Good morning. I hope that you are able to answer a question for me, please. Control A.7.2.2 states that "All employees of the organisation and, where relevant, contractors shall receive appropriate awareness education training and regular updates in organisational policies and procedures, as relevant for their job function."
We are a small company and currently deliver IT Security Awareness sessions via in-person presentations once or twice a year. Attendance is mandatory and is recorded to provide evidence of provision. Are you able to advise, please, whether this would be sufficient to satisfy an ISO 27001 audit, or whether the frequency of this training would need to be increased and/or the training delivered through something more formal, such as an online training portal with a test at the end of each session? Thank you in advance for your advice.
Your scenario is not enough to be compliant with the standard, because it is not clear that you identified the necessary competencies for awareness and training (i.e., which topics you need to cover, which in general are based on perceived risks, turnover rate, or legal requirements), and while you captured evidence of provision, it is not clear that effectiveness of the actions taken is evaluated (e.g., by means of a test at the end of each session).
ISO 27001 does not prescribe the frequency of training, so organizations can define it according to their needs.
The standard also does not prescribe ways of delivering training and awareness, so organizations can define them according to their needs.