What does control A.3.17 require?
Personnel of the organisation and relevant interested parties shall receive appropriate information security awareness education and training, and regular updates of the organisation’s information security policy, topic-specific policies and procedures, as relevant for their job function, as they relate to PII processing.
This control sits within the Shared security controls annex (A.3) and recognises that even the best technical controls fail if the people operating them do not understand their responsibilities. Training must be tailored to each person’s role and must be refreshed regularly, not delivered as a one-off exercise.
What does the Annex B implementation guidance say?
Annex B (section B.3.17) provides the following guidance:
- Incident reporting awareness — Raise awareness of how to recognise and report potential PII incidents, ensuring that all staff understand the reporting channels and the importance of timely escalation
- Consequences of breaches — Ensure staff are aware of the consequences of breaching privacy and security rules, covering three dimensions:
  - For the organisation — Legal sanctions, loss of business, reputational damage
  - For the staff member — Disciplinary consequences, including potential dismissal
  - For the PII principal — Physical, material and emotional harm that individuals may suffer
- Periodic training for PII access — Include appropriate periodic training specifically for personnel who have access to PII, going beyond general security awareness

See also A.3.19: Clear Desk and Clear Screen for related requirements.
The guidance stresses that awareness is not enough on its own. Staff need to understand the real-world consequences of mishandling PII — not just abstract policy statements but the tangible impact on individuals whose data is compromised.
How does this map to GDPR?
Control A.3.17 has no formal GDPR mapping in Annex D. The closest related provision is GDPR Article 39(1)(b), which assigns the Data Protection Officer the task of monitoring compliance with the Regulation, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations. Not every organisation is required to appoint a DPO, but the GDPR makes clear that training is a core compliance activity regardless.
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, this requirement was covered by Clause 6.4.2.2 (information security awareness, education and training). The 2025 edition retains the core requirements as A.3.17, with clearer separation between the control statement and the implementation guidance in B.3.17. The three-dimensional approach to consequence awareness (organisation, staff member, PII principal) remains a distinctive feature of the guidance. See the Annex F correspondence table for the full mapping.
What evidence do auditors expect?
When assessing compliance with A.3.17, auditors will typically look for:
- Training programme — A documented programme covering privacy and security awareness, with content tailored to different roles and levels of PII access
- Completion records — Evidence that all relevant personnel have completed the required training, with dates, scores (if applicable) and records of any retraining
- Regular updates — Evidence that training content is refreshed when policies change and that staff are notified of policy updates
- Role-specific training — Additional training for personnel with elevated PII access or specialised processing roles, beyond general awareness
- Effectiveness measurement — Evidence that the training programme is evaluated for effectiveness, such as through knowledge assessments, phishing simulations or incident trend analysis
What are the related controls?
| Control | Relationship |
|---|---|
| A.3.11 Incident management planning | Training should cover how to recognise and report PII incidents |
| A.3.18 Confidentiality agreements | Training reinforces the confidentiality obligations staff have signed |
| A.3.9 Access rights | Personnel with PII access need targeted training on their access responsibilities |
| A.3.16 Compliance with policies | Compliance review findings may reveal training gaps that need addressing |
| A.3.12 Response to incidents | Incident response training ensures staff know their role when a breach occurs |
Who does this control apply to?
A.3.17 is a shared control that applies to both PII controllers and PII processors. All personnel who process PII or who could affect the security of PII need appropriate training. This includes not only permanent employees but also contractors, temporary staff and relevant interested parties who interact with personal data or the systems that process it.
Why choose ISMS.online for privacy awareness training?
ISMS.online provides practical tools for building and maintaining a privacy-aware workforce:
- Training module management — Create, assign and track completion of training modules tailored to different roles and levels of PII access
- Automated scheduling — Set training frequencies by role, with automated reminders for initial completion and periodic refresher courses
- Policy acknowledgement tracking — Ensure all staff read and acknowledge updated privacy policies, with completion dashboards and escalation for non-responders
- Completion reporting — Generate audit-ready reports showing who has completed training, when, and any outstanding requirements
- Integration with incident management — Link training records to incident data, so you can identify whether training gaps contributed to PII incidents
- New starter onboarding — Automatically assign privacy training to new personnel as part of the onboarding workflow
FAQs
How often should privacy awareness training be refreshed?
The standard requires regular updates but does not prescribe a specific frequency. Most organisations deliver annual refresher training for all personnel, with additional training when significant policy changes occur. Personnel in high-risk roles handling sensitive PII may require more frequent training. The key is to demonstrate that training is ongoing and responsive to changes, not a one-time event.
Should training cover the consequences for PII principals?
Yes. The implementation guidance specifically requires that staff understand the consequences of privacy breaches across three dimensions: for the organisation, for themselves and for the PII principal. Including real-world examples of harm to individuals — such as identity theft, financial loss or emotional distress — helps staff understand why privacy controls matter beyond abstract compliance requirements.
Does this apply to contractors and temporary staff?
Yes. The control applies to personnel of the organisation and relevant interested parties. This includes contractors, temporary workers, consultants and any other individuals who access PII or systems that process PII. Training should be delivered before they begin processing PII and should be appropriate to their role and the duration of their engagement.