Teams pursuing both SOC 2 and ISO 27001 often end up with two training programs running in parallel because each framework's auditor has slightly different evidence expectations. Part of that duplication is unavoidable (the two frameworks really do ask for different things), but most of it is cost you don't need to pay. A single core training program, supplemented by a few activities each audit expects, can cover most of both. This guide maps the specific controls (ISO 27001:2022 Annex A.6.3 and the AICPA 2017 TSC CC1.4) side by side, explains where they actually diverge, and describes a program structure that passes both audits with as little duplication as possible.
This is written for a compliance-adjacent engineering leader who has already gone through one of the two audits and is now preparing for the other, or a team running both for the first time and looking for efficiency.
TL;DR
- ISO 27001 A.6.3 is explicit about what the organization must provide: awareness, education, AND training as three distinct categories, plus regular updates tied to the organization's policies. SOC 2 CC1.4 is principle-based; it requires "competence" and auditors infer training as the evidence pattern.
- The operational overlap is substantial but not total. A training platform with per-user records can be the primary evidence for SOC 2 and covers the training and education legs of A.6.3, but ISO's "awareness" leg typically requires additional activities (phishing simulations, newsletters, posters, reminders) that a training platform alone doesn't provide.
- ISO auditors increasingly expect effectiveness evidence (click rates on phishing simulations, reporting rates, behavior trends) on top of completion records. SOC 2 auditors generally accept completion records on their own.
- A single core training program plus a lightweight awareness layer and a documented policy tied to both frameworks satisfies the bulk of both audits. Split programs are usually a sign of running each audit in isolation rather than designing shared evidence.
- If you're doing ISO first, the transition to SOC 2 is smoother than the reverse, because the ISO evidence pattern generally exceeds the SOC 2 requirement.
The two control texts
ISO/IEC 27001:2022 Annex A.6.3 (Information security awareness, education and training)
From the ISO 27001:2022 standard (as quoted across reputable secondary sources; the normative text is only in the paid standard): "Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function."
Four textual commitments, each of which an auditor will specifically probe:
- Scope: "personnel of the organization and relevant interested parties" is broader than SOC 2's in-scope personnel; per ISO 27001 Clause 4.2 it includes employees, contractors, temporary staff, and relevant suppliers or vendors doing work under the organization's control.
- Content types: "awareness, education and training" are three distinct activities. ISO 27002:2022 implementation guidance for control 6.3 names five delivery methods (classroom training, online training, awareness campaigns such as emails and posters, simulation exercises such as phishing, and on-the-job training) and encourages combining them. Auditor commentary increasingly treats attendance logs alone as insufficient; effectiveness evidence (phishing click rates, reporting rates, behavior trends over time) is expected on top.
- Specificity: "as relevant for their job function" makes role-appropriate content explicit. A developer-focused curriculum for developers, an admin-focused curriculum for admins, and a general awareness layer for everyone is the common pattern; high-risk roles (sysadmins, finance, HR, executives) often get additional tailoring.
- Updates: "regular updates" is not defined as a specific cadence in the standard itself; annual is the de facto minimum in practice.
2017 Trust Services Criteria, CC1.4
From the AICPA 2017 TSC: "The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives." Points of focus include establishing policies and practices, attracting and developing competent individuals, providing mentoring and training, and evaluating competence.
The textual commitments are looser:
- Scope: the criterion applies to the entity's personnel. Contractors in scope for the system being audited are pulled in by the system boundary, not by the control text itself.
- Content types: "training" appears in the points of focus as one of several ways to demonstrate the principle. The criterion itself doesn't name training.
- Specificity: no explicit role-appropriate requirement. Implicit expectation that the training addresses the organization's actual risks.
