ISO/IEC 27001:2022 Clause 7.3 makes awareness a mandatory ISMS requirement. Annex A.6.3 goes further — personnel and interested parties "shall receive appropriate information security awareness, education and training" tailored to their job function.
The Aware Front is a fully-managed e-learning and compliance platform delivering role-based, continually reinforced, evidence-generating training that stands up to a certification body audit — whether you're pursuing first-time certification or maintaining a surveillance cycle.
ISO 27001 sets mandatory awareness requirements in two places — the main body and the Annex A controls. Your certification depends on meeting both.
Persons doing work under the organisation's control shall be aware of:
(a) the information security policy;
(b) their contribution to the effectiveness of the information security
management system, including the benefits of improved information security
performance; and
(c) the implications of not conforming with the information security
management system requirements.
The companion control in Annex A sets the delivery standard: "Personnel of the organisation and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organisation's information security policy, topic-specific policies and procedures, as relevant for their job function."
"Persons doing work under the organisation's control" — not just employees. Contractors, temporary staff, third parties, and anyone with access to information assets within the ISMS scope are all in scope.
Annex A.6.3 in the 2022 edition is the revised successor to A.7.2.2 in the 2013 edition. Certification bodies now audit against the 2022 structure. Our programme is mapped to the current edition — not the retired one.
ISO 27001 audits fail awareness not because organisations don't train — but because the evidence doesn't hold up. Here's what surveillance auditors actually write into their findings.
A one-off induction session or an annual workshop isn't a programme. Auditors expect a documented, structured, risk-based training plan with defined objectives, audiences, topics, and frequency — reviewed at management review and updated against the risk register.
Annex A.6.3 says "as relevant for their job function." One generic deck for everyone doesn't meet the standard. Auditors want evidence that finance, IT, HR, developers, and executives each see content tailored to their risks — and that attendance is tracked per role.
Completion ≠ awareness. Auditors increasingly want behavioural evidence: phishing simulation click rates, knowledge assessment scores, and trend data showing the programme actually changes behaviour. A signed register is no longer enough.
A non-conformity raised at surveillance is a major certification risk. The cheapest way to avoid one is to run the programme auditors already know how to audit.
Every awareness-relevant clause in Clause 7 and the 2022 Annex A controls maps to a specific programme component. This is the crosswalk your information security manager shares with the external auditor.
ISO 27001 auditors evaluate awareness on the quality of the evidence, not the enthusiasm of the programme. We produce a structured, timestamped evidence pack that maps directly to what the surveillance auditor will sample.
Name, department, modules enrolled, completion dates, assessment scores, reinforcement assignments. Exportable CSV and PDF.
70% pass threshold enforced per module. First-attempt and final scores, remediation attempts, time-to-pass by cohort.
Per-campaign detail — delivered, viewed, replied, clicked, submitted credentials, reported. Department-level heatmaps and trajectory versus baseline.
Annual vishing test of reception, finance, and procurement. Script, call log, staff response, and per-recipient outcome — the drill auditors ask about but nobody runs.
Baseline (Month 1) to Month 12 risk-score timeline, per employee and per department. 12-month forecasting curves showing programme impact.
Digital acknowledgement records with timestamp, IP, and device — aligned with Clause 7.3(a) and the topic-specific policies referenced in Annex A.6.3.
Kick-off, role-based workshops, and the 3-hour incident-response tabletop. Signed attendance, facilitator debriefs, and lessons-learned — evidence of continual improvement under Clause 10.
Board-ready narrative document feeding directly into Clause 9.3 management review. Before/after comparison, department analysis, effectiveness metrics, and Year-2 recommendations.
Signed organisational certificate for board minutes, insurance renewal, and certification-body submission. Individual completion certificates for every employee.
ISO 27001's awareness requirement is only as strong as its relevance. Generic Western content won't prepare a Kampala reception desk for the real attacks they see. Our custom modules reflect how organisations in East Africa actually get compromised — so Annex A.6.3's "relevant for their job function" bar is met in substance, not just in form.
The most common East African social-engineering attack. A finance officer receives a WhatsApp message from what appears to be the MD's number, requesting urgent payment processing. Our module walks staff through the verification workflow required before acting — and how the incident is logged against Annex A.5.24 incident management.
A hospital clerk answers the phone. The caller claims to be calling on behalf of an insurer and needs patient records faxed urgently. Our healthcare-sector module covers the identity verification standard, the data-handling procedures, and the circumstances that justify disclosure under your topic-specific policies.
Staff receive SMS or WhatsApp messages purporting to be from MTN MoMo, Airtel Money, or a bank — requesting PIN confirmation, transaction approval, or account linking. Module covers recognition, reporting, and the asset-classification implications where work phones sit inside the ISMS scope.
Annex A.5.19–5.21 covers supplier relationships; A.6.3 requires your staff be aware of these controls. Our module builds real cases of supplier staff requesting unauthorised access or pressure around shared credentials — and the refusal-and-escalation workflow your auditor expects.
Request a proposal tailored to your ISMS scope, staff structure, and certification cycle — whether you're preparing for first-time certification or maintaining a surveillance schedule. We'll come back with a scoped plan, not a generic deck.