A.6.3 Information Security Awareness, Education and Training
What is this control?
ISO 27001 control A.6.3 Information Security Awareness, Education and Training ensures that all personnel, contractors, and relevant third parties participate in a continuous information security and privacy awareness programme combining mandatory induction training, monthly education, role-based specialist training, simulated phishing exercises with automated remediation, and formal attestation of policy packs through Microsoft Defender Attack Simulation Training.
How to implement in Microsoft 365
Implement A.6.3 by establishing a mandatory induction training programme via an external LMS as a condition of full system access, with a Limited Access Conditional Access policy preventing access until completion. Configure Microsoft Defender for Office 365 Attack Simulation Training campaigns targeting all personnel with multiple attack techniques. Set up simulation automations to assign targeted just-in-time training to users who fall for simulations.
Create dynamic groups based on job functions for Privileged Users, Developers, Finance, and HR requiring role-specific training. Implement Conditional Access policies requiring Terms of Use acceptance for specialist training attestation.
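A worked configuration for the role-based attestation step above, added here as an illustration and not taken from the control text: it uses the Microsoft Graph PowerShell SDK to create one dynamic group (Developers) and a Conditional Access policy that requires its members to accept a Terms of Use agreement. The group name, the membership-rule attributes and the agreement name are assumptions and placeholders for your tenant.

```powershell
# Added example (not part of the original control text). Assumes the Microsoft
# Graph PowerShell SDK is installed and a Terms of Use agreement carrying the
# Developer policy pack already exists under the placeholder name below.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Agreement.Read.All", "Policy.ReadWrite.ConditionalAccess"

$agreementName = "Developer Security Policy Pack"   # placeholder, adjust to your tenant

# 1. Dynamic group keyed on job function. The rule uses the Entra ID dynamic
#    membership rule language; jobTitle/department are assumed attributes.
$group = New-MgGroup -DisplayName "SEC-Training-Developers" `
    -MailEnabled:$false -MailNickname "sec-training-developers" -SecurityEnabled `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(user.jobTitle -contains "Developer") or (user.department -eq "Engineering")' `
    -MembershipRuleProcessingState "On"

# 2. Look up the Terms of Use agreement that carries the policy pack.
$agreement = Get-MgIdentityGovernanceTermsOfUseAgreement -All |
    Where-Object { $_.DisplayName -eq $agreementName }
if (-not $agreement) { throw "Terms of Use agreement '$agreementName' not found" }

# 3. Conditional Access policy: group members must accept the agreement before
#    any cloud app sign-in. Created in report-only mode so the effect can be
#    reviewed in sign-in logs before switching the state to 'enabled'.
#    Add your emergency-access (break-glass) accounts to excludeUsers before enforcing.
$policy = @{
    displayName = "CA-A.6.3-Developer-Training-Attestation"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($group.Id); excludeUsers = @() }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator   = "OR"
        termsOfUse = @($agreement.Id)
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in report-only mode; set state to 'enabled' after review."
```

Repeat the group and policy pair for each job function named in the control (Privileged Users, Finance, HR), each pointing at its own policy-pack agreement.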
What an auditor looks for
Auditors will verify evidence of attack simulation campaigns with configuration details and multiple attack techniques. They will check simulation automation rules for assigning remedial training to compromised users. Auditors will review Policy Pack Terms of Use policies with Conditional Access enforcement.
They will verify role-based dynamic groups with Conditional Access policies requiring training attestation. Auditors will check simulation summary data showing compromise rate metrics against a target of 10% or less. They will review LMS completion reports for induction training.
Related controls
M365 capabilities that implement this control
Microsoft Defender Attack Simulation Training for phishing awareness