People | Preventive | Protect | High Priority

A.6.3 Information Security Awareness, Education and Training

M365 Admin Path: Microsoft Defender portal > Email & collaboration > Attack simulation training

Evidence Source: Microsoft Graph (MDO Attack Simulation, Entra ToU, CA)

What is A.6.3 Information Security Awareness, Education and Training?

ISO 27001 control A.6.3 Information Security Awareness, Education and Training ensures that all personnel, contractors, and relevant third parties take part in a continuous information security and privacy awareness programme. The programme combines mandatory induction training, monthly education, role-based specialist training, simulated phishing exercises with automated remediation, and formal attestation of policy packs, delivered through Microsoft Defender Attack Simulation Training.

How to implement A.6.3 in Microsoft 365

Establish a mandatory induction training programme

Establish a mandatory induction training programme delivered through an external LMS and make completion a condition of full system access, using a Limited Access Conditional Access policy that blocks access until the training is complete. Configure Microsoft Defender for Office 365 Attack Simulation Training campaigns that target all personnel and use multiple attack techniques.

Set up simulation automations for just-in-time training

Set up simulation automations that assign targeted just-in-time training to users who fall for a simulation. Create dynamic groups based on job function (Privileged Users, Developers, Finance, HR) so that each role receives role-specific training.

Require Terms of Use acceptance through Conditional Access

Implement Conditional Access policies that require Terms of Use acceptance as the attestation for specialist training.

What an auditor checks for A.6.3

  • Auditors will verify evidence of attack simulation campaigns with configuration details and multiple attack techniques.
  • They will check simulation automation rules for assigning remedial training to compromised users.
  • Auditors will review Policy Pack Terms of Use policies with Conditional Access enforcement.
  • They will verify role-based dynamic groups with conditional access policies requiring training attestation.
  • Auditors will check simulation summary data showing compromise rate metrics, with a target of 10% or less.
  • They will review LMS completion reports for induction training.
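The two checks above that lend themselves to automation are the compromise rate target (10% or less per campaign) and the rule that every compromised user must have remedial training assigned and completed. The script below is an added illustration, not part of this page or of the Audit Agent: it evaluates a constructed set of campaign results against those two targets and lists repeat clickers who should be prioritised for just-in-time training. The record layout (upn, compromised, trainingStatus) is an assumption chosen for the example, not the Microsoft Graph schema.

```python
"""Evaluate phishing-simulation results against the A.6.3 auditor checks.
Constructed example data; record field names are assumptions, not a Graph schema."""
from __future__ import annotations
from dataclasses import dataclass, field

COMPROMISE_RATE_TARGET = 0.10  # "10% or less" from the auditor checklist

def _quiet_users(n: int) -> list[dict]:
    # Users who received the lure but did not fall for it (constructed).
    return [{"upn": f"user{i}@contoso.example", "compromised": False,
             "trainingStatus": "notAssigned"} for i in range(n)]

# Constructed sample: two campaigns, ten targeted users each.
SAMPLE_RESULTS: dict[str, list[dict]] = {
    "Credential harvest (Jan)": [
        {"upn": "alice@contoso.example", "compromised": True, "trainingStatus": "completed"},
        {"upn": "bob@contoso.example", "compromised": True, "trainingStatus": "overdue"},
        {"upn": "carol@contoso.example", "compromised": True, "trainingStatus": "completed"},
    ] + _quiet_users(7),
    "QR code lure (Feb)": [
        {"upn": "bob@contoso.example", "compromised": True, "trainingStatus": "completed"},
    ] + _quiet_users(9),
}

@dataclass
class CampaignSummary:
    name: str
    targeted: int
    compromised: int
    rate: float
    meets_target: bool
    training_gaps: list[str] = field(default_factory=list)  # compromised, training not completed

def summarise(name: str, users: list[dict]) -> CampaignSummary:
    """Compromise rate plus the list of compromised users whose remediation is outstanding."""
    fell = [u for u in users if u["compromised"]]
    rate = len(fell) / len(users) if users else 0.0
    gaps = sorted(u["upn"] for u in fell if u.get("trainingStatus") != "completed")
    return CampaignSummary(name, len(users), len(fell), rate, rate <= COMPROMISE_RATE_TARGET, gaps)

def evaluate(results: dict[str, list[dict]]) -> dict[str, CampaignSummary]:
    return {name: summarise(name, users) for name, users in results.items()}

def repeat_clickers(results: dict[str, list[dict]], min_count: int = 2) -> list[str]:
    """Users compromised in at least min_count campaigns: candidates for targeted training."""
    counts: dict[str, int] = {}
    for users in results.values():
        for u in users:
            if u["compromised"]:
                counts[u["upn"]] = counts.get(u["upn"], 0) + 1
    return sorted(upn for upn, n in counts.items() if n >= min_count)

if __name__ == "__main__":
    for s in evaluate(SAMPLE_RESULTS).values():
        print(f"{s.name}: {s.rate:.0%} compromised, target met={s.meets_target}, gaps={s.training_gaps}")
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
```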

What your auditor expects for A.6.3

  • security awareness training programme including attack simulation campaigns
  • ToU policy pack enforcement
  • specialist training CA policies
  • compromise rate metrics

See how your organisation scores against A.6.3 and all 93 ISO 27001 controls.


M365 capabilities that implement this control

CyberAware Security Awareness Platform Foundation

Branded CyberAware platform with 80+ animated videos dramatising real-world cyber events, 100+ phishing templates updated for current threats, auto-enrolment across all tenants, branded 'You've Been Phished' contextual training pages, human risk scoring with visual graphs, gamified leaderboards, and exportable branded PDF reports. Average 80% risk reduction from baseline within 8 months.

Attack Simulation Training Endpoint

Phishing simulations delivered directly to user mailboxes via Microsoft Defender for Office 365 Plan 2 — credential harvesting, malware attachments, and QR code lures that mirror real attacker tactics. Automated remedial training triggers on failure. Results integrate with Defender XDR alongside real threat data, giving a unified view of simulated and actual phishing resilience.

Awareness Register & Compliance Evidence Endpoint

Automated awareness tracking in the Audit Agent — per-learner completion (due, completed, overdue, failed), risk scoring with trend analysis (improving/worsening/stable), engagement flags (never engaged, low, good), campaign history, and overdue alerts. Cross-references CyberAware data via UPN matching. Feeds directly into ISO 27001 A.6.3 evidence — when the auditor asks, the register is already there.

Training Register & Capability Mapping Endpoint

Tracks professional development across the team in the Audit Agent — Microsoft certifications (AZ-500, SC-300, MS-700), vendor qualifications, and capability coverage mapping for workloads including Exchange, Intune, Sentinel, and Purview. Monitors training plans with target completion dates and flags single-point-of-failure risks where only one individual holds certification for a capability. Feeds into ISO 27001 A.6.3 and A.6.6 evidence alongside the awareness data.