your information security policy must be communicated to all employees. Training should ensure every team member understands the policy, what it means for their daily work, and the consequences of non-compliance.
A.6.3 – Information security awareness, education, and training
This is the core awareness control in the 2022 revision. It requires:
- A formal awareness program that covers all employees
- Role-specific training for staff with elevated security responsibilities
- Regular updates to training content reflecting new threats and policy changes
- Documented evidence of training completion and effectiveness
A.6.8 – Information security event reporting
Employees must know how to recognize and report security events. Your training should cover:
- What constitutes a security event vs. a security incident
- How to report events through proper channels
- The importance of timely reporting (even false positives)
- What happens after a report is filed
A.8.7 – Protection against malware
Staff need to understand how malware spreads and how to prevent infections. Training topics should include recognizing suspicious attachments, safe browsing habits, and the importance of keeping software updated.
A.5.10 – Acceptable use of information and assets
Employees should be trained on the acceptable use policy: what they can and cannot do with company devices, data, and systems. This includes personal use policies, BYOD guidelines, and data handling procedures.
A.8.9 – Configuration management
While primarily a technical control, employees (especially IT staff) need training on maintaining secure configurations and understanding why unauthorized changes are prohibited.
How to implement ISO 27001 security awareness training
ISO 27001 provides a clear framework to help organizations manage information security management. However, it doesn’t explicitly state how to implement those security awareness programs within your organization.
So how do you know if your ISO 27001 security awareness training program is up to par?
We can first take a look at what ISO 27001 auditors look at. During audits, the organization’s compliance with ISO 27001 requirements is assessed, including those related to security awareness.
Auditors often look for the following:
- Documentation: Have you documented your security policy, objectives, roles, and specific requirements related to awareness and training?
- Communication: Can you provide evidence that your employees are aware of your security policy, objectives, and their specific roles in achieving them?
- Training programs: Can you prove that your organization has implemented training programs?
- Monitoring and measurement: Can you show that you are monitoring and measuring the effectiveness of your security awareness programs?
You can either decide to set up your own training program or use a security awareness training platform like Guardey.
With Guardey, your employees take on weekly cyber security challenges that take up to three minutes to complete. The challenges cover all relevant topics such as spear phishing, CEO fraud, password security, and more. By learning small pieces of information every week, employees slowly build up knowledge and security awareness peaks.

In the reporting section, you can monitor how employees are performing and which security topics may need more attention. This makes Guardey the perfect fit for security awareness training compliant with the ISO 27001 standard.
→ Plan a demo with one of Guardey’s cyber security specialists.
ISO 27001 checklist (2026)
Use this comprehensive checklist to verify your organization meets all ISO 27001 requirements. This checklist is aligned with the ISO 27001:2022 revision and covers everything auditors will look for – from policy and documentation to training, monitoring, and audit readiness.
1. Policy and documentation
- Information security policy is documented and approved by management
- Security awareness training objectives are clearly defined and aligned with business goals
- Roles and responsibilities for managing the awareness program are assigned
- A formal training plan/calendar exists for the current year
- The acceptable use policy is documented and accessible to all employees
- Incident reporting procedures are documented and communicated
- Data classification policy is in place and employees understand the classification levels
- The awareness program is reviewed and updated at least annually
2. Training content and topics
Your training program should cover all of the following topics to meet ISO 27001 requirements:
- Phishing and social engineering – How to recognize and report phishing emails, vishing, smishing, and pretexting attacks
- Password security – Creating strong passwords, using password managers, and understanding multi-factor authentication
- Data handling and classification – How to handle sensitive data, data classification levels, and proper storage/disposal procedures
- Incident reporting – How to recognize security events and report them through proper channels
- Physical security – Clean desk policy, visitor management, secure printing, and tailgating prevention
- Remote work security – Secure home office practices, VPN usage, and public Wi-Fi risks
- Malware prevention – Recognizing suspicious attachments, safe browsing, and software update hygiene
- Cloud security – Secure use of cloud services, data sharing best practices, and access management (new in 2022 revision)
- BYOD and mobile device security – Securing personal devices used for work purposes
- Data leakage prevention – Understanding how data leaks occur and preventive measures (new in 2022 revision)
- CEO fraud and business email compromise – Recognizing impersonation attacks and verifying unusual requests
- Privacy and GDPR basics – Understanding personal data handling obligations
- AI and emerging threats – Risks of AI-generated phishing, deepfakes, and new attack vectors
3. Training delivery and frequency
- New employees receive security awareness training during onboarding (within the first week)
- All employees receive ongoing, regular training (at minimum monthly; weekly micro-learnings recommended)
- Training is available in languages spoken by your workforce
- Training is accessible on multiple devices (desktop, tablet, mobile)
- Role-specific training is provided for high-risk roles (IT staff, management, finance, HR)
- Management and leadership participate in the training program
- Training content is updated when new threats emerge or policies change
- Contractors and third-party personnel with system access receive appropriate training
4. Phishing simulations
- Regular phishing simulations are conducted (at minimum quarterly)
