ISO 27001 Phishing Awareness Training Requirements
ISO/IEC 27001:2022 reorganized Annex A from 114 controls into 93, restructured them into four themes (organizational, people, physical, technological) and, most consequentially for security awareness teams, rewrote control A.7.2.2 from the 2013 edition into the simpler-but-tighter A.6.3. The transition deadline for existing certificates was 31 October 2025, so by 2026 every certified organization is operating against the 2022 edition, and surveillance audits increasingly hinge on whether the awareness program produces evidence - not just whether it exists on paper.
This post covers the controls in Annex A that touch phishing, what stage 1 and stage 2 auditors actually request and the program design that produces clean evidence with the lowest operating cost.
The control language: what A.6.3 actually says
Annex A control A.6.3 reads: "Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function."
Three words drive auditor expectations: appropriate, regular, and relevant. Each is doing real work.
- Appropriate means the training matches the role. Generic content for everyone is observation territory; differentiated content for executives, finance, IT and general staff is a clean pass.
- Regular means the program does not stop after onboarding. The standard itself sets no frequency, so the cadence you commit to in policy becomes the measure. In practice quarterly touchpoints (simulations and short updates count, not only full courses) are the floor auditors expect; annual-only programs draw observations.
- Relevant means the content reflects current threats. ISO/IEC 27002:2022 guidance for 6.3 expects the program to be updated regularly, and auditors read that as coverage of what is actually hitting inboxes now: AI-generated phishing, smishing, vishing and QR-code phishing.
Supporting controls auditors will reference
While A.6.3 is the primary anchor, several adjacent controls touch phishing:
- A.5.1 - Policies for information security. The awareness policy lives here.
- A.5.4 - Management responsibilities. Management must require personnel to apply the policy and visibly back the program; an awareness policy with no management approval (A.5.1 requires it) is a finding.
- A.5.10 - Acceptable use of information and other associated assets. Phishing training reinforces acceptable-use rules.
- A.5.24, A.5.25, A.5.26, A.5.27 - Information security incident management (planning, assessment, response, learning from incidents). The phishing reporting workflow is continuous evidence the incident process is exercised.
- A.6.8 - Information security event reporting. The report-a-phish channel and its reporting rate are the most direct evidence this control is operating.
- A.6.2 - Terms and conditions of employment. Acknowledgment that personnel will complete required training.
- A.6.6 - Confidentiality or non-disclosure agreements. Reinforced in awareness training.
What stage 1 auditors check
Stage 1 is documentation-focused. Expect the auditor to review:
- The Statement of Applicability entry for A.6.3 and the adjacent controls above, including the justification for any of them marked not applicable.
- The information security awareness, education and training policy.
- The training plan (topics, audience, frequency, delivery channel).
- Risk assessment outputs that justify the program design - the threats the program addresses should appear in the risk register.
- Personnel coverage scope, including contractors and third parties subject to A.5.19 through A.5.23.
The most common stage 1 finding is a policy that says one thing and a training plan that does something else - for example, "monthly phishing simulations" in policy and "annual training" in the plan. Reconcile these before stage 1.
What stage 2 auditors check
Stage 2 is where simulation evidence becomes critical. Expect requests for:
- Phishing simulation campaign reports for the past 12 months: dates, target lists, template categories, difficulty levels, click-through rates and reporting rates.
- Training completion records tied to specific personnel with timestamps.
- Evidence that users who clicked received remediation training, with completion timestamps.
- Content samples showing material is updated to reflect threats from the past 12 months.
- Records of the awareness program review - typically a written annual review per Clause 9.3 management review inputs.
- Personnel acknowledgment records.
Stage 2 findings often cluster around the gap between "the policy says we run quarterly" and a campaign log that shows a 7-month gap. Document campaigns the day they run, not at year-end.
Continual improvement under Clause 10
ISO 27001 is built around the management-system idea of continual improvement. For the phishing program that means the auditor will look for evidence the program is changing:
- Trend charts showing click-through rate over time, with annotation when notable changes occurred.
- Records of corrective actions when an incident occurred or a metric breached its threshold.
- Updates to training content reflecting new threat intelligence - AI-generated phishing, deepfake voice attempts, MFA-bypass campaigns.
- Expanded scope over time - adding SMS phishing and voice phishing simulations after starting with email-only.
A program that has run identical quarterly campaigns for three years with no content changes will draw an observation under continual improvement, even if the absolute click rate is low.
The Statement of Applicability and program scope
The Statement of Applicability is where many awareness programs go quietly off-track. Two common errors:
- A.6.3 marked applicable, but the SoA description is "annual training only." The SoA description is what the auditor tests against: understating the program means the campaign evidence no longer matches the documented control, and stating only the minimum commits you to the minimum. Describe the program you actually run, including simulation cadence.
- Excluding contractors with system access from scope. A.6.3 itself covers "relevant interested parties", and the supplier controls (A.5.19 through A.5.23) expect supplier agreements to carry security obligations for supplier personnel who touch your systems. Contractors with access to organizational systems should be in scope, and the SoA should say so.
Internal audit and management review inputs
Clauses 9.2 and 9.3 of ISO 27001 require internal audit and management review. The phishing program produces evidence for both. Internal audit reviews of the awareness program should examine campaign cadence against policy, training completion against assignment and the link from clicked simulations to remediation completion. Findings from internal audit feed into management review as a Clause 9.3 input.
Management review outputs should include decisions on program changes - frequency increases, channel additions, scope expansions - and the operational evidence of those decisions then flows back into the next campaign cycle. Programs that document this loop visibly (a written internal audit memo, a management-review minutes entry, a campaign change in the next quarter) score noticeably better at surveillance audit.
Multi-language and global workforce considerations
ISO 27001 is a global standard, and many certified organizations operate across language boundaries. Auditors increasingly ask whether awareness materials are delivered in the languages personnel actually use, particularly in EU and APAC operations. Multi-language training delivery is becoming a stage 2 evidence point in larger audits.
Risk treatment plan and the awareness program
Clause 6.1.3 of ISO 27001 requires a risk treatment plan that selects controls from Annex A - or from elsewhere - to address the risks identified in the risk assessment. Phishing should appear as an explicit risk in the assessment, with the treatment plan referencing A.6.3 alongside any technical controls (email security gateway, MFA, EDR) that address the same threat from a different angle.
A common stage 2 finding is that the risk register identifies phishing as a top risk, but the treatment plan only references technical controls and lists "training" generically. Auditors interpret this as the awareness program not being designed against a specific risk. Tightening the link between the risk register and the program design - including the campaign cadence, channel mix and difficulty levels - converts a vague reference into clean evidence.
Five-category, three-difficulty program design
A program that runs across five phishing intent categories at three difficulty levels produces noticeably stronger ISO 27001 evidence than a uniform-template approach:
- Categories: credential harvest, malware delivery, business email compromise, link-based info theft, account spoof. These map to the realistic threat scenarios identified in most risk assessments.
- Difficulty levels: easy (obvious red flags), regular (representative real-world lures), hard (well-crafted spear-phishing and whaling).
Reporting click-through rate by category and difficulty level gives the auditor a much richer view of where the human-layer risk concentrates, and demonstrates the program is not relying on softball templates to produce flattering numbers.
The clean program design
The ISO 27001 audit experience is materially smoother for organizations operating this pattern:
- Annual structured training delivered to all personnel, with role-differentiated content for executives, finance, IT and general staff.
- Monthly or quarterly phishing simulations spanning all five common attack intents and three difficulty levels.
- SMS phishing and voice phishing campaigns at least quarterly.
- Auto-assigned remediation training for users who click, with a 7-day target completion window.
- Quarterly written program report to information security committee or equivalent governance body.
- Annual program review documented as a management review input under Clause 9.3.
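The three checks an auditor does by hand across the stage 2 evidence - campaign spacing against the policy cadence, click and report rates broken out by category and difficulty, and remediation completion against the 7-day window - are easy to automate before the audit. The script below is an added example written for this article, not code from Bait & Phish or any certification body; the campaign and remediation records are constructed, and the 92-day tolerance for "quarterly" and the 7-day window are assumed policy values.

```python
"""Consistency checks over a phishing-simulation evidence set.

Added example for this article; not code from Bait & Phish or any
certification body. The log records, the 92-day quarterly tolerance and
the 7-day remediation window are all assumptions chosen to illustrate
the checks a stage 2 auditor performs by hand.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Campaign:
    run_date: date
    category: str      # one of the five intent categories used above
    difficulty: str    # easy / regular / hard
    targets: int       # recipients in the campaign
    clicked: int       # recipients who clicked the lure
    reported: int      # recipients who reported it through the phish button


@dataclass(frozen=True)
class Remediation:
    user: str
    clicked_on: date
    completed_on: Optional[date]   # None = remediation training still outstanding


# Constructed sample evidence (not real campaign data).
CAMPAIGNS: List[Campaign] = [
    Campaign(date(2025, 1, 15), "credential harvest", "easy", 200, 24, 60),
    Campaign(date(2025, 4, 10), "malware delivery", "regular", 200, 18, 72),
    # next campaign is seven months later: the gap the article warns about
    Campaign(date(2025, 11, 12), "business email compromise", "hard", 200, 30, 40),
    Campaign(date(2025, 12, 3), "credential harvest", "hard", 200, 22, 55),
]

REMEDIATIONS: List[Remediation] = [
    Remediation("u001", date(2025, 1, 15), date(2025, 1, 18)),   # inside the window
    Remediation("u002", date(2025, 1, 15), date(2025, 2, 20)),   # completed, but late
    Remediation("u003", date(2025, 4, 10), None),                # never completed
]

QUARTERLY_MAX_GAP_DAYS = 92   # assumed policy tolerance for "quarterly"
REMEDIATION_WINDOW_DAYS = 7   # assumed target from the program design
AS_OF = date(2025, 12, 31)    # evidence cut-off date for the audit period


def cadence_gaps(campaigns: List[Campaign],
                 max_gap_days: int = QUARTERLY_MAX_GAP_DAYS) -> List[Tuple[str, str, int]]:
    """Consecutive campaign pairs whose spacing exceeds the policy cadence."""
    ordered = sorted(campaigns, key=lambda c: c.run_date)
    gaps = []
    for prev, nxt in zip(ordered, ordered[1:]):
        gap = (nxt.run_date - prev.run_date).days
        if gap > max_gap_days:
            gaps.append((prev.run_date.isoformat(), nxt.run_date.isoformat(), gap))
    return gaps


def rates_by_bucket(campaigns: List[Campaign]) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Click-through and report rates per (category, difficulty) bucket."""
    totals = defaultdict(lambda: [0, 0, 0])   # targets, clicked, reported
    for c in campaigns:
        t = totals[(c.category, c.difficulty)]
        t[0] += c.targets
        t[1] += c.clicked
        t[2] += c.reported
    return {
        bucket: {"click_rate": round(clicked / targets, 3),
                 "report_rate": round(reported / targets, 3)}
        for bucket, (targets, clicked, reported) in totals.items()
    }


def remediation_exceptions(remediations: List[Remediation],
                           window_days: int = REMEDIATION_WINDOW_DAYS,
                           as_of: date = AS_OF) -> List[Tuple[str, str, int]]:
    """Users whose remediation missed the window: (user, status, days past deadline)."""
    exceptions = []
    for r in remediations:
        deadline = r.clicked_on + timedelta(days=window_days)
        if r.completed_on is None:
            if as_of > deadline:
                exceptions.append((r.user, "outstanding", (as_of - deadline).days))
        elif r.completed_on > deadline:
            exceptions.append((r.user, "late", (r.completed_on - deadline).days))
    return exceptions


if __name__ == "__main__":
    for prev, nxt, days in cadence_gaps(CAMPAIGNS):
        print(f"cadence gap: {prev} -> {nxt} ({days} days, policy max {QUARTERLY_MAX_GAP_DAYS})")
    for bucket, r in sorted(rates_by_bucket(CAMPAIGNS).items()):
        print(f"{bucket[0]:28s} {bucket[1]:8s} click {r['click_rate']:.1%} report {r['report_rate']:.1%}")
    for user, status, days in remediation_exceptions(REMEDIATIONS):
        print(f"remediation {status}: {user}, {days} days past the {REMEDIATION_WINDOW_DAYS}-day deadline")
```

Run against the constructed records it flags the 216-day gap between the April and November campaigns, reports u002 as late and u003 as still outstanding, and breaks the rates out per bucket so a low overall click rate cannot hide a high rate on hard, business-email-compromise lures. Feeding it the export from whatever simulation platform you use, with the policy values set to what your awareness policy actually says, turns the most common stage 2 findings into something you catch the day a campaign runs.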
This is the program Bait & Phish is built around, and the platform exports the artifacts in the order an ISO 27001 auditor asks for them. If you're preparing for stage 2 or an upcoming surveillance audit and want to compress the evidence-gathering timeline, a 25-user free trial lets you produce a sample report in your own environment. Pricing for full deployments is on the pricing page, and the team can walk through the SoA mapping with your ISMS lead - start at contact us.
Many ISO 27001-certified organizations also field cyber insurance renewal questions that overlap heavily with stage 2 evidence; our companion guide on what cyber insurers ask about phishing training covers the parallel evidence set.
See also: Phishing training compliance comparison across SOC 2, HIPAA, PCI DSS, NIST CSF, ISO 27001, GDPR and NIS2 - side-by-side table of clauses, expected cadence and audit posture.
This post is informational and not a substitute for guidance from a certified ISMS auditor. Specific control interpretations vary by certification body and audit team.
Related compliance guides
- Federal / FedRAMP requirements
- SOC 2 phishing simulation requirements
- NIST CSF 2.0 mapping
- HHS 405(d) HICP (healthcare voluntary)
- NYDFS Part 500 (NY finserv)
- FFIEC banking compliance
- NIS2 directive requirements
- HITRUST CSF for healthcare
- PCI DSS 4.0 phishing training
- CMMC for DoD suppliers
- HIPAA security awareness training
- GDPR Article 32 compliance