Overview
Create, validate, and maintain the ISO 27001:2022 awareness and training plan — a standalone audit artifact that evidences conformance with Clauses 7.2 (Competence) and 7.3 (Awareness) and Annex A control A.6.3 (Information security awareness, education and training). The plan documents how the organization determines the competence each role needs, keeps all personnel aware of the ISMS and their obligations under it, and delivers role-based training, with records to prove it.
Auditors specifically verify: documented competence needs per role, evidence of training delivery and completion, effectiveness evaluation (not just attendance), and coverage of all personnel groups including contractors and new hires.
For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the ISO 27001 ISMS workspace tutorial.
What It Covers
- Target audience mapping — defines 6 employee groups (all staff, new hires, IT/development, managers, contractors, incident response team) with training type, frequency, and competence evidence per group
- 12 training modules — IS policy overview, acceptable use, phishing/social engineering, incident reporting, physical security, password management, secure development, access control, risk management, onboarding, third-party requirements, and incident response procedures
- Annual schedule — quarterly phishing simulations, annual general awareness, role-specific training distributed across the year, onboarding as ongoing, and policy-change triggered refreshers
- Effectiveness evaluation — post-training knowledge checks, phishing click rates, completion rates, feedback surveys, incident trend analysis, and competence assessments with specific targets
- Non-conformance implications — explicit coverage of Clause 7.3(c) disciplinary consequences, linking to the organization’s A.6.4 disciplinary process
- Records and evidence — per-individual training records, assessment scores, and certificates as documented information per Clause 7.5
Example Conversation
You: Create an information security awareness and training plan for our ISO 27001 ISMS. We’re a 150-person fintech company with engineering, product, legal, sales, and customer support departments.
Agent: I’ll help you build the awareness and training plan per Clauses 7.2, 7.3, and A.6.3. Let me gather some context first.
Do you have an organization profile from the ISMS scope skill? Also:
- Do you currently have any training programs or an LMS platform?
- Is this a first-time plan or an annual update?
- Do you have contractors or third parties with access to your systems?
You: We use Google Workspace and have a basic LMS (Lessonly). This is our first plan — we’re preparing for Stage 1 audit. We have 5 contractors with system access.
Agent: Loading your organization profile… I’ll now map your employee groups to training requirements. Based on your structure, here are the 6 audience groups:
| Employee Group | Training Type | Frequency | Competence Evidence |
|---|---|---|---|
| All Staff (150) | General Security Awareness | Annually + on hire | Quiz score >= 80% |
| New Employees | Security Onboarding | Within first week | Completion certificate |
| Engineering (40) | Secure Development and Operations | Annually | Assessment + practical exercise |
| Managers / Leads (15) | Risk and Compliance Oversight | Annually | Quiz score >= 80% |
| Contractors (5) | Security Policy Briefing | On engagement start | Signed acknowledgement |
| Incident Response Team (6) | Incident Handling Procedures | Semi-annually | Tabletop exercise completion report |

I’ve designed 12 training modules tailored to your fintech context — covering OWASP for engineering, PCI-related awareness for customer support, and phishing simulations via Lessonly. Here’s the annual schedule across all 4 quarters…
I’ve drafted the complete plan. Let me now validate it with all three tools.
Running training_plan_completeness_checker… Result: 11/11 sections covered, 0 missing

| Section | Status |
|---|---|
| Objective | PASS |
| Scope | PASS |
| Roles and Responsibilities | PASS |
| Target Audience | PASS |
| Training Modules | PASS |
| Delivery Methods | PASS |
| Training Schedule | PASS |
| Effectiveness Evaluation | PASS |
| Non-conformance Implications | PASS |
| Training Records and Evidence | PASS |
| Plan Review and Maintenance | PASS |

Running audience_coverage_validator… Result: 6/6 audience groups covered with frequency

Running schedule_gap_detector… Result: All checks passed
- Annual general awareness training: PASS
- Quarterly phishing simulations (4 entries): PASS
- Onboarding for new hires: PASS
- Trainers assigned to sessions: PASS
- Multi-quarter distribution: PASS
- Effectiveness metrics referenced: PASS
- Policy change trigger defined: PASS
Your plan is complete and audit-ready. I’ve written it to output/Awareness-Training-Plan.md.
Sample Output Excerpt
Below is a representative excerpt from a generated awareness and training plan showing the target audience, training modules, schedule, and effectiveness evaluation sections.
4. Target Audience and Training Requirements
| Employee Group | Training Type | Frequency | Competence Evidence |
|---|---|---|---|
| All Staff | General Security Awareness | Annually + on hire | Quiz score >= 80% |
| New Employees | Security Onboarding | Within first week | Completion certificate |
| IT / Development | Secure Development and Operations | Annually | Assessment + practical exercise |
| Managers / Supervisors | Risk and Compliance Oversight | Annually | Quiz score >= 80% |
| Contractors / Third Parties | Security Policy Briefing | On engagement start | Signed acknowledgement |
| Incident Response Team | Incident Handling Procedures | Semi-annually | Tabletop exercise completion report (signed by facilitator) |
5. Training Modules
| Module ID | Module | Description | Target Group | Delivery Method | Duration |
|---|---|---|---|---|---|
| MOD-01 | Information Security Policy Overview | IS policy, scope, objectives, roles | All Staff | E-learning | 45 min |
| MOD-02 | Acceptable Use and Data Classification | Acceptable use rules, classification levels, handling procedures | All Staff | E-learning | 30 min |
| MOD-03 | Phishing and Social Engineering | Recognizing phishing, social engineering tactics, reporting procedures | All Staff | E-learning + Simulation | 30 min |
| MOD-04 | Incident Reporting | How to identify and report security incidents, escalation paths | All Staff | E-learning | 20 min |
| MOD-05 | Physical Security Awareness | Access controls, visitor management, clean desk, secure disposal | All Staff | E-learning | 20 min |
| MOD-06 | Password Management and Credential Hygiene | Password policies, MFA, credential sharing risks, password manager use | All Staff | E-learning | 20 min |
| MOD-07 | Secure Development Practices | OWASP Top 10, secure coding, code review, vulnerability management | IT / Development | Instructor-led | 2 hours |
| MOD-08 | Access Control and Privilege Management | Least privilege, access reviews, MFA enforcement, privileged account security | IT / Development | E-learning | 30 min |
| MOD-09 | Risk Management for Managers | Risk assessment process, risk appetite, treatment decisions, oversight | Managers | Instructor-led | 1 hour |
| MOD-10 | Security Onboarding | Policies, acceptable use, incident reporting, physical security, non-compliance consequences (Clause 7.3c) | New Employees | Instructor-led | 1.5 hours |
| MOD-11 | Third-Party Security Requirements | Applicable policies, data handling, incident reporting obligations | Contractors | E-learning / Briefing | 30 min |
| MOD-12 | Incident Response Procedures | Incident handling, escalation, post-incident review | Incident Response Team | Instructor-led + Tabletop | 2 hours |
7. Training Schedule
| Quarter | Session | Target Group | Duration | Delivery Method | Trainer / Owner |
|---|---|---|---|---|---|
| Q1 | General Security Awareness (annual) | All Staff | 45 min | E-learning | Security Officer |
| Q1 | Phishing Simulation #1 | All Staff | — | Simulation | IT Security |
| Q2 | Secure Development Practices | IT / Development | 2 hours | Instructor-led | External trainer / CISO |
| Q2 | Risk Management for Managers | Managers | 1 hour | Instructor-led | Security Officer |
| Q2 | Phishing Simulation #2 | All Staff | — | Simulation | IT Security |
| Q3 | Incident Response Tabletop | IR Team | 2 hours | Tabletop exercise | Security Officer |
| Q3 | Phishing Simulation #3 | All Staff | — | Simulation | IT Security |
| Q4 | Policy Refresher (scheduled) | All Staff | 30 min | E-learning / Webinar | Security Officer |
| Q4 | Phishing Simulation #4 | All Staff | — | Simulation | IT Security |
| Ongoing | Security Onboarding | New Employees | 1.5 hours | Instructor-led | HR + Security Officer |
| Ongoing | Third-Party Briefing | Contractors | 30 min | E-learning / Briefing | Security Officer |
8. Effectiveness Evaluation
| Method | What It Measures | Target | Frequency |
|---|---|---|---|
| Post-training knowledge checks | Comprehension of training content | >= 80% pass rate | After each module |
| Phishing simulation click rate | Real-world susceptibility to phishing | < 5% click rate | Quarterly |
| Training completion rate | Percentage of staff who completed required training | >= 95% within deadline | Tracked continuously |
| Feedback surveys | Training quality, relevance, suggestions for improvement | >= 4.0/5.0 average rating | After each session |
| Incident trend analysis | Whether training correlates with fewer user-caused incidents | Downward trend year-over-year | Annually |
| Competence assessments | Role-specific competence validation | All roles assessed | Annually |
Extension Tools
training_plan_completeness_checker
Validates the training plan document against the sections that ISO 27001:2022 Clauses 7.2 and 7.3 and Annex A control A.6.3 require it to cover. Checks for 11 mandatory sections:
| # | Required Section | Clause Reference | Severity if Missing |
|---|---|---|---|
| 1 | Objective / Purpose | A.6.3 | ERROR |
| 2 | Scope | A.6.3 | ERROR |
| 3 | Roles and Responsibilities | 7.2 | ERROR |
| 4 | Target Audience / Training Requirements | 7.2(a) | ERROR |
| 5 | Training Modules | A.6.3 | ERROR |
| 6 | Delivery Methods | A.6.3 | ERROR |
| 7 | Training Schedule | A.6.3 | ERROR |
| 8 | Effectiveness Evaluation | 7.2(c) | ERROR |
| 9 | Non-conformance Implications | 7.3(c) | ERROR |
| 10 | Training Records and Evidence | 7.2(d), 7.5 | ERROR |
| 11 | Plan Review and Maintenance | A.6.3 | ERROR |
Sections present but with insufficient content (below minimum character threshold) are marked WARNING.
audience_coverage_validator
Validates that the training plan covers all required employee groups with training type and frequency defined:
| # | Required Audience Group | Severity if Missing |
|---|---|---|
| 1 | All Staff / All Employees | ERROR |
| 2 | New Employees / Onboarding | ERROR |
| 3 | IT / Development / Technical Staff | ERROR |
| 4 | Managers / Supervisors / Leadership | ERROR |
| 5 | Contractors / Third Parties / External | ERROR |
| 6 | Incident Response Team | ERROR |
Groups mentioned without a training frequency specified are marked WARNING. Each group’s patterns support both English and Portuguese (pt-BR).
schedule_gap_detector
Validates the training schedule for year-round coverage across 7 checks:
| # | Schedule Check | Severity if Failing |
|---|---|---|
| 1 | Annual general security awareness training | ERROR |
| 2 | Quarterly phishing simulations (4+ schedule entries) | ERROR (< 2) / WARNING (2-3) |
| 3 | Onboarding training for new hires | ERROR |
| 4 | Trainer / owner assigned to sessions | ERROR (none) / WARNING (partial) |
| 5 | Training distributed across multiple quarters | ERROR (1 quarter) / WARNING (2 quarters) |
| 6 | Effectiveness evaluation methods referenced | WARNING |
| 7 | Policy change trigger for out-of-cycle training (ISO 27002:2022 control 6.3 guidance) | WARNING |
The phishing simulation check counts only schedule table rows (not module descriptions) to avoid false positives.
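The following is an added illustration of how the schedule_gap_detector checks above can be implemented over a Markdown plan; it is example code written for this page, not the skill's own tool. It assumes the plan uses the section headings and six-column schedule table layout of the excerpt above, and it embeds a constructed sample plan whose module table mentions "phishing simulation" in a description (which must not be counted) and whose schedule has only three simulation rows and one session with no owner, so that the WARNING thresholds are exercised rather than only the all-PASS path.

```python
import re

# Constructed sample plan (not the skill's output): a module table whose MOD-03
# row mentions "simulation", followed by a trimmed schedule table in the same
# column layout as the excerpt above, and two prose sections the later checks scan.
SAMPLE_PLAN = """\
## 5. Training Modules
| Module ID | Module | Description | Target Group | Delivery Method | Duration |
|---|---|---|---|---|---|
| MOD-03 | Phishing and Social Engineering | Quarterly phishing simulation follow-up | All Staff | E-learning + Simulation | 30 min |

## 7. Training Schedule
| Quarter | Session | Target Group | Duration | Delivery Method | Trainer / Owner |
|---|---|---|---|---|---|
| Q1 | General Security Awareness (annual) | All Staff | 45 min | E-learning | Security Officer |
| Q1 | Phishing Simulation #1 | All Staff | n/a | Simulation | IT Security |
| Q2 | Phishing Simulation #2 | All Staff | n/a | Simulation | IT Security |
| Q3 | Phishing Simulation #3 | All Staff | n/a | Simulation | |
| Ongoing | Security Onboarding | New Employees | 1.5 hours | Instructor-led | HR + Security Officer |

## 8. Effectiveness Evaluation
Phishing click rate and post-training knowledge checks are reviewed quarterly.

## 11. Plan Review and Maintenance
An out-of-cycle refresher is triggered by any information security policy change.
"""

HEADING = re.compile(r"^(#+\s|\d+\.\s)")   # "## 7. Title" or bare "7. Title"
SEPARATOR = re.compile(r"^\|\s*:?-{3,}")     # the "|---|---|" row under a table header
COLUMNS = ("quarter", "session", "target", "duration", "method", "owner")


def section_lines(md: str, title_pattern: str) -> list[str]:
    """Lines under the first heading matching title_pattern, up to the next heading."""
    out, inside = [], False
    for line in md.splitlines():
        if HEADING.match(line):
            if inside:
                break
            inside = re.search(title_pattern, line, re.I) is not None
        elif inside:
            out.append(line)
    return out


def parse_schedule_rows(md: str) -> list[dict]:
    """Data rows of the schedule table only; header, separator and prose are skipped."""
    rows = []
    for line in section_lines(md, r"training schedule"):
        line = line.strip()
        if not line.startswith("|") or SEPARATOR.match(line):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != len(COLUMNS) or cells[0].lower() == "quarter":
            continue
        rows.append(dict(zip(COLUMNS, cells)))
    return rows


def run_schedule_gap_checks(md: str) -> dict[str, tuple[str, str]]:
    """Return {check: (PASS|WARNING|ERROR, detail)} using the severity thresholds above."""
    rows = parse_schedule_rows(md)
    results = {}

    hits = [r for r in rows if re.search(r"awareness", r["session"], re.I)
            and re.search(r"all (staff|employees)", r["target"], re.I)]
    results["annual_awareness"] = ("PASS" if hits else "ERROR", f"{len(hits)} row(s)")

    # Counted from schedule rows only, so MOD-03's description does not inflate it.
    sims = sum(1 for r in rows if re.search(r"phishing\s+simulation", r["session"], re.I))
    results["phishing_simulations"] = (
        "PASS" if sims >= 4 else "WARNING" if sims >= 2 else "ERROR", f"{sims} schedule entries")

    onboard = any(re.search(r"onboarding", r["session"], re.I) for r in rows)
    results["onboarding"] = ("PASS" if onboard else "ERROR", "")

    owned = sum(1 for r in rows if r["owner"].strip("- "))
    status = "PASS" if rows and owned == len(rows) else "ERROR" if owned == 0 else "WARNING"
    results["trainer_assigned"] = (status, f"{owned}/{len(rows)} rows have an owner")

    quarters = sorted({r["quarter"].upper() for r in rows if re.fullmatch(r"Q[1-4]", r["quarter"], re.I)})
    status = "PASS" if len(quarters) >= 3 else "WARNING" if len(quarters) == 2 else "ERROR"
    results["multi_quarter"] = (status, ", ".join(quarters) or "none")

    # The last two checks scan the whole document, not just the schedule table.
    metrics = re.search(r"click rate|completion rate|knowledge check|pass rate", md, re.I)
    results["effectiveness_metrics"] = ("PASS" if metrics else "WARNING", "")
    trigger = re.search(r"policy\s+change|change[sd]?\s+(?:to|in)\s+[^.\n]*polic", md, re.I)
    results["policy_change_trigger"] = ("PASS" if trigger else "WARNING", "")
    return results


def overall_status(results: dict[str, tuple[str, str]]) -> str:
    """Worst severity across all checks; "PASS" corresponds to "All checks passed"."""
    statuses = {s for s, _ in results.values()}
    return "ERROR" if "ERROR" in statuses else "WARNING" if "WARNING" in statuses else "PASS"


if __name__ == "__main__":
    checks = run_schedule_gap_checks(SAMPLE_PLAN)
    for name, (status, detail) in checks.items():
        print(f"{status:8} {name:24} {detail}")
    print("Result:", overall_status(checks))
```

On the sample plan this reports WARNING for phishing simulations (3 entries) and for trainer assignment (4 of 5 rows owned), PASS for everything else, and an overall WARNING; adding a fourth simulation row with an owner and filling in the missing owner turns it into a clean pass. Scoping the row scan to the schedule section is what keeps the MOD-03 description from being counted as a fourth simulation, which is the false positive the note above refers to.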
Getting Started
Activate the ISO 27001 Awareness and Training Plan skill. For best results, complete the Organization Profile skill first — it provides the organizational context (industry, size, departments, regulations) that the training plan is tailored to.
Have this information ready:
- Employee groups — departments, headcount per group, and any contractors or third parties with system access
- Existing training — current training programs, LMS platform (if any), and delivery preferences
- Maturity level — first-time plan or annual update? Any previous training records?
- ISMS policies — existing information security policy, acceptable use policy, and incident management procedure (the training plan references these)
- Compliance context — industry-specific requirements (e.g., PCI DSS for payments, HIPAA for health) that may require additional training topics
The agent guides you through a 7-step workflow: gather organizational context, define target audiences and competence requirements, design training modules, build the annual schedule, define effectiveness evaluation, validate with all three tools, and cross-reference with other ISMS documents.
The plan satisfies ISO 27001:2022 Clauses 7.2 (Competence), 7.3 (Awareness), and Annex A control A.6.3 (Information security awareness, education and training).