People | Preventive | Protect | High Priority

A.6.3 Information Security Awareness, Education and Training

M365 Admin Path: Microsoft Defender portal > Email & collaboration > Attack simulation training

Evidence Source: Microsoft Graph (MDO Attack Simulation, Entra ToU, CA)

What is A.6.3 Information Security Awareness, Education and Training?

ISO 27001 control A.6.3 Information Security Awareness, Education and Training requires that all personnel, contractors, and relevant third parties take part in a continuous information security and privacy awareness programme. In Microsoft 365 the programme combines mandatory induction training, monthly education, role-based specialist training, simulated phishing exercises with automated remediation, and formal attestation of policy packs, with the simulation component delivered through Microsoft Defender Attack Simulation Training.

How to implement A.6.3 in Microsoft 365

Implement A.6.3 by establishing a mandatory induction training programme

Implement A.6.3 by establishing a mandatory induction training programme, delivered via an external LMS, as a condition of full system access: a Limited Access Conditional Access policy prevents access until the training is completed. Configure Microsoft Defender for Office 365 Attack Simulation Training campaigns that target all personnel and use multiple attack techniques.

Set up simulation automations to assign targeted just-in-time training

Set up simulation automations that assign targeted just-in-time training to users who fall for a simulation. Create dynamic groups based on job function (Privileged Users, Developers, Finance, and HR) for the roles that require role-specific training.

Implement Conditional Access policies requiring Terms of Use

Implement Conditional Access policies that require Terms of Use acceptance, so that accepting the policy pack serves as the attestation of specialist training.

What an auditor checks for A.6.3

  • Auditors will verify evidence of attack simulation campaigns with configuration details and multiple attack techniques.
  • They will check simulation automation rules for assigning remedial training to compromised users.
  • Auditors will review Policy Pack Terms of Use policies with Conditional Access enforcement.
  • They will verify role-based dynamic groups with conditional access policies requiring training attestation.
  • Auditors will check simulation summary data showing compromise rate metrics with target of 10% or less.
  • They will review LMS completion reports for induction training.
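The checks above can be scripted against the evidence the page names (Microsoft Graph). The following is an added example, not code from the page or from the product: it evaluates simulation and Conditional Access records shaped like Graph's `simulation` and `conditionalAccessPolicy` resources against the stated criteria (compromise rate of 10% or less, more than one attack technique, role groups covered by an enabled policy that grants access only after Terms of Use acceptance). All record values and group/ToU identifiers are constructed for the example.

```python
# Added example (not from the page): check A.6.3 audit criteria over Graph-shaped records.
# Field names follow Graph's simulation / conditionalAccessPolicy resources; values are constructed.

COMPROMISE_RATE_TARGET = 0.10  # auditor target stated on the page: 10% or less

# Constructed sample shaped like GET /security/attackSimulation/simulations (trimmed)
SIMULATIONS = [
    {"id": "sim-1", "displayName": "Q1 credential harvest", "status": "succeeded",
     "attackTechnique": "credentialHarvesting",
     "report": {"overview": {"simulationEventsContent": {"compromisedRate": 0.08}}}},
    {"id": "sim-2", "displayName": "Q2 attachment", "status": "succeeded",
     "attackTechnique": "attachmentMalware",
     "report": {"overview": {"simulationEventsContent": {"compromisedRate": 0.14}}}},
    {"id": "sim-3", "displayName": "Q3 drive-by (not yet run)", "status": "scheduled",
     "attackTechnique": "driveByUrl",
     "report": {"overview": {"simulationEventsContent": {"compromisedRate": 0.0}}}},
]

# Constructed sample shaped like GET /identity/conditionalAccess/policies (trimmed)
CA_POLICIES = [
    {"displayName": "Specialist training attestation", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-privileged", "grp-developers"]}},
     "grantControls": {"operator": "AND", "termsOfUse": ["tou-specialist-pack"]}},
    {"displayName": "Finance attestation (draft)", "state": "disabled",  # disabled: gives no coverage
     "conditions": {"users": {"includeGroups": ["grp-finance"]}},
     "grantControls": {"operator": "AND", "termsOfUse": ["tou-specialist-pack"]}},
]


def compromise_rate(sim):
    return sim["report"]["overview"]["simulationEventsContent"]["compromisedRate"]


def simulations_over_target(sims, target=COMPROMISE_RATE_TARGET):
    """IDs of completed simulations whose compromise rate exceeds the target."""
    return [s["id"] for s in sims if s["status"] == "succeeded" and compromise_rate(s) > target]


def attack_techniques(sims):
    """Distinct techniques used by completed simulations; auditors look for more than one."""
    return sorted({s["attackTechnique"] for s in sims if s["status"] == "succeeded"})


def groups_without_tou_enforcement(policies, role_groups):
    """Role groups not targeted by an enabled CA policy whose grant requires Terms of Use."""
    covered = set()
    for p in policies:
        if p["state"] != "enabled" or not p.get("grantControls", {}).get("termsOfUse"):
            continue
        covered.update(p["conditions"]["users"]["includeGroups"])
    return sorted(set(role_groups) - covered)
```

Pointing these functions at real `Invoke-MgGraphRequest`/SDK output instead of the constructed lists gives the compromise-rate, technique-diversity and ToU-coverage findings an auditor asks for.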

What your auditor expects for A.6.3

  • security awareness training programme including attack simulation campaigns
  • ToU policy pack enforcement
  • specialist training CA policies
  • compromise rate metrics

Evidence we surface for A.6.3

Awareness and training evidence for A.6.3 includes Microsoft Defender for Office 365 attack-simulation campaigns (with metrics on click-through and reporting), the list of compromised users targeted for remediation, and cross-references to the related people-controls package. Auditors prefer simulation evidence to attendance-sheet evidence; we lead with the simulation and reinforce with the attendance trail.


M365 capabilities that implement this control

  • Attack Simulation Training (Info Gov): Microsoft Defender Attack Simulation Training for phishing awareness