Side by side mapping
| Requirement area | ISO 27001 A.6.3 | SOC 2 CC1.4 | How to satisfy both |
|---|---|---|---|
| Who must be trained | Personnel and relevant interested parties, including suppliers and vendors working under the organization's control | Personnel in scope for the system (implicit via scope) | Roster everyone with logical access, flag contractors and relevant vendors separately |
| Cadence | Regular updates (unspecified frequency; annual is de facto minimum) | No cadence specified; policy-driven | Annual refresh with new-hire onboarding training |
| Content types | Awareness, education, and training (three distinct categories per ISO 27002 guidance) | Training implied in points of focus | Training platform for the education and training legs; separate awareness activities (phishing simulations, security newsletters, reminders) for the awareness leg |
| Role specificity | Explicit ("as relevant for their job function") | Not explicit, but increasingly expected | Developer-focused curriculum for repository access, admin-focused for privileged access, general awareness for all, plus tailoring for high-risk roles (finance, HR, executives) |
| Policy documentation | ISMS training policy explicitly tied to A.6.3, reviewed annually | Training policy tied to CC1.4 | Single policy document referencing both controls |
| Evidence: completion records | Expected, not sufficient on their own | Generally sufficient as primary evidence | Per-user, timestamped, exportable CSV |
| Evidence: effectiveness | Increasingly expected (phishing click rates, reporting rates, behavior trends) | Not typically sampled | Track and retain phishing simulation results, security-incident reports, quiz pass rates over time |
| Evidence: attestations | Commonly requested | Occasionally requested | Signed attestation at completion (inexpensive to include) |
| Evidence: curriculum-to-risk mapping | Expected to tie content to the risk assessment | Helpful for auditor credibility | One-page mapping document, maintained yearly |
| Evidence: review cycle | Expected annually as part of ISMS management review | Expected to match stated policy cadence | Annual policy review with documented sign-off |
Where the frameworks meaningfully diverge
Four differences matter in practice.
1. Specificity of content
ISO A.6.3 requires "appropriate for job function." SOC 2 does not require role-appropriate content explicitly. An organization running a single generic security awareness program for all employees (including developers) has a harder time with ISO than with SOC 2. The fix is to split the curriculum into layers: a baseline awareness program for everyone, a developer-focused layer for engineers with code repository access, and additional layers for administrators, finance, HR, and anyone else whose role carries distinct risk.
2. Awareness as a named content type
ISO treats awareness as a named content type alongside education and training. SOC 2 doesn't. ISO auditors reading A.6.3 expect to see ongoing reinforcement activities (phishing simulations, security newsletters, posters, periodic reminders) in addition to structured training courses. A training platform by itself covers the education and training legs; it does not cover the awareness leg. You'll need a lightweight awareness channel (even quarterly emails referencing recent incidents suffice) to complete the A.6.3 picture. For SOC 2, those same awareness activities are supporting evidence under CC2.2 (internal communication) rather than CC1.4 (competence).
3. Effectiveness evidence, not just completion
ISO 27001 auditors are increasingly expected to look beyond completion records and attestations for evidence that training is effective. Phishing simulation click rates, incident reporting rates, and behavior trends over time are the typical effectiveness signals. Completion of an annual course, absent any behavior-change evidence, is a thinner story under ISO than under SOC 2. Retain phishing simulation results, track incident-reporting rates, and save them alongside the completion records.
4. Documentation tied to the framework
ISO 27001 auditors look for documentation that explicitly references the ISMS and its controls. A training policy that doesn't mention A.6.3 will trigger a request for clarification. SOC 2 auditors are more flexible; a training policy that describes the program without citing CC1.4 still works, though auditors appreciate the mapping.
The practical fix is to include a "Control mapping" section in your training policy that lists the frameworks and their relevant controls. One page, maintained once.
One core program that supports both
The structural pattern we recommend (and use ourselves) is one shared core, layered with a few framework-specific additions:
- One training policy, referencing both A.6.3 and CC1.4 in a control-mapping section, reviewed annually. Retained in your policy repository.
- One structured curriculum, with at minimum two layers: a baseline layer for all personnel covering phishing, data handling, incident reporting, and acceptable use; and a developer-focused layer covering OWASP Top 10:2025 and secure coding fundamentals. Add admin-focused, finance-focused, HR-focused layers as your role inventory and risk assessment demand.
- One roster, sourced from the HRIS (for employees) and contractor management system (for external parties), with suppliers and vendors added for ISO's broader "interested parties" scope.
- One completion-tracking system, producing per-user, timestamped records exportable as CSV.
- One attestation flow, capturing acknowledgment at the end of each course.
- A lightweight awareness channel (quarterly security newsletter, phishing simulation program, or both). This is the piece a training platform alone doesn't provide; it's also where most of the ISO-specific effectiveness evidence gets generated. Platforms like KnowBe4, Hoxhunt, or a managed service from a consulting firm are the common approaches.
- One annual review cycle, reviewing the policy, updating the curriculum for new risks (OWASP revisions, changes to the product), refreshing the risk-to-content mapping, and summarizing effectiveness metrics.
This structure shares the training platform, the policy, the roster, and the tracking across both audits. The awareness channel is additional work driven mostly by ISO. Done this way, the overall effort is meaningfully less than running two separate programs, even though it isn't a one-program story.
