What Clause 7.3 Requires
Clause 7.3 requires that every person doing work under the organization's control is aware of three specific things: the information security policy — that it exists, where it lives, and what it commits the organization to; their own contribution to the effectiveness of the ISMS, including the benefits the organization gains when security performance improves; and the implications of not conforming with ISMS requirements — what a failure to follow the rules means for the organization, and for them.
Two phrasing choices in the clause carry real weight. First, the obligation attaches to people working under the organization's control, not to employees — contractors, temporary staff, interns, and outsourced personnel operating inside your ISMS scope all count. Second, the clause defines an outcome, not a mechanism: it never mandates a training course, an e-learning platform, or any specific documented information. How you create the awareness is your choice; whether the awareness actually exists in people's heads is what gets tested.
Why This Clause Exists
To make sure the ISMS lives in people's behavior rather than only in documents — a management system only functions when the people operating under it know it exists, understand their part in it, and know that nonconformity has consequences.
What This Really Means
Awareness is the floor, not the ceiling. Clause 7.3 does not ask every employee to become a security expert — it asks for a working baseline that any person in scope can demonstrate by answering three questions: Do you know the organization has an information security policy, and where would you find it? What does security mean for your specific job? And what happens — to the organization and to you — if the rules are ignored?
The cleanest way to keep this clause straight is the split with Annex A: Clause 7.3 sets the outcome; control A.6.3 delivers the program. The clause says people must be aware of three things. The control — Information security awareness, education and training — is the vehicle nearly every organization uses to get there: onboarding modules, refreshers, role-based content. The clause is mandatory for every certified organization regardless of how A.6.3 is implemented; if your awareness program exists but those three outcomes are missing from it, you can pass A.6.3's mechanics and still fail 7.3.
How auditors test it is famously low-tech: corridor interviews at Stage 2. After the scheduled sessions with the CISO and the ISMS team, the auditor talks to a support engineer, someone in finance, the person at the printer — deliberately off the interview plan. They are not testing recall of the policy text. One person who has never heard of the policy is a data point; several across departments is a nonconformity. An answer like "we have a security policy on the intranet, I acknowledged it during onboarding, and I would report anything odd to the security channel" is a clean pass.
The population is broader than payroll. Because the clause covers everyone working under the organization's control, the contractor who started three weeks ago and the outsourced support team inside your scope need the same baseline — and auditors like sampling exactly those people, because they are the ones onboarding processes most often miss.
Why It Matters
Most incident chains begin with a person, not a firewall: the phishing click, the attachment sent to the wrong recipient, sensitive data pasted into an unapproved tool. Awareness is the cheapest control you will ever deploy against that class of failure — and Clause 7.3 is the standard's way of guaranteeing a minimum dose of it reaches every person inside the ISMS, not just the security team.
For certification, 7.3 is one of the few requirements tested primarily by sampling humans rather than documents. At Stage 2, a single vague answer is survivable; a pattern of staff who have never heard of the policy is a nonconformity — usually minor, but widespread ignorance across interviews can escalate, because it tells the auditor that 7.3 and A.6.3 are both failing in practice and the documented ISMS is theater.
When awareness fails, the pattern looks like this:
- Stage 2 interview findings – auditors triangulate across several staff; coached answers from the five people you briefed collapse the moment the auditor picks a sixth
- Incidents that surface late – people who were never told what nonconformity means also tend not to know that reporting a suspicious event is expected of them
- Unenforceable consequences – disciplinary action against someone who was never made aware of the rules is hard to defend; awareness records are what make the disciplinary process usable
- Contractor blind spots – third-party staff inside your scope who skipped onboarding become the unmanaged edge of the ISMS, and the population auditors most enjoy sampling
- Policy theater – documents that pass Stage 1 while day-to-day behavior contradicts them, which Stage 2 interviews are specifically designed to expose
Documented Information Required
Security awareness plan or program outline
Recommended: A short plan mapping who needs which awareness messages, through which channels, and how often — ideally tying each of the three Clause 7.3 outcomes (policy, contribution, consequences) to onboarding, refreshers, and ongoing reinforcement.
Awareness and acknowledgment records
Recommended: Completion logs, attendance lists, LMS exports, or signed acknowledgments showing that each person in scope — contractors included — received the baseline and acknowledged the information security policy.
Awareness materials
Recommended: The onboarding deck, intranet page, chat posts, or posters actually used, retained as evidence that the content genuinely covers the policy, individual contribution, and the implications of nonconformity.
See the full ISO 27001 mandatory documents checklist for every document and record the standard requires.
How to Implement Clause 7.3
Define the awareness baseline
Write down, in one page, what every person in scope must know: that the information security policy exists and where it lives, what good security behavior looks like in their work, and what happens when ISMS requirements are ignored. Map each Clause 7.3 outcome to an explicit message — this mapping is what you show the auditor when asked how the clause is met.
List every population under ISMS control
Pull the full set: employees, contractors, temporary staff, interns, and outsourced personnel working inside scope. Reconcile HR and procurement lists so nobody enters through a side door. Assign an owner — usually HR together with the ISMS manager — for keeping the population list current.
Wire awareness into onboarding
Make the security baseline a day-one step: a short session or module plus a captured policy acknowledgment, completed before system access is granted. Use the joiner checklist as the enforcement point — access requests stay blocked until the acknowledgment lands. The same gate must exist on the contractor onboarding path.
Run continuous reinforcement, not an annual event
An annual refresher satisfies the calendar; retention comes from drip. Short monthly posts in the company channel, a two-minute security moment in all-hands, posters or screensavers where they fit the culture. Keep each touch under five minutes — frequency beats duration for keeping the baseline alive between formal sessions.
Tailor the message to the role
A developer, a finance analyst, and a receptionist face different versions of the same threats, and generic awareness produces generic indifference. Keep the common baseline, then layer two or three role-specific scenarios on top: leaked credentials for engineering, invoice fraud for finance, tailgating and visitor handling for front-of-house.
Test awareness, not attendance
Completion rates prove delivery, not awareness. Add checks that measure the outcome: short quizzes after sessions, an occasional question in team meetings, and internal-audit corridor interviews that mirror what the certification auditor will do at Stage 2. Feed weak results back into the content rather than filing them.
Track coverage and chase the gaps
Maintain a coverage view — an LMS dashboard or a simple sheet — showing completion by population, contractors included. Chase non-completers through their managers rather than mass reminders, and retain the records: coverage evidence is among the first things requested at audit.
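The population reconciliation, onboarding gate and coverage tracking described in the steps above can be run as one small script rather than maintained by hand. The following is an added example, not code from the original page or from any LMS product: it merges a constructed HR list with a constructed procurement list so a person arriving through both paths is counted once and out-of-scope people are dropped, checks each in-scope person's latest policy acknowledgment against a current policy version and a refresher interval, reports coverage per population, groups the gaps by manager for chasing, and exposes the same check as the joiner-checklist access gate. The names, e-mail addresses, dates, the policy version "2.1" and the 365-day refresher interval are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed assumptions: the current policy version and how old an
# acknowledgment may be before a refresher is due.
POLICY_VERSION = "2.1"
REFRESHER_INTERVAL = timedelta(days=365)
AUDIT_DATE = date(2024, 11, 1)  # constructed "today" for the coverage view


@dataclass(frozen=True)
class Person:
    email: str
    population: str   # employee, intern, temp, contractor, outsourced
    manager: str      # who is chased when this person has a gap
    in_scope: bool    # works under ISMS control inside the certification scope


# Constructed HR list: employees, interns and temps.
HR_LIST = [
    Person("alice@example.com", "employee", "eve@example.com", True),
    Person("bob@example.com", "employee", "eve@example.com", True),
    Person("carol@example.com", "intern", "eve@example.com", True),
    Person("dave@example.com", "employee", "eve@example.com", False),  # out of scope
]

# Constructed procurement list: contractors and outsourced staff, plus one
# employee who also appears in HR (a reconciliation duplicate, different case).
PROCUREMENT_LIST = [
    Person("Bob@example.com", "employee", "eve@example.com", True),
    Person("frank@vendor.example", "contractor", "grace@example.com", True),
    Person("helpdesk1@msp.example", "outsourced", "grace@example.com", True),
]

# Constructed acknowledgment records: (email, policy version acknowledged, date).
ACK_RECORDS = [
    ("alice@example.com", "2.1", date(2024, 9, 1)),
    ("bob@example.com", "2.0", date(2024, 9, 1)),     # superseded version
    ("carol@example.com", "2.1", date(2023, 1, 15)),  # older than the refresher interval
    ("frank@vendor.example", "2.1", date(2024, 10, 3)),
]


def reconcile_population(*lists):
    """Union of every population list keyed by lower-cased e-mail, so the same
    person arriving via HR and via procurement is counted once. Out-of-scope
    people are dropped; everyone left is under ISMS control and owes the baseline."""
    people = {}
    for source in lists:
        for person in source:
            people.setdefault(person.email.lower(), person)
    return {email: p for email, p in people.items() if p.in_scope}


def latest_acknowledgment(records):
    """Most recent acknowledgment per person as (version, date)."""
    latest = {}
    for email, version, when in records:
        key = email.lower()
        if key not in latest or when > latest[key][1]:
            latest[key] = (version, when)
    return latest


def acknowledgment_gap(ack, today):
    """None when the acknowledgment counts as current, else the reason it does not."""
    if ack is None:
        return "no acknowledgment on record"
    version, when = ack
    if version != POLICY_VERSION:
        return f"acknowledged superseded policy version {version}"
    if today - when > REFRESHER_INTERVAL:
        return "acknowledgment older than the refresher interval"
    return None


def coverage_report(today):
    """Coverage per population as {population: (acknowledged, total)} plus the
    gaps grouped by manager, which is the list to chase."""
    people = reconcile_population(HR_LIST, PROCUREMENT_LIST)
    acks = latest_acknowledgment(ACK_RECORDS)
    totals = defaultdict(lambda: [0, 0])
    gaps = defaultdict(list)
    for email, person in sorted(people.items()):
        totals[person.population][1] += 1
        reason = acknowledgment_gap(acks.get(email), today)
        if reason is None:
            totals[person.population][0] += 1
        else:
            gaps[person.manager].append((email, reason))
    return {pop: tuple(t) for pop, t in totals.items()}, dict(gaps)


def access_may_be_granted(email, today):
    """Joiner-checklist gate returning (allowed, reason): access stays blocked until
    the person is on an in-scope population list and holds a current acknowledgment."""
    people = reconcile_population(HR_LIST, PROCUREMENT_LIST)
    key = email.lower()
    if key not in people:
        return False, "not on any in-scope population list"
    reason = acknowledgment_gap(latest_acknowledgment(ACK_RECORDS).get(key), today)
    return reason is None, (reason or "acknowledgment current")


if __name__ == "__main__":
    coverage, chase = coverage_report(AUDIT_DATE)
    for population, (done, total) in coverage.items():
        print(f"{population:<11} {done}/{total}")
    for manager, items in chase.items():
        for email, reason in items:
            print(f"chase via {manager}: {email} - {reason}")
    print(access_may_be_granted("helpdesk1@msp.example", AUDIT_DATE))
```

The two cases that a plain completion count misses are deliberate: an acknowledgment of a superseded policy version and an acknowledgment older than the refresher interval both count as gaps, and the outsourced helpdesk account with no record at all surfaces under its manager rather than disappearing because it never passed through HR. In a real deployment the three hard-coded lists would be replaced by HR, procurement and LMS exports.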
Audit Evidence
During Stage 1 and Stage 2 of your ISO 27001 certification audit, auditors will expect the following evidence to demonstrate conformity with Clause 7.3:
Documentation
- Awareness plan or program outline mapping content to the three Clause 7.3 outcomes
- Onboarding checklist showing the security awareness step and policy acknowledgment gate
- Completion and acknowledgment records covering employees and contractors alike
- Samples of the awareness materials actually delivered — decks, intranet pages, chat posts
- Results of awareness checks: quiz scores, internal audit interview notes, and follow-up actions taken
Interviews
- Randomly selected staff — do they know the policy exists, where to find it, their role in security, and the consequences of nonconformity
- A recent joiner or contractor on what security content their onboarding actually included
- HR or the awareness program owner on how coverage is tracked and non-completion is chased
Observations
- A staff member locating the information security policy live from their own workstation
- The LMS or tracking sheet showing real-time completion status across all populations
- Visible reinforcement in the environment — intranet banner, chat channel, posters — matching what the program claims to run
Practitioner Insights

Stage 2 awareness findings follow a pattern I see constantly: the organization briefs the five people scheduled for interviews, and the auditor talks to a sixth. Experienced auditors deliberately pick staff who are not on the interview plan — the engineer in the corridor, the person at the coffee machine. The defense is not coaching; it is making the baseline so routine that any sampled person can say what the policy is, where it lives, and what their part in it is. If you find yourself preparing interview scripts the week before the audit, the awareness program has already failed.

Small organizations overspend here. You do not need an awareness platform for forty people — a twenty-minute onboarding session, a quarterly reminder in the team channel, and a tracked acknowledgment sheet satisfy Clause 7.3 completely. The two mistakes I keep finding are not about under-investment at all: sessions that genuinely happened but left no record of who attended, and contractors excluded because onboarding belongs to HR and contractors never pass through HR. Fix the record-keeping and the contractor path before you spend anything on tooling.
Common Challenges & Solutions
Challenge
Awareness is treated as a once-a-year training event, and by month six nobody remembers it.
Solution
Shift effort from one long annual session to short, frequent touches: a monthly two-minute post in the company channel, a security moment in all-hands, a quarterly micro-quiz. Keep the annual refresher as the formal anchor, but let reinforcement carry the retention. A visible drumbeat also reads well at audit, because it proves the program runs continuously rather than performing for audit week.
Challenge
Contractors and outsourced staff never receive the baseline because onboarding is owned by HR and they do not pass through HR.
Solution
Create a second trigger in procurement or vendor management: no contractor receives system access until the awareness step and policy acknowledgment are complete. Put the obligation into the contract or statement of work, and include contractor completion in the same coverage dashboard as employees. The auditor will sample a contractor — make sure the record exists before they ask.
Challenge
Staff completed the training but cannot connect the policy to their actual job when asked.
Solution
Rebuild the content around roles instead of rules. Give each function two or three concrete scenarios drawn from its own work — what a developer does about a leaked API key, what finance does with a payment-change email, how support verifies a caller. People retain what visibly applies to them; the generic slide about confidentiality applies to no one in particular.
Challenge
Sessions happen, but there is no retained evidence of who received what.
Solution
Make the channel generate the record: LMS completion exports, calendar invites with recorded attendance, a signed sheet for in-person sessions, acknowledgment clicks for the policy. Store them with the rest of the ISMS records. From the auditor's side of the table, delivery without evidence is indistinguishable from no delivery.
Challenge
The awareness program covers phishing and passwords but never mentions the policy, individual contribution, or consequences — the three things the clause actually requires.
Solution
Audit your own content against the clause. Somewhere in onboarding and the refresher cycle, people must hear that the policy exists and where it is, why their behavior matters to the ISMS, and what nonconformity means. Add one slide and one quiz question per outcome. Topical content like phishing simulations is valuable, but it supplements the Clause 7.3 baseline rather than replacing it.