- Simulations cover different attack types (email phishing, spear phishing, SMS phishing)
- Employees who click on simulated phishing emails receive immediate feedback and additional training
- Simulation results are tracked and reported to management
- Click rates are trending downward over time
- Reporting rates (employees flagging the phishing email) are tracked and improving
5. Employee engagement and participation
- Training completion rates are tracked and above 90%
- Gamification elements are used to increase engagement (quizzes, leaderboards, rewards)
- A communication plan exists to promote security awareness beyond formal training
- Management visibly supports and participates in the awareness program
- Employees can ask questions or report concerns through an accessible channel
- Positive security behaviors are recognized and rewarded
6. Monitoring, measurement, and reporting
- Training completion rates are monitored per employee and per department
- Quiz and assessment scores are tracked to measure knowledge retention
- Phishing simulation click rates and reporting rates are measured over time
- Security incident trends are correlated with awareness training efforts
- Regular reports are provided to management on the effectiveness of the program
- KPIs are defined for the awareness program (e.g., <90% click rate, >95% completion)
- Improvement actions are documented based on monitoring results
7. Audit readiness and evidence
- Training records are stored and accessible for at least the last certification cycle (3 years)
- Certificates of completion are available for each employee
- Phishing simulation reports are archived with dates and results
- Policy acknowledgment forms are signed and stored
- Minutes from security awareness review meetings are documented
- Corrective actions from previous audits related to awareness are tracked and closed
- Evidence of management review of the awareness program is available
8. Continuous improvement
- Lessons learned from security incidents are incorporated into training content
- Training content is updated based on new threats and threat intelligence (A.5.7)
- Employee feedback on training quality and relevance is collected
- Annual gap analysis is performed comparing the program to ISO 27001 requirements
- Benchmarking against industry standards or peer organizations is considered
- The training program roadmap for the next 12 months is documented
Common mistakes during ISO 27001 awareness audits
Many organizations fail their ISO 27001 audit on awareness-related controls. Here are the most common mistakes – and how to avoid them.
1. Training only once a year
Annual training sessions are one of the biggest red flags for auditors. A single yearly session doesn’t demonstrate a culture of continuous awareness. ISO 27001 expects an ongoing program that keeps security top-of-mind throughout the year. Weekly or monthly micro-learnings are far more effective and easier to evidence.
2. No evidence of effectiveness
Having a training program is not enough. You must prove it works. Auditors will ask for metrics showing that employees have improved their security behavior over time. If you can’t show declining phishing click rates, improving quiz scores, or reduced incident numbers, your program may be found insufficient.
3. One-size-fits-all training
Not all employees face the same risks. A finance team member processing payments needs different training than a developer or a receptionist. ISO 27001 expects role-specific training that addresses the unique risks each role faces. Generic training for everyone won’t cut it.
4. No management participation
If leadership doesn’t participate in the awareness program, auditors notice. Management must not only sponsor the program but actively participate in it. This demonstrates the “tone from the top” that ISO 27001 requires.
5. Outdated content
If your training material still references threats from 2020 but ignores AI-generated phishing, QR code attacks, or cloud security risks, auditors will flag this. Training content must reflect current threats and be updated regularly.
6. Missing onboarding training
New employees often have a grace period before they start training. This is a risk and an audit finding. Security awareness training should be part of the first-week onboarding process, not something that starts months later.
7. Ignoring contractors and third parties
If external personnel have access to your systems, they need awareness training too. Auditors will check whether your program extends to all personnel with access, not just full-time employees.
How to measure the effectiveness of your security awareness program
ISO 27001 clause 9.1 requires organizations to monitor, measure, analyze, and evaluate the performance of the ISMS, including your awareness program. Here are the key metrics to track.
Phishing simulation results
Run regular phishing simulations and track two critical metrics:
- Click rate: The percentage of employees who click on the simulated phishing link. A good target is below 5%. Above 15% signals a significant training gap.
- Report rate: The percentage of employees who correctly report the phishing email. This is arguably more important than click rate. A high report rate shows employees are actively engaged.
Training completion and scores
- Completion rate: Target 95%+ across all departments. Track which departments lag behind and follow up.
- Assessment scores: Track average quiz scores per topic. Low scores on specific topics indicate where additional training is needed.
- Time to completion: Monitor how quickly new employees complete onboarding training.
Security incident metrics
- Number of reported incidents: An increase in reported incidents (especially near-misses) often indicates better awareness, not worse security.
- Mean time to report: How quickly do employees report security events? Faster reporting means better trained staff.
- Incidents caused by human error: Track whether human-error-related incidents decrease over time as training matures.
Engagement metrics
- Voluntary participation: Do employees engage beyond mandatory training (e.g., reading security newsletters, attending optional sessions)?
- Feedback scores: Collect feedback on training relevance and quality. Low engagement often signals content that doesn’t resonate.
How to introduce ISO 27001 security awareness training to your employees
Once you have decided on an ISO 27001 security awareness training solution, it’s time to introduce it to your employees. This isn’t always an easy task. Not everybody may immediately grasp the importance of security awareness training, which is why simply sending them their logins may not suffice.
That’s why you need a strong introduction. Below, we’ve added two examples.
