# ISO 27001 Awareness and Training Plan

> Create, validate, and maintain the ISO 27001:2022 awareness and training plan per Clauses 7.2 (Competence), 7.3 (Awareness), and Annex A control A.6.3. Defines target audiences with role-based training requirements, training modules, delivery methods, annual schedule with quarterly phishing simulations, and effectiveness evaluation metrics. Validates section completeness, audience coverage, and schedule gaps. Produces a standalone audit-ready training plan document.

Tags: ISO 27001, ISMS, Training, Awareness, GRC, Compliance, Clause 7.2, Clause 7.3, A.6.3

## Example Prompts

- Create an information security awareness and training plan for our ISO 27001 ISMS
- Validate our training plan covers all employee groups and ISO 27001 requirements
- Build a training schedule with phishing simulations and effectiveness metrics
- Check that our awareness training plan has all required sections for audit
- Draft a role-based training program for ISO 27001 compliance

URL: https://rakenne.app/skills/iso27001-awareness-training-plan/index.md

Try this skill: https://rakenne.app/a/?skill=iso27001-awareness-training-plan

## Overview

Create, validate, and maintain the ISO 27001:2022 awareness and training plan — a standalone audit artifact required by Clauses 7.2 (Competence), 7.3 (Awareness), and Annex A control A.6.3. The plan documents how the organization ensures all personnel are competent to perform their roles, aware of the ISMS, and receive appropriate role-based training.

Auditors specifically verify: documented competence needs per role, evidence of training delivery and completion, effectiveness evaluation (not just attendance), and coverage of all personnel groups including contractors and new hires.

For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the [**ISO 27001 ISMS workspace tutorial**](/learn/tutorials/iso27001-isms-workspace-guide/).

### What It Covers

- **Target audience mapping** — defines 6 employee groups (all staff, new hires, IT/development, managers, contractors, incident response team) with training type, frequency, and competence evidence per group
- **12 training modules** — IS policy overview, acceptable use, phishing/social engineering, incident reporting, physical security, password management, secure development, access control, risk management, onboarding, third-party requirements, and incident response procedures
- **Annual schedule** — quarterly phishing simulations, annual general awareness, role-specific training distributed across the year, onboarding as ongoing, and policy-change triggered refreshers
- **Effectiveness evaluation** — post-training knowledge checks, phishing click rates, completion rates, feedback surveys, incident trend analysis, and competence assessments with specific targets
- **Non-conformance implications** — explicit coverage of Clause 7.3(c) disciplinary consequences, linking to the organization's A.6.4 disciplinary process
- **Records and evidence** — per-individual training records, assessment scores, and certificates as documented information per Clause 7.5

## Example Conversation

> **You:** Create an information security awareness and training plan for our ISO 27001 ISMS. We're a 150-person fintech company with engineering, product, legal, sales, and customer support departments.
>
> **Agent:** I'll help you build the awareness and training plan per Clauses 7.2, 7.3, and A.6.3. Let me gather some context first.
>
> Do you have an organization profile from the ISMS scope skill? Also:
> 1. Do you currently have any training programs or an LMS platform?
> 2. Is this a first-time plan or an annual update?
> 3. Do you have contractors or third parties with access to your systems?
>
> **You:** We use Google Workspace and have a basic LMS (Lessonly). This is our first plan — we're preparing for Stage 1 audit. We have 5 contractors with system access.
>
> **Agent:** Loading your organization profile... I'll now map your employee groups to training requirements. Based on your structure, here are the 6 audience groups:
>
> | Employee Group | Training Type | Frequency | Competence Evidence |
> |---------------|--------------|-----------|-------------------|
> | All Staff (150) | General Security Awareness | Annually + on hire | Quiz score >= 80% |
> | New Employees | Security Onboarding | Within first week | Completion certificate |
> | Engineering (40) | Secure Development and Operations | Annually | Assessment + practical exercise |
> | Managers / Leads (15) | Risk and Compliance Oversight | Annually | Quiz score >= 80% |
> | Contractors (5) | Security Policy Briefing | On engagement start | Signed acknowledgement |
> | Incident Response Team (6) | Incident Handling Procedures | Semi-annually | Tabletop exercise completion report |
>
> I've designed 12 training modules tailored to your fintech context — covering OWASP for engineering, PCI-related awareness for customer support, and phishing simulations via Lessonly. Here's the annual schedule across all 4 quarters...
>
> I've drafted the complete plan. Let me now validate it with all three tools.
>
> Running `training_plan_completeness_checker`...
>
> **Result: 11/11 sections covered, 0 missing**
>
> | Section | Status |
> |---------|--------|
> | Objective | PASS |
> | Scope | PASS |
> | Roles and Responsibilities | PASS |
> | Target Audience | PASS |
> | Training Modules | PASS |
> | Delivery Methods | PASS |
> | Training Schedule | PASS |
> | Effectiveness Evaluation | PASS |
> | Non-conformance Implications | PASS |
> | Training Records and Evidence | PASS |
> | Plan Review and Maintenance | PASS |
>
> Running `audience_coverage_validator`...
>
> **Result: 6/6 audience groups covered with frequency**
>
> Running `schedule_gap_detector`...
>
> **Result: All checks passed**
> - Annual general awareness training: PASS
> - Quarterly phishing simulations (4 entries): PASS
> - Onboarding for new hires: PASS
> - Trainers assigned to sessions: PASS
> - Multi-quarter distribution: PASS
> - Effectiveness metrics referenced: PASS
> - Policy change trigger defined: PASS
>
> Your plan is complete and audit-ready. I've written it to `output/Awareness-Training-Plan.md`.

## Sample Output Excerpt

Below is a representative excerpt from a generated awareness and training plan showing the target audience, training modules, schedule, and effectiveness evaluation sections.

---

## 4. Target Audience and Training Requirements

| Employee Group | Training Type | Frequency | Competence Evidence |
|---------------|--------------|-----------|-------------------|
| All Staff | General Security Awareness | Annually + on hire | Quiz score >= 80% |
| New Employees | Security Onboarding | Within first week | Completion certificate |
| IT / Development | Secure Development and Operations | Annually | Assessment + practical exercise |
| Managers / Supervisors | Risk and Compliance Oversight | Annually | Quiz score >= 80% |
| Contractors / Third Parties | Security Policy Briefing | On engagement start | Signed acknowledgement |
| Incident Response Team | Incident Handling Procedures | Semi-annually | Tabletop exercise completion report (signed by facilitator) |

## 5. Training Modules

| Module ID | Module | Description | Target Group | Delivery Method | Duration |
|-----------|--------|-------------|-------------|----------------|----------|
| MOD-01 | Information Security Policy Overview | IS policy, scope, objectives, roles | All Staff | E-learning | 45 min |
| MOD-02 | Acceptable Use and Data Classification | Acceptable use rules, classification levels, handling procedures | All Staff | E-learning | 30 min |
| MOD-03 | Phishing and Social Engineering | Recognizing phishing, social engineering tactics, reporting procedures | All Staff | E-learning + Simulation | 30 min |
| MOD-04 | Incident Reporting | How to identify and report security incidents, escalation paths | All Staff | E-learning | 20 min |
| MOD-05 | Physical Security Awareness | Access controls, visitor management, clean desk, secure disposal | All Staff | E-learning | 20 min |
| MOD-06 | Password Management and Credential Hygiene | Password policies, MFA, credential sharing risks, password manager use | All Staff | E-learning | 20 min |
| MOD-07 | Secure Development Practices | OWASP Top 10, secure coding, code review, vulnerability management | IT / Development | Instructor-led | 2 hours |
| MOD-08 | Access Control and Privilege Management | Least privilege, access reviews, MFA enforcement, privileged account security | IT / Development | E-learning | 30 min |
| MOD-09 | Risk Management for Managers | Risk assessment process, risk appetite, treatment decisions, oversight | Managers | Instructor-led | 1 hour |
| MOD-10 | Security Onboarding | Policies, acceptable use, incident reporting, physical security, non-compliance consequences (Clause 7.3c) | New Employees | Instructor-led | 1.5 hours |
| MOD-11 | Third-Party Security Requirements | Applicable policies, data handling, incident reporting obligations | Contractors | E-learning / Briefing | 30 min |
| MOD-12 | Incident Response Procedures | Incident handling, escalation, post-incident review | Incident Response Team | Instructor-led + Tabletop | 2 hours |

## 7. Training Schedule

| Quarter | Session | Target Group | Duration | Delivery Method | Trainer / Owner |
|---------|---------|-------------|----------|----------------|-----------------|
| Q1 | General Security Awareness (annual) | All Staff | 45 min | E-learning | Security Officer |
| Q1 | Phishing Simulation #1 | All Staff | — | Simulation | IT Security |
| Q2 | Secure Development Practices | IT / Development | 2 hours | Instructor-led | External trainer / CISO |
| Q2 | Risk Management for Managers | Managers | 1 hour | Instructor-led | Security Officer |
| Q2 | Phishing Simulation #2 | All Staff | — | Simulation | IT Security |
| Q3 | Incident Response Tabletop | IR Team | 2 hours | Tabletop exercise | Security Officer |
| Q3 | Phishing Simulation #3 | All Staff | — | Simulation | IT Security |
| Q4 | Policy Refresher (scheduled) | All Staff | 30 min | E-learning / Webinar | Security Officer |
| Q4 | Phishing Simulation #4 | All Staff | — | Simulation | IT Security |
| Ongoing | Security Onboarding | New Employees | 1.5 hours | Instructor-led | HR + Security Officer |
| Ongoing | Third-Party Briefing | Contractors | 30 min | E-learning / Briefing | Security Officer |

## 8. Effectiveness Evaluation

| Method | What It Measures | Target | Frequency |
|--------|-----------------|--------|-----------|
| Post-training knowledge checks | Comprehension of training content | >= 80% pass rate | After each module |
| Phishing simulation click rate | Real-world susceptibility to phishing | < 5% click rate | Quarterly |
| Training completion rate | Percentage of staff who completed required training | >= 95% within deadline | Tracked continuously |
| Feedback surveys | Training quality, relevance, suggestions for improvement | >= 4.0/5.0 average rating | After each session |
| Incident trend analysis | Whether training correlates with fewer user-caused incidents | Downward trend year-over-year | Annually |
| Competence assessments | Role-specific competence validation | All roles assessed | Annually |

---

## Extension Tools

### `training_plan_completeness_checker`

Validates the training plan document against ISO 27001:2022 Clauses 7.2, 7.3, and A.6.3 required sections. Checks for 11 mandatory sections:

| # | Required Section | Clause Reference | Severity if Missing |
|---|-----------------|-----------------|:-------------------:|
| 1 | Objective / Purpose | A.6.3 | ERROR |
| 2 | Scope | A.6.3 | ERROR |
| 3 | Roles and Responsibilities | 7.2 | ERROR |
| 4 | Target Audience / Training Requirements | 7.2(a) | ERROR |
| 5 | Training Modules | A.6.3 | ERROR |
| 6 | Delivery Methods | A.6.3 | ERROR |
| 7 | Training Schedule | A.6.3 | ERROR |
| 8 | Effectiveness Evaluation | 7.2(c) | ERROR |
| 9 | Non-conformance Implications | 7.3(c) | ERROR |
| 10 | Training Records and Evidence | 7.2(d), 7.5 | ERROR |
| 11 | Plan Review and Maintenance | A.6.3 | ERROR |

Sections present but with insufficient content (below minimum character threshold) are marked WARNING.

### `audience_coverage_validator`

Validates that the training plan covers all required employee groups with training type and frequency defined:

| # | Required Audience Group | Severity if Missing |
|---|------------------------|:-------------------:|
| 1 | All Staff / All Employees | ERROR |
| 2 | New Employees / Onboarding | ERROR |
| 3 | IT / Development / Technical Staff | ERROR |
| 4 | Managers / Supervisors / Leadership | ERROR |
| 5 | Contractors / Third Parties / External | ERROR |
| 6 | Incident Response Team | ERROR |

Groups mentioned without a training frequency specified are marked WARNING. Each group's patterns support both English and Portuguese (pt-BR).

### `schedule_gap_detector`

Validates the training schedule for year-round coverage across 7 checks:

| # | Schedule Check | Severity if Failing |
|---|---------------|:-------------------:|
| 1 | Annual general security awareness training | ERROR |
| 2 | Quarterly phishing simulations (4+ schedule entries) | ERROR (< 2) / WARNING (2-3) |
| 3 | Onboarding training for new hires | ERROR |
| 4 | Trainer / owner assigned to sessions | ERROR (none) / WARNING (partial) |
| 5 | Training distributed across multiple quarters | ERROR (1 quarter) / WARNING (2 quarters) |
| 6 | Effectiveness evaluation methods referenced | WARNING |
| 7 | Policy change trigger for out-of-cycle training (ISO 27002:2022 S.6.3) | WARNING |

The phishing simulation check counts only schedule table rows (not module descriptions) to avoid false positives.
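As an added illustration (not the skill's own code), the checks that depend only on schedule table rows can be expressed in a few dozen lines of Python: parse the `Quarter` table, then apply the severity tiers listed above. The sample plan fragment is constructed here and is deliberately incomplete (two phishing runs, one session without an owner), and a module table mentioning "Phishing Simulation" is included to show it is not counted.

```python
import re
# Constructed sample plan fragment (same table layout as the excerpt above), incomplete on purpose.
SAMPLE_PLAN = """\
| Module ID | Module | Target Group |
|-----------|--------|--------------|
| MOD-03 | Phishing Simulation Awareness | All Staff |

| Quarter | Session | Target Group | Duration | Delivery Method | Trainer / Owner |
|---------|---------|-------------|----------|----------------|-----------------|
| Q1 | General Security Awareness (annual) | All Staff | 45 min | E-learning | Security Officer |
| Q1 | Phishing Simulation #1 | All Staff | - | Simulation | IT Security |
| Q2 | Phishing Simulation #2 | All Staff | - | Simulation | IT Security |
| Q3 | Incident Response Tabletop | IR Team | 2 hours | Tabletop exercise | |
| Ongoing | Security Onboarding | New Employees | 1.5 hours | Instructor-led | HR + Security Officer |
"""

def parse_schedule_rows(markdown):
    """Data rows of the table whose first header cell is 'Quarter'; other tables and prose are ignored."""
    rows, in_schedule = [], False
    for line in markdown.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            in_schedule = False  # a non-table line ends the current table
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0].lower() == "quarter":
            in_schedule = True
        elif in_schedule and len(cells) >= 2 and not re.fullmatch(r"[-: ]*", cells[0]):
            rows.append(cells)  # the |---| separator row is skipped by the regex above
    return rows

def tiered(count, error_below, warn_below):
    """Severity tiers as the tool describes them: ERROR below one bound, WARNING below the next."""
    if count < error_below:
        return "ERROR"
    return "WARNING" if count < warn_below else "PASS"

def schedule_gap_findings(markdown):
    """Run the four checks that depend only on schedule table rows (not module descriptions)."""
    rows = parse_schedule_rows(markdown)
    sessions = [r[1].lower() for r in rows]
    phishing = sum("phishing simulation" in s for s in sessions)
    owners = sum(1 for r in rows if len(r) > 5 and r[5])
    quarters = {r[0].upper() for r in rows if re.fullmatch(r"Q[1-4]", r[0].upper())}
    return {
        "annual_general_awareness": "PASS" if any("general security awareness" in s for s in sessions) else "ERROR",
        "quarterly_phishing": tiered(phishing, 2, 4),  # ERROR (<2) / WARNING (2-3) / PASS (4+)
        "trainer_assigned": "ERROR" if owners == 0 else ("WARNING" if owners < len(rows) else "PASS"),
        "multi_quarter": tiered(len(quarters), 2, 3),  # ERROR (1 quarter) / WARNING (2) / PASS (3+)
    }
```

Running `schedule_gap_findings(SAMPLE_PLAN)` flags the two gaps an auditor would ask about (phishing frequency and the unowned tabletop session) while the module-table mention of phishing does not inflate the count.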

## Getting Started

Activate the *ISO 27001 Awareness and Training Plan* skill. For best results, complete the **Organization Profile** skill first — it provides the organizational context (industry, size, departments, regulations) that the training plan is tailored to.

Have this information ready:

- **Employee groups** — departments, headcount per group, and any contractors or third parties with system access
- **Existing training** — current training programs, LMS platform (if any), and delivery preferences
- **Maturity level** — first-time plan or annual update? Any previous training records?
- **ISMS policies** — existing information security policy, acceptable use policy, and incident management procedure (the training plan references these)
- **Compliance context** — industry-specific requirements (e.g., PCI DSS for payments, HIPAA for health) that may require additional training topics

The agent guides you through a 7-step workflow: gather organizational context, define target audiences and competence requirements, design training modules, build the annual schedule, define effectiveness evaluation, validate with all three tools, and cross-reference with other ISMS documents.

The plan satisfies ISO 27001:2022 Clauses 7.2 (Competence), 7.3 (Awareness), and Annex A control A.6.3 (Information security awareness, education and training).

---

Back to [Skill Library](https://rakenne.app/skills/index.md)
