We deliver Annex A 6.3 awareness, education, and training across your workforce – covering the ISMS, information security policies, acceptable use, incident reporting, and role-specific modules. Managed rollout, audit-ready evidence accepted by certification bodies and customers. Live for your team in under a week.
Tell us your team size – receive a tailored proposal within 1 business day.
Trusted by Compliance Teams at Leading Organizations
Staff training is your first line of defence – and the first piece of evidence regulators ask for.
ISO/IEC 27001:2022 makes information security awareness, education, and training a Statement-of-Applicability control at Annex A 6.3, with corresponding management-system requirements at Clauses 7.2 (Competence), 7.3 (Awareness), and 7.5 (Documented information). Certification bodies will not issue, maintain, or renew a certificate without evidence that all workforce members understand the ISMS, the information security policy, and their individual contribution. Customer audits, SOC 2 reviews, and procurement tenders typically require the same evidence.
Annex A 6.3 – information security awareness, education and training is a mandatory SoA control
Clause 7.2 (Competence) – staff must be competent for the work they perform within the ISMS
Clause 7.3 (Awareness) – all staff must be aware of the ISMS, the information security policy, and their contribution
Clause 7.5 – documented information must be available; training records are the primary evidence
Curated from our full library and tailored to your ISMS scope, your sector, and your role mix – you don't pick modules from a menu, we propose the right curriculum.
ISO 27001:2022 structure, Annex A controls, and Statement of Applicability
Information security policy and topic-specific policies
Roles, responsibilities, and segregation of duties (A.5)
People controls – screening, terms of employment, awareness (A.6)
Acceptable use, clean desk, and physical security (A.7)
Access control, identity, authentication (A.8)
Cryptographic controls and information classification
Incident reporting, evidence collection, lessons learned (A.5.24–A.5.28)
Business continuity, backups, and ICT readiness (A.5.29–A.5.30)
Supplier relationships and ICT third-party security (A.5.19–A.5.23)
Dedicated customer success manager handles enrolment, role mapping, kickoff communications, and reminder cadence.
Dated certificates per workforce member, exportable completion logs, and role-mapped curriculum records that satisfy stage 1 / stage 2 / surveillance audit checks under Clauses 7.2, 7.3, and 7.5.
Track completion across teams, business units, and ISMS scope boundaries. Export evidence packages for certification bodies, customer audits, and SOC 2 reviewers.
SAML 2.0, OIDC, and SCIM provisioning. New joiners enrolled automatically. Leavers de-provisioned. Zero admin overhead.
Multi-year licensing rolls workforce members forward each year. Refresher content tracks ISO/IEC 27002:2022 control updates and ISMS Forum guidance.
Your logo on certificates, co-branded learner emails, and the option to attach your information security policy, acceptable use, or incident response procedure to any module.
We don't sell self-checkout seats to enterprises pursuing certification. We propose a curated curriculum mapped to your Statement of Applicability, manage the rollout, and hand you an evidence package your certification body and customers will accept.
“We pursued ISO 27001:2022 certification across our entire technology organisation. The certification body explicitly reviewed Annex A 6.3 evidence at stage 2. Role-mapped curriculum records and dated certificates passed without findings.”
“Our procurement team was losing deals because customers wanted ISO 27001 certification. We rolled out the awareness program in week one of our certification project – it was the easiest control to evidence and our certification body cleared it on first review.”