What the auditor wants to verify
Audit objective
Verify that people receive appropriate awareness, education, training, and updates for their role before they need to apply the requirement.
The auditor wants evidence that training is role-relevant, current, recorded, repeated where needed, and improved based on effectiveness feedback.
Evidence to request
| Evidence | Purpose |
|---|---|
| Awareness and training policy | Shows training expectations are defined |
| Role-based training matrix | Shows training is matched to job function |
| Training plan or calendar | Shows training is planned and repeated |
| Induction records | Shows baseline training was delivered before work/access |
| Specialist training records | Shows higher-risk roles receive deeper training |
| Training content and version history | Shows material is current and aligned to policies |
| Assessment or test results | Shows understanding was checked |
| Contractor or third-party training records | Shows non-employees are included where relevant |
| Trainer or supplier approval records | Shows provider suitability was assessed |
| Effectiveness review records | Shows the program is reviewed and improved |
| Incident or audit finding training updates | Shows lessons learned feed awareness content |
Strong evidence
Strong evidence test
Prefer sampled records that connect person, role, required training, completion date, content version, and result.
- Training covers employees, contractors, third-party users, and relevant interested parties in scope.
- Role-based matrix defines baseline and supplementary training.
- Training is completed before access or before the relevant work is performed.
- Content aligns with current policies, topic-specific policies, and procedures.
- Individual records show completion, scope, date, provider, and assessment where applicable.
- Effectiveness is measured using tests, feedback, exercises, incidents, and audit findings.
- Training is refreshed after policy, threat, incident, system, or role changes.
- Claimed prior experience or qualifications are verified where used in place of training.
Weak evidence
Weak evidence warning
Weak evidence proves activity happened, but not that people received suitable training for their responsibilities.
- Generic annual training only.
- Attendance list without content, version, date, or role mapping.
- Contractors and third-party users omitted.
- No specialist training for administrators, managers, or security-relevant roles.
- Training delivered after access was granted.
- No assessment or effectiveness review.
- Outdated training material.
- CV claims accepted as competence evidence without verification.
Sample interview questions
Ask personnel
- What information security policy or procedure topics apply to your role?
- How do you report a security incident or weakness?
- What training did you receive before you started using the system or handling information?
- What changed in your training after your role or access changed?
Ask HR or training owners
- How do you decide which training each role requires?
- How do you track induction, refresher, and specialist training?
- How do contractors and third-party users receive training?
- How is training material updated after policy changes, incidents, or emerging threats?
Ask managers or control owners
- How do you know your team completed required training before access?
- What specialist training is required for privileged or security-sensitive roles?
- How do training metrics influence corrective actions or management review?
Common nonconformities
- No role-based training matrix.
- Training not completed before access or work begins.
- Contractors and third-party users excluded without justification.
- Training content not aligned to current policies and procedures.
- No supplementary training for specialist roles.
- No effectiveness metrics or review.
- Training records incomplete or not individual-specific.
- Equivalent experience accepted without verification.
Related notes
- Iso27001
- ISO27002
- Audit
- Evidence
- A6 3
Note Metadata
Aliases: A.6.3 Evidence
Source: 04 Audit Evidence Packs/A.6.3 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- ISO 27001 A.5.27 - Learning from Information Security Incidents
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
- Audit Evidence MOC
- AQ-ISO27001-A.6.3 Information Security Awareness, Education and Training
- A.6 People Controls Audit Guide
- ISO27001-A.6.3 Information Security Awareness, Education and Training
- A.6.3 Audit Checklist
- Role-Based Security Training Matrix
- Security Awareness and Training Plan
- Security Training Record
- Audit Evidence Index