ISO 27001 Information Security - Clause 7.3 Awareness

ISO 27001 Clause 7.1 Resources

14 July 2022 - ISO 27001 Information Security in plain English - Blog post #12.

ISO 27001 - Clause 7.3 Awareness. This article discusses the topic of people working for your organization needing to be aware of your information security policy, how they can contribute to the ISMS, and the consequences of them not conforming to requirements.


ISO 27001 Information Security in plain English

Information Security is becoming critical to every business, and there is a fast-growing trend towards developing management systems based on the ISO 27001 standard.  However, the subject and its terminology can certainly be a little daunting. So, we set out to cut through that in 'ISO 27001 Information Security in plain English' - a series of blogs articles that explains all clauses and controls in the standard.

7.3 Awareness

The requirements of ISO 27001 clause 7.3 may be briefly summarised as: You should ensure that your workers (not just direct employees, but everyone doing work under your control), are aware of:

  • Your information security policy
  • How they can help to make the ISMS being effective
  • Any implications of them not conforming with ISMS requirements

The above may be supplemented by promoting a general awareness of information security: What does it mean and how does it apply in your organization.

As we already seen in other articles in this series, ISO 27001 expresses a requirement, but is not prescriptive about how you must achieve it. Their approach allows for a great deal of flexibility but does lead to the question "OK, I get what's needed, but how should we implement it?". The following offers some practical options.

How to build awareness

Awareness of your information security policy

You can create an awareness of your information security policy by various means, including:

  • For workers and visitors, putting one or more printed copies on display in prominent locations in your business premises e.g in reception, on notice boards etc.
  • For new workers, it could be included in induction packs.
  • For existing workers, a discussion on the policy could be included in a team meeting, a 'town hall', or a specific infosec awareness session.
  • For anyone, by publishing it on your web site. That's an easy win for just about any organisation. You have the policy, you have the web site. So, why not? If you follow our advise of keeping the policy to the basics, it doesn't give away any secrets, it facilitates awareness and may also provide some assurance to clients (and potential clients) of your commitment to information security.

The requirements for an information security policy are discussed in an earlier article in this series - see clause 5.2 Policy.

Awareness of how they can contribute to the ISMS being effective

  • All workers can be made aware of how they can contribute to the ISMS being effective by making relevant corporate infosec objectives known to them. That can be achieved by the same methods listed above, and by communications from top management and the IT / Compliance team. We will discuss communication futher in the next article in this series.
  • Employees can be made aware of information security objectives that are specifically for them by reference in their own personal KPI's.
  • Contractors may be made aware of relevant objectives by use of appropriate wording in requests for tenders or contract documents.

Awareness of any implications of them not conforming with ISMS requirements

  • For workers, the Implications of not conforming with ISMS requirements can be expressed in policies, code of conduct, employment contract etc.
  • For contractors, they may be made aware of such implications in contract documents.

The above are not the only methods of building awareness. The best options for your organisation will depend on a range of factors, but hopefully, our examples will give you some food for thought.

About the series 'ISO 27001 Information Security in plain English'

This blog post is part of a series where we will work through all the clauses and controls in ISO 27001. A great starting point for developing your ISMS.

This blog series began with an introductory webinar. A copy of the slide deck is available for you here:

Qudos_ISO_27001 Information_Security_in_plain_English (PDF)

Click the LinkedIn Follow button below to receive notifications.

There's nothing like word of mouth to share creative content. So, if you found this blog useful, please share it with a colleague or business associate.

Ready to start your journey to ISO 27001?

The first step to commencing a management system based on ISO 27001 is to conduct a Gap Analysis. We can provide a qualified, experience certification auditor to perform a professional Gap Analysis service for you.

Contact us today to discuss your needs!

Find out more about Qudos management system consultancy services

Man at desk photo by Tyler Franta on Unsplash. Consultancy photo by Annie Spratt on Unsplash