Vigil

Compliance · ISO 27001

ISO 27001 A.6.3 awareness training, phishing simulation and evidence.

Vigil covers the awareness, education and training expectations of ISO/IEC 27001:2022 Annex A.6.3, phishing simulation against current AI-era threats, role-based training, and the audit-ready evidence your assessor signs off on. Setup in 30 minutes.

Where Vigil fits in an ISO 27001 ISMS

ISO 27001:2022 reference | Expectation | Vigil coverage
A.6.3 Awareness, education and training | Ongoing programme, role-based, measured for effectiveness. | Full coverage: content, delivery, measurement, evidence.
A.5.10 Acceptable use | Awareness of acceptable-use policies. | Policy-attestation module + just-in-time nudges.
A.5.7 Threat intelligence | Awareness of evolving threats. | AI-era attack content updated continuously (deepfake, vishing).
A.5.24 Incident planning | Staff know how to report incidents. | Reporting training + 1-click "Report Phishing" button training.
A.6.4 Disciplinary process | Awareness of consequences. | Out of scope. HR/policy domain. Vigil supplies the awareness signal.
Clause 9.1 Monitoring & evaluation | Measure ISMS performance. | Continuous human-risk score + trended dashboard.

ISO 27001 evidence Vigil produces

  • Per-employee training register, attributable and date-stamped (A.6.3).
  • Phishing-simulation campaign results with click/report/training-completion metrics.
  • Content update log showing the awareness programme tracks current threats (A.5.7).
  • Effectiveness measurement: improvement trend per role / department (Clause 9.1).
  • Auditor portal: read-only, time-boxed self-serve access for the assessor.
  • CSV exports compatible with Vanta, Drata, Secureframe, Tugboat Logic.

ISO 27001 + Vigil, common questions

Which ISO 27001 control covers security awareness training?

In ISO/IEC 27001:2022 the relevant Annex A control is A.6.3 (Information security awareness, education and training). The corresponding ISO 27002:2022 guidance describes ongoing awareness programmes, role-based training, and verification that the programme is effective. The 2013 version of the standard referred to this as A.7.2.2; many older audit reports still use that reference.

Does ISO 27001 require phishing simulation specifically?

ISO 27001 is risk-based, not control-prescriptive. It doesn't name phishing simulation explicitly, but it does require the awareness programme to address the actual threats the organisation faces, and phishing is the most-cited initial-access vector in every credible threat report. Most ISO 27001 auditors expect to see phishing simulation as part of a defensible awareness programme.

What evidence does an ISO 27001 audit want for A.6.3?

Auditors typically ask for: (1) the awareness programme plan and content list, (2) records of training delivery and completion per employee, (3) evidence the content is updated as threats evolve, (4) evidence the programme is measured for effectiveness. Vigil produces all four as one PDF or via the auditor portal.

Will Vigil's evidence pack satisfy a Stage 1 / Stage 2 audit?

For the awareness, training and human-risk elements of A.6.3, yes. Vigil's pack contains the per-employee register, simulation results, content update log, and effectiveness metrics auditors expect. We do not replace your ISMS documentation, risk register, or technical-control evidence.

Does Vigil work alongside our ISMS / GRC tool?

Yes. Vigil exports CSV and PDF artefacts that drop into Vanta, Drata, Secureframe, OneTrust, ServiceNow GRC, or any platform that consumes evidence artefacts. We also support a direct API for evidence ingest on Enterprise plans.

Does this map to ISO 27001:2022 transition timelines?

Yes. The 2022 standard introduced 11 new controls and reorganised the Annex A clauses; A.6.3 absorbed the old A.7.2.2 awareness language. Vigil's framework mapping uses the 2022 references with 2013 cross-references included so audits in transition can use either.

A.6.3 evidence, ready before your Stage 2 audit.

30-day free trial. No credit card. ISO 27001-ready evidence pack on day 1.