
Control 6.3: Information Security Awareness, Education and Training


Summary

Personnel and relevant interested parties should receive appropriate information security awareness, education, and training. Regular updates on organizational policies and procedures are necessary to maintain a strong security culture.


Applicability

In-Scope: Critical for all organizations. Human error is a primary cause of breaches, and training is the main control for mitigating risks such as phishing and social engineering.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Phishing Simulation: Utilize Microsoft Defender for Office 365 (Attack Simulation Training) to run realistic phishing campaigns and identify high-risk users.

  • Learning Management: Use Microsoft Viva Learning to distribute mandatory security training modules and track completion rates across the organization.

  • Communication: Establish a Security Awareness channel in Microsoft Teams to share regular tips, news about emerging threats, and policy reminders.


Evidence Checklist

  • Training Program: A documented plan detailing the topics, frequency, and target audience for security training.

  • Completion Records: Reports from Viva Learning or Defender showing which employees have completed their assigned training.

  • Awareness Campaign Samples: Copies of security newsletters, posters, or Teams messages used to reinforce security culture.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How often is security awareness training updated to reflect new threats like AI-driven deepfakes or sophisticated phishing?

  • What actions are taken when an employee consistently fails phishing simulations?

  • How do you ensure that specialized roles (e.g., IT admins or developers) receive training that is specific to their high-risk tasks?

  • Can you show evidence that the most recent security awareness session was attended by top management?