Introduction: Why Your Information Security Certification Matters More Than You Think
ISO/IEC 27001 is the internationally recognised standard for information security management. If you work in a medium-to-large enterprise, particularly in financial services, you've probably heard auditors mention it. Perhaps your organisation is pursuing certification, or you're already maintaining it. Either way, the certification is only half the battle. The real challenge lies in evidence collection and demonstrating that your security controls actually work.
Here's the uncomfortable truth that many compliance teams discover mid-audit: ISO 27001 certification isn't primarily about technology. Yes, you need firewalls, encryption, and access controls. But the standard explicitly recognises that the human factor is where information security truly succeeds or fails. People are both your greatest security asset and your most significant vulnerability.
At Solas Technologies, we've been through the ISO 27001 certification process ourselves. We understand firsthand what auditors scrutinise, what documentation they expect, and where organisations consistently struggle. Our experience has shaped how we built SolasOS, a platform designed to address one of the most painful aspects of maintaining certification: proving that your security controls are effective, particularly those involving human behaviour and organisational culture.
This article walks you through the evidence collection requirements for the people-focused clauses of ISO 27001. We'll show you what auditors actually expect, how organisations typically gather evidence today (spoiler: it's labour-intensive and unreliable), and how intelligent communication analysis can transform evidence collection into a continuous, automated process.
The Human Factor in Information Security
Technical controls fail when people make decisions. They share passwords. They click phishing links. They download suspicious attachments. They discuss sensitive information in public spaces. They leave devices unlocked. They ignore security warnings.
ISO 27001 recognises this reality through several critical clauses focused on people and culture. These aren't checkbox exercises. They require genuine, measurable evidence that your organisation has built security awareness, competence, and communication practices that reduce human risk.
The challenge is this: how do you measure whether security awareness has genuinely changed behaviour? How do you prove that incident communication protocols actually work during a crisis? How do you identify which employees are at risk of security misconduct before they cause damage? Traditional methods rely on surveys, training completion records, and incident logs. These approaches are fragmented, lagging, and often lack the granularity auditors expect.
The Clauses That Matter: A Detailed Breakdown
Clause 7.2: Competence
The Requirement
Clause 7.2 demands that your organisation determine competence criteria for people performing work affecting information security. You must ensure they're adequately competent through relevant education, training, or experience. You must also evaluate competence and take action where gaps exist.
What Auditors Look For
Auditors will ask: Do you have a defined competency framework? Can you map roles to competency requirements? Can you show evidence of competency evaluations? Do you have records of training delivered? Can you demonstrate that people actually understood what they were trained on?
The critical expectation here is evidence of competency assessment, not merely training completion. A certificate showing someone attended a three-hour security awareness module doesn't prove they understand threat identification or know how to respond to a phishing email.
Traditional Evidence Collection (Manual)
Today, most organisations gather evidence through:
Training completion records from learning management systems
Competency assessment questionnaires (often self-assessed)
Certificates of completion or passing scores on quizzes
Role-based training matrices
Training attendance logs
This approach is time-consuming to maintain, difficult to verify, and susceptible to gaming. Someone can complete training without absorbing the content. More problematically, you have no ongoing evidence that competency is maintained or applied on the job.
SolasOS Evidence Collection
SolasOS takes a fundamentally different approach. Rather than relying on point-in-time assessments, it continuously analyses how people communicate about security risks and incidents. The platform measures:
How frequently individuals reference security protocols in discussions
Whether security terminology and concepts appear in real communication patterns
How employees respond to potential security scenarios in actual workplace conversations
Whether particular teams or departments demonstrate higher security awareness through communication patterns
Trends in security-related vocabulary and understanding across roles
This provides auditors with dynamic, behaviour-based evidence that competence is real and applied. You can show that a finance team discussing data handling practices demonstrates genuine understanding of regulatory requirements, not just training completion.
Clause 7.3: Awareness
The Requirement
Clause 7.3 mandates that all people in your organisation are aware of their information security responsibilities and relevant policies. They must also understand the risks of non-compliance.
What Auditors Look For
Auditors will examine: How do you ensure awareness? Is it a one-off event or ongoing? Can you prove employees understand policies, not just that they've read them? Can you demonstrate that awareness is appropriate for different roles? Do you have evidence that people actually recognise security risks in their day-to-day work?
The emphasis here is on behaviour change, not information dissemination. Sending an email with a policy attachment is not awareness. Awareness is demonstrated when employees make different decisions because they understand the consequences.
Traditional Evidence Collection (Manual)
Typical approaches include:
Email confirmations that employees have read policies
Attendance records for awareness training sessions
Completion certificates for online modules
Survey responses about awareness topics
Sign-offs acknowledging understanding
These methods suffer from significant limitations. Surveys and sign-offs measure compliance with documentation requirements, not genuine awareness. Someone can confirm they've read a policy without absorbing it or remembering it when faced with a real decision.