EyeOn organized a cyber security week to kick off their ISO 27001 certification process. During this week, they started every day with an interview of 15 minutes, which they called the safety catch-up. Each day had a specific cyber security theme, and during challenges (both in Guardey and in real life), employees could score points. At the end of the week, the best-performing employees were rewarded with a trophy and a small gift.

Delta Wines first arranged a spear phishing simulation. During this simulation, employees got a phishing email to test if they would click the link and leave personal information. And it turns out that many of the employees did just that. The IT manager shared the final results of the phishing test during a quarterly meeting, which shocked quite a few of his colleagues. This made introducing Guardey as their security awareness training solution much easier.
How Fendix gets organizations ISO 27001 certified with the help of Guardey
Fendix helps companies get ISO 27001 certified. Killian Houthuijzen, information security consultant at Fendix, explains what role Guardey’s security awareness solution plays in this process: “An important part of getting an ISO 27001 certification is investing in the security awareness of your employees. A while back, we were trying to set up our own version of a security awareness training in preparation for that. But creating all that new content would have taken us at least 8 hours every single month. That’s just not efficient.”
![]()
He continues: “With Guardey, security awareness training becomes affordable and you don’t need to invest any time in setting it up. All you need to do is monitor the performance of your team, which is easy in Guardey’s learning management system. That’s why we often advise our clients to simply use Guardey instead of doing all the heavy lifting of setting up their own training.”
ISO 27001 vs NIS2 vs SOC 2: awareness training requirements compared
Many organizations need to comply with multiple security frameworks. Here’s how the awareness training requirements compare across the three most common standards.
| Requirement | ISO 27001 | NIS2 | SOC 2 |
|---|---|---|---|
| Awareness training mandatory? | Yes (Clause 7.3, A.6.3) | Yes (Article 20) | Yes (CC1.4, CC2.2) |
| Minimum frequency | Ongoing / regular | Regular (not specified) | Annual minimum |
| Management participation | Required | Required (board-level) | Recommended |
| Phishing simulations | Recommended | Not specified | Common practice |
| Effectiveness measurement | Required (Clause 9.1) | Required | Required |
| Role-specific training | Required | Recommended | Required |
| Third-party coverage | Required | Supply chain focus | Required for service org |
| Penalties for non-compliance | Loss of certification | Up to €10M or 2% of turnover | Loss of SOC 2 report |
The good news: a strong ISO 27001 awareness program covers most NIS2 and SOC 2 requirements. By using a comprehensive training platform like Guardey, you can meet the requirements of all three frameworks with a single solution.
Frequently asked questions about ISO 27001 security awareness training
Is security awareness training mandatory for ISO 27001?
Yes. ISO 27001 requires organizations to ensure that employees are aware of the information security policy and are competent in the areas of their work that relate to information security. Clause 7.3 (Awareness) and Annex A control 6.3 explicitly require a formal awareness program.
How often should employees receive security awareness training?
ISO 27001 requires ongoing awareness rather than a one-time event. While the standard does not specify an exact frequency, best practice is to provide training at least monthly. Weekly micro-learnings (like Guardey’s 3-minute challenges) are considered optimal because they keep security top-of-mind without overwhelming employees.
What topics should ISO 27001 awareness training cover?
At a minimum, your training should cover: phishing and social engineering, password security, data handling and classification, incident reporting, physical security, remote work security, malware prevention, cloud security, and acceptable use policies. The 2022 revision also emphasizes threat intelligence, data leakage prevention, and web filtering awareness.
Can online training replace in-person security awareness sessions?
Yes. ISO 27001 does not prescribe a specific training delivery method. Online training platforms like Guardey are widely accepted by auditors, especially when they provide documented evidence of completion, assessment scores, and ongoing engagement. Many organizations find that online micro-learnings are more effective than traditional classroom sessions because they reach all employees consistently.
How do you prove security awareness training during an ISO 27001 audit?
Auditors will look for documented evidence, including: training completion records per employee, assessment/quiz scores, phishing simulation results, policy acknowledgment forms, meeting minutes from awareness program reviews, and evidence of management participation. A training platform with built-in reporting capabilities makes this significantly easier.
Do contractors and temporary staff need ISO 27001 awareness training?
Yes, if they have access to your information systems or handle sensitive data. ISO 27001 requires that all personnel who could impact information security receive appropriate awareness training. This includes contractors, temporary workers, and third-party service providers.
What happens if you fail the awareness part of an ISO 27001 audit?
If auditors identify a non-conformity related to security awareness, you will receive either a minor or major non-conformity finding. A major non-conformity means your certification could be suspended until you address the issue. A minor non-conformity gives you a defined period (typically 90 days) to implement corrective actions before the next follow-up audit.
Try out Guardey’s ISO 27001 security awareness training solution
Security awareness plays a significant role in protecting your organization from cyber attacks and complying with ISO 27001. If you’re looking for a training solution that is implemented within hours, consider using Guardey.
With Guardey’s gamified learning process, your employees will get 3-minute micro-learnings every single week. Over time, they learn how to recognize cyber threats and act accordingly.