June 2026. ISO 27001 requires demonstrable awareness — not only an intranet policy. Certification bodies look at participation, follow-up and effect: who completed training, what happened after phishing failures, how you report trends to leadership.
Programme at SME scale
- onboarding within week 1: MFA, report phishing, password policy;
- quarterly micro-learning (5–10 min) instead of annual marathon;
- simulated phishing with coaching, not blame games;
- metrics: click rate, report rate, training completion — in management review.
Link with controls
Map awareness to Annex A (personnel, access, incident reporting). Record in SoA how you measure effect — e.g. falling click rate or rising report rate. Auditors accept pragmatic metrics for SMEs.
Practical tips
- Leadership participates — visible in first campaign.
- Reward reporting suspicious mail, not only punish misclicks.
- Link to ISMS and NCSC-style baselines.
Ransomware often starts with a user — awareness is not nice-to-have but part of risk treatment. Document budget and owner; “HR does something” is insufficient at surveillance.
Measure culture without blame
Phishing simulations work best with immediate explanation after misclick — what should have been reported, how to report, why it matters. Publish aggregate metrics to leadership, not name-and-shame lists.
Link awareness to HR: onboarding, role change, offboarding. New staff are often the weakest point in the first weeks.
Document budget and tooling in management review — “free YouTube” without owner and plan is insufficient at ISO 27001 surveillance.
Next steps in your ISMS
Turn this article into one concrete action in your risk register or improvement plan: owner, deadline, expected evidence. Discuss progress in the next management review — auditors and chain partners want decisions, not policy intent alone. Link where possible to existing ISO 27001, NIS2 or GDPR documentation so you do not maintain parallel folders.
Questions on scope, certification or chain requirements? Use our readiness overview and knowledge base for deeper guidance. This article does not replace legal or audit advice for your situation.
Share relevant findings briefly with line management and procurement — compliance becomes workable when the whole organisation recognises the same priorities. Repeat the chosen action quarterly in team meetings and update evidence locations in your SoA or control plan so surveillance samples are easy to answer.
What to do this week
Pick one concrete action from this article, assign an owner and add it to your risk or improvement register with a deadline. Share briefly in team meetings so compliance is something the line recognises. Repeat quarterly in management review so leadership sees progress, not only intent.
Note: this article is educational and does not replace legal, privacy or audit advice for your specific situation.
Evidence and governance
Record who owns the measures in this article and how you prove operation in the sample period — logs, tickets, approved changes or exercise reports. Certification bodies and chain partners do not accept intent without samples. Link evidence locations to your SoA or control plan so internal and external audit use the same sources.
Chain and contracts
Many 2026 requirements come via customers, not only formal law scope. Align contract SLAs with your ISMS: incident notification, audit rights, patch timelines and exit. Document where contract is stricter than internal policy — management review must explicitly accept that gap or plan investment.
Continual improvement
Plan a short quarterly review: what worked, which near-miss stood out, which control needs extra attention? Record three improvement actions with owners — that is what ISO 27001, NIS2 and GDPR supervision want to see: PDCA in practice, not paper only.
Knowledge base and readiness
For deeper guidance see our knowledge base on ISMS, ISO 27001, NIS2 and GDPR. Use the readiness overview to compare priorities with your current maturity. This article is educational; engage specialists for legal or audit decisions.
Evidence and governance
Record who owns the measures in this article and how you prove operation in the sample period — logs, tickets, approved changes or exercise reports. Certification bodies and chain partners do not accept intent without samples. Link evidence locations to your SoA or control plan so internal and external audit use the same sources.
Chain and contracts
Many 2026 requirements come via customers, not only formal law scope. Align contract SLAs with your ISMS: incident notification, audit rights, patch timelines and exit. Document where contract is stricter than internal policy — management review must explicitly accept that gap or plan investment.