SolasOS Evidence Collection
SolasOS measures actual awareness through communication intelligence. The platform analyses:
Whether employees reference or discuss security policies in real conversations
How people talk about security risks in natural workplace communication
Whether security considerations appear in decision-making discussions
Sentiment around security topics (defensive resistance vs proactive engagement)
Whether communication patterns shift following security awareness initiatives
For example, if you launch a campaign about phishing awareness, SolasOS can measure whether employees' communication about email verification, suspicious links, and reporting procedures actually increases. You can show auditors that awareness initiatives moved the needle on behaviour, with real conversation data as evidence.
Clause 7.4: Communication
The Requirement
Clause 7.4 requires that your organisation establishes and implements an internal communication process for information security. This includes who communicates with whom, how communication happens, and when communication occurs.
What Auditors Look For
Auditors will investigate: Do you have defined communication channels for security matters? Do managers communicate security directives effectively? Can you prove that important security information reaches the right people? If a security incident occurs, do you have evidence that communication protocols worked? Can you show rapid, effective response communication?
Traditional Evidence Collection (Manual)
Organisations typically document:
Org charts showing reporting lines
Email templates for security communications
Records of security bulletins sent
Incident communication logs
Attendance records for security briefings
These documents exist, but they don't prove communication was effective. A security bulletin might be sent to all employees, but did they read it? Did they understand it? Did it change their behaviour? You have no concrete evidence.
SolasOS Evidence Collection
SolasOS provides comprehensive communication intelligence by:
Tracking how security information flows through your organisation's actual communication networks
Measuring whether security communications reach intended recipients and how quickly
Analysing engagement with security messages across departments and roles
Identifying communication gaps where critical information isn't reaching people who need it
Monitoring sentiment and comprehension in employee responses to security communications
Providing quantified evidence of communication effectiveness during security incidents
During an actual security incident, SolasOS can demonstrate that your incident response team communicated appropriately with stakeholders, that the communication cascade worked as intended, and that people understood and acted on information. This is exactly what auditors want to see: not a theoretical communication plan, but evidence of the plan working in practice.
Annex A.6: People Controls (A.6.1 through A.6.8)
The Requirement
Annex A.6 addresses people-focused security controls. These clauses cover information security roles and responsibilities, screening (during recruitment), confidentiality and non-disclosure agreements, security behaviour management, and incident reporting by staff. This section recognises that people are central to information security, not peripheral to it.
What Auditors Look For
For A.6.1 (roles and responsibilities), auditors verify that security responsibilities are clearly assigned and understood. For A.6.2 (screening), they check that your recruitment process assesses security-relevant background information. For A.6.3 (confidentiality), they verify that confidentiality agreements are in place and signed. For A.6.4 (behaviour management), they look for evidence that you address security misconduct constructively.
A.6.5 (incident reporting) is particularly important. Auditors want evidence that your employees actually report security incidents, near-misses, and vulnerabilities. They also want evidence that reporting channels are used and that the organisation responds appropriately.
Traditional Evidence Collection (Manual)
Organisations typically show auditors:
Job descriptions including security responsibilities
Signed confidentiality agreements and NDAs
Disciplinary records (when incidents occur)
Incident reports submitted through formal channels
Investigation outcomes
The weakness here is obvious: you're capturing incidents that made it into formal channels. But many security events are never formally reported. An employee notices a potential vulnerability but mentions it in a conversation instead of submitting a ticket. Someone observes suspicious behaviour but isn't sure if it's worth reporting. These incidents disappear from your evidence trail.
SolasOS Evidence Collection
SolasOS identifies security-relevant behaviour patterns across your entire communication network:
Recognises conversations containing references to security concerns, vulnerabilities, or suspicious activity
Identifies early warning signs of security risks through communication patterns (tone shifts suggesting disengagement, language patterns suggesting potential misconduct)
Measures incident reporting culture by tracking whether employees discuss and escalate security concerns naturally
Identifies unreported incidents or near-misses that surface in conversation but don't enter formal channels
Highlights communication patterns indicating burnout or disengagement that might increase security risk
Demonstrates that your culture actively encourages incident reporting and addressing of security concerns
This transforms how you evidence Annex A.6 controls. Rather than relying on formal incident counts (which auditors know is an incomplete picture), you can demonstrate that your entire organisational culture is oriented towards identifying and addressing security risks.
Annex A.8.7: Protection Against Malware
The Requirement
Annex A.8.7 requires that you implement and maintain technical measures against malware. However, the most effective malware protection includes human awareness. People need to recognise malware delivery vectors and know how to avoid clicking, opening, or executing malicious content.
What Auditors Look For
Auditors examine both technical controls (endpoint protection, email filtering) and human controls. They'll ask: Can you show evidence that people understand malware risks? Do you have ongoing awareness? Can you demonstrate that your organisation has a culture of vigilance around suspicious files, links, and attachments?
Traditional Evidence Collection (Manual)
Typical evidence includes:
Antivirus deployment records
Email gateway configuration documentation
Training records for malware awareness
Counts of blocked malware incidents
User awareness programme metrics
SolasOS Evidence Collection
SolasOS provides a unique angle on malware awareness by analysing communication patterns:
Measures whether employees discuss or mention suspicious files, links, or attachments in real conversations
Tracks whether people naturally reference malware risks and demonstrate understanding