We have started to use Advisera security awareness training (currently subscribed to a Company account for up to 50 users), and several of our employees who have been notified about the program are still not registered or their status is overdue.
In light of the above, will that prevent us from being compliant with ISO 27001 (in that specific area)? Must all employees complete the program, or is it enough to show that there is ongoing activity?
I’m assuming you refer to a certification audit situation.
Considering that, to be compliant with clauses 7.2 Competence and 7.3 Awareness you need to ensure that at least the personnel in the main roles related to information security (e.g., the CEO, the CISO, IT Head, IT staff, internal auditor, etc.) have performed their training and awareness activities and that there are no overdue activities (i.e., you do not need all employees to complete the program by the time of the certification audit, only to evidence that the program is ongoing).
This article will provide you with a further explanation about awareness and training: