A.6.3 / A.7.2.2 (ISO/IEC 27001:2022 Annex A, ISO 27001)

Beyond compliance: do staff understand cyber risk well enough to make sensible day-to-day decisions?

Description

What this control does

This control evaluates whether staff possess practical cybersecurity risk awareness that enables them to make appropriate security decisions during routine work activities, beyond rote compliance with policies. It assesses whether employees understand the 'why' behind security controls and can apply risk-based judgment when encountering novel situations, suspicious communications, shadow IT requests, or data-handling scenarios not explicitly covered by procedure. Organizations typically measure this through scenario-based assessments, simulated phishing with decision points, and observation of real-world security behaviors.

Control objective

What auditing this proves

Demonstrate that staff across all roles exhibit practical understanding of cybersecurity risks sufficient to make contextually appropriate security decisions in everyday work scenarios without requiring explicit procedural guidance for every situation.

Associated risks

Risks this control addresses

  • Employees approve or execute unauthorized data transfers because they do not understand data classification sensitivity or exfiltration risks
  • Staff fall victim to social engineering attacks that deviate from standard phishing patterns because they lack understanding of attacker tactics beyond memorized warning signs
  • Workers bypass security controls or create unauthorized workarounds when facing productivity friction, not recognizing the security implications of their actions
  • Employees fail to report security incidents or suspicious activity because they cannot distinguish normal anomalies from genuine threats
  • Staff share credentials or sensitive information with external parties believing they are helping business operations without recognizing trust boundary violations
  • Workers mishandle customer or proprietary data during legitimate business processes due to insufficient understanding of confidentiality obligations and data protection principles
  • Management approves technology purchases or vendor relationships without conducting appropriate security due diligence because they lack awareness of supply chain and third-party risks

Testing procedure

How an auditor verifies this control

  1. Identify a representative sample of employees across different roles, departments, and seniority levels including technical staff, business users, and management
  2. Review records of security awareness training completion, phishing simulation results, and any documented security culture assessments conducted in the past 12 months
  3. Conduct scenario-based interviews with sampled staff presenting realistic workplace situations requiring security judgment, such as requests from unfamiliar vendors, unusual data access requests from colleagues, or technology workarounds for business needs
  4. Analyze documentation of actual security decisions made by staff, including incident reports where employees identified and escalated threats, help desk tickets involving security questions, and exception requests showing risk reasoning
  5. Review phishing simulation campaigns specifically designed to test decision-making rather than simple link-clicking, examining whether staff recognize pretexting, urgency manipulation, and authority spoofing across varied scenarios
  6. Interview security team members and line managers about observed staff behaviors when encountering ambiguous security situations, including examples of good judgment and poor decisions
  7. Examine whether staff have access to and utilize mechanisms for seeking security guidance when uncertain, such as security help channels, decision trees, or consultative support, and review logs of such inquiries
  8. Validate, through a knowledge assessment, that staff understanding extends beyond policy compliance to comprehension of the threat landscape, the organization's risk appetite, and the business rationale behind its security controls
Evidence required

  • Scenario-based assessment results showing staff responses to realistic security dilemmas
  • Phishing simulation reports with analysis of decision-making patterns beyond click rates
  • Records of security consultations or help requests demonstrating staff seeking guidance on ambiguous situations
  • Incident reports showing employee-initiated threat identification
  • Interview notes documenting the quality of risk reasoning
  • Security awareness training materials that emphasize judgment development rather than procedural compliance
  • Documentation of security culture measurement activities such as surveys or behavioral observations
Pass criteria

Staff demonstrate practical risk understanding by showing appropriate security judgment in at least 80% of tested scenario situations, with that threshold met in every sampled department and role level rather than only in aggregate; employee-initiated incident reports trend upward over the review period, read together with the share that prove to be genuine so that the rise reflects improved detection rather than a larger volume of attacks or a changed reporting channel; and interviews show that staff can articulate the security rationale behind controls beyond restating policy, across all sampled departments and role levels.
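Testing step 5 and the pass criteria above ask the assessor to read phishing-simulation and scenario-assessment results by decision, attacker tactic and population rather than by raw click rate. The Python script below is an added illustration of that reading and is not tooling from the original page: it scores each outcome as appropriate or not, computes the rate per department, per role level and per tactic, applies the 80% threshold to every sampled group rather than to the aggregate, and flags groups whose sample is too small to draw a conclusion from. The outcome labels, tactic names, the `min_sample` value and the sample records are all constructed assumptions; a real assessment would export the records from the awareness platform or from interview notes.

```python
"""Aggregate scenario-assessment and phishing-simulation outcomes per population.

Added illustration, not tooling from the original page. Outcome labels, tactic
names, min_sample and the sample records are constructed assumptions.
"""
from collections import defaultdict

# Outcomes that show appropriate judgment: the employee reported the message or
# verified the request out-of-band before acting (assumed label set).
APPROPRIATE = frozenset({"reported", "verified_out_of_band"})

# Anything else is a failed decision. "ignored" is deliberately in this set:
# not clicking is not enough, because an unreported attempt is never investigated.
INAPPROPRIATE = frozenset({"clicked", "credentials_entered", "complied", "ignored"})

# Constructed sample: one record per (employee, scenario) pair.
SAMPLE_RESULTS = [
    {"dept": "finance", "level": "staff", "tactic": "authority_spoofing", "outcome": "complied"},
    {"dept": "finance", "level": "staff", "tactic": "urgency", "outcome": "reported"},
    {"dept": "finance", "level": "manager", "tactic": "vendor_pretext", "outcome": "verified_out_of_band"},
    {"dept": "finance", "level": "staff", "tactic": "urgency", "outcome": "reported"},
    {"dept": "finance", "level": "manager", "tactic": "authority_spoofing", "outcome": "clicked"},
    {"dept": "engineering", "level": "staff", "tactic": "vendor_pretext", "outcome": "reported"},
    {"dept": "engineering", "level": "staff", "tactic": "urgency", "outcome": "reported"},
    {"dept": "engineering", "level": "staff", "tactic": "authority_spoofing", "outcome": "reported"},
    {"dept": "engineering", "level": "manager", "tactic": "shadow_it", "outcome": "verified_out_of_band"},
    {"dept": "engineering", "level": "staff", "tactic": "urgency", "outcome": "ignored"},
    {"dept": "sales", "level": "staff", "tactic": "urgency", "outcome": "reported"},
    {"dept": "sales", "level": "staff", "tactic": "authority_spoofing", "outcome": "credentials_entered"},
    {"dept": "sales", "level": "manager", "tactic": "vendor_pretext", "outcome": "reported"},
]


def judgment_rate(results, key):
    """Return {group: (appropriate, total, rate)} grouped by the given record field."""
    good = defaultdict(int)
    total = defaultdict(int)
    for rec in results:
        outcome = rec["outcome"]
        if outcome not in APPROPRIATE and outcome not in INAPPROPRIATE:
            raise ValueError(f"unknown outcome label: {outcome!r}")
        group = rec[key]
        total[group] += 1
        if outcome in APPROPRIATE:
            good[group] += 1
    return {g: (good[g], total[g], good[g] / total[g]) for g in total}


def assess(results, threshold=0.80, min_sample=5):
    """Apply the pass criterion: every sampled department and role level must reach
    the threshold. Groups with fewer than min_sample records are flagged rather than
    passed, because a rate computed from two or three scenarios says little."""
    by_dept = judgment_rate(results, "dept")
    by_level = judgment_rate(results, "level")
    by_tactic = judgment_rate(results, "tactic")

    failing = sorted(
        [f"dept:{d}" for d, (_, _, r) in by_dept.items() if r < threshold]
        + [f"level:{lvl}" for lvl, (_, _, r) in by_level.items() if r < threshold]
    )
    underpowered = sorted(
        [f"dept:{d}" for d, (_, n, _) in by_dept.items() if n < min_sample]
        + [f"level:{lvl}" for lvl, (_, n, _) in by_level.items() if n < min_sample]
    )
    # The tactic with the lowest rate is the awareness programme's next teaching priority.
    weakest_tactic = min(by_tactic, key=lambda t: by_tactic[t][2])

    return {
        "by_dept": by_dept,
        "by_level": by_level,
        "by_tactic": by_tactic,
        "failing_groups": failing,
        "underpowered_groups": underpowered,
        "weakest_tactic": weakest_tactic,
        "passes": not failing and not underpowered,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_RESULTS)
    for name in ("by_dept", "by_level", "by_tactic"):
        print(name)
        for group, (good, total, rate) in sorted(report[name].items()):
            print(f"  {group:<20} {good}/{total}  {rate:.0%}")
    print("failing groups:     ", report["failing_groups"])
    print("underpowered groups:", report["underpowered_groups"])
    print("weakest tactic:     ", report["weakest_tactic"])
    print("control passes:     ", report["passes"])
```

On the constructed sample, engineering reaches exactly 80% while finance and sales do not, managers as a role level fall below the threshold even though no single department explains it, and authority spoofing is the tactic staff handle worst; the control therefore fails despite a respectable aggregate. Counting "ignored" as a failure follows the associated risk about unreported incidents: an employee who deletes a pretext without reporting it has not exercised the judgment this control asks for.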