Memory cue
A.6.3 Information Security Awareness Education and Training asks whether the right people receive the right security knowledge at the right time, with updates when things change.
What the exam is likely testing
- Awareness, education, and training are related but not identical.
- Training must be appropriate to job function and security responsibility.
- Baseline induction is expected for all relevant personnel.
- Contractors, third-party users, and relevant interested parties may be in scope.
- Specialist roles need supplementary training.
- Training should be repeated and updated when threats, policies, procedures, roles, or systems change.
- Attendance alone is weak evidence without role mapping, content, timing, and effectiveness review.
Common wrong answers
| Wrong answer | Why it is wrong |
|---|---|
| Annual awareness training alone satisfies A.6.3 | The control also expects role relevance, education/training, and regular updates |
| Only employees need training | Contractors, third-party users, and relevant interested parties can be in scope |
| Attendance proves effectiveness | Effectiveness needs assessment, feedback, metrics, incidents, or other review evidence |
| Technical staff only need technical training | They still need relevant policy, procedure, and ISMS awareness |
| Prior experience always replaces training | Experience should be current, relevant, and verified |
Practical mentor takeaway
Last-day cue
A.6.3 is the bridge between written rules and actual behavior. If people do not understand the policy or role-specific procedure before using information, the control is weak.
- Iso27001
- Exam
- People controls
- Training
Note Metadata
Aliases: A.6.3 exam cues
Source: 09-Exam-Preparation/EXAM-017-Awareness-Education-and-Training.md