A practical consideration: which audit to do first
If you're pursuing both and have flexibility on sequencing, ISO 27001 first has operational advantages:
- ISO's explicit requirement for role-appropriate content forces you to build the curriculum structure that SOC 2 auditors increasingly expect.
- ISO's ISMS-based documentation pattern (control-referenced policies, annual review, management sign-off) produces artifacts that also satisfy SOC 2's governance criteria.
- The annual surveillance audit cycle under ISO creates the maintenance habit; SOC 2 Type II audits want to see similar continuity.
The reverse is workable but usually means retrofitting the ISO specificity requirements onto a program that was built looser.
Why we built our curriculum this way
When we ran our own pre-product discovery (on a 60-person engineering team with a $5,000 training budget), we were looking for training that worked for SOC 2 but would also hold up when we pursued ISO 27001 a year later. Almost every platform we evaluated was built for one framework or the other, and the better ones cost more than our budget. Our own curriculum is structured to cover what the training platform layer of both audits wants: role-appropriate content (developer-focused OWASP plus General Security Awareness), attestations, per-user timestamped records, and quizzes that produce pass-rate trends usable as effectiveness evidence. We don't pretend a training platform alone satisfies ISO 27001 end-to-end; it covers the training and education legs, and you'll still pair it with a phishing-simulation or awareness channel and your own documented policy to close A.6.3 out. The design decision we made is to do the training-platform part well at a price that leaves budget for the other pieces.
Further reading
- ISO/IEC 27001:2022: the governing ISO standard, with A.6.3 in Annex A.
- AICPA 2017 Trust Services Criteria (2022 revision): the governing SOC 2 criteria.
- ISO/IEC 27002:2022: implementation guidance for the Annex A controls. 6.3 is covered in detail.
- AICPA SOC 2 reporting framework overview: broader SOC 2 context.
- Our own SOC 2 developer security training requirements guide: the SOC-2-only companion piece.
FAQ
Can I pass both audits with a single annual training?
The structured-training portion, yes. ISO 27001 auditors also expect awareness activities (phishing simulations, newsletters, or equivalent reinforcement) and increasingly look for effectiveness evidence on top of completion records, so the full A.6.3 picture is rarely "just one annual course." The practical answer is: one annual structured training, plus a lightweight awareness channel, plus a policy tying it all back to both framework controls, satisfies the bulk of both audits.
Does ISO 27001 require more detailed evidence than SOC 2?
Generally yes, on documentation. ISO auditors expect the ISMS to be explicitly structured with policies tied to specific controls. SOC 2 auditors are less formal about documentation structure but sample evidence more directly. Both expect per-user completion records; ISO additionally expects a link from the policy to A.6.3.
Do ISO auditors accept awareness emails as evidence of the "awareness" component of A.6.3?
Most do, if the emails are documented, archived, and distributed to the full roster. Treating awareness as "training that happens to be lightweight" (rather than as a separate category) sometimes works with flexible auditors, but the cleaner pattern is to name awareness activities explicitly and track them separately from formal training.
Is signed attestation required for ISO 27001?
The standard doesn't explicitly require it. Auditor practice varies; attestations are commonly requested and easy to produce, so including them is the default recommendation. An organization passing ISO without attestations would need to compensate with stronger evidence elsewhere.
How does the 2022 revision of ISO 27001 affect training requirements?
A.6.3 in the 2022 revision is substantively the same as A.7.2.2 in the 2013 version. The main change is structural (controls renumbered and reorganized). Organizations with training programs built for the 2013 version generally transition without re-engineering; they do need to update policy references to the new control numbers.
Do I need separate training for contractors under ISO vs SOC 2?
No, the same training works. ISO A.6.3 explicitly names "relevant interested parties," which includes contractors; SOC 2 pulls contractors in via the system scope. One roster, one curriculum, applied to both employees and in-scope contractors, satisfies both.
If my auditor is pushing for developer-specific content and we don't have it, what's the fastest path?
Two options. Add a developer-focused module to your existing curriculum and have developers complete it within the next quarter (defensible; demonstrates continuous improvement). Or adopt an existing developer-focused program and map it into your ISMS documentation. The second is faster if the existing program produces the right evidence format.
Will ISO 42001 (AI management systems) affect training requirements?
ISO 42001, published in 2023, includes its own awareness and competence requirements for personnel involved in AI system development and operation. Teams building or operating AI systems should expect an additional training layer specific to AI risks. The existing A.6.3 program doesn't go away; an AI-specific module gets added for AI-adjacent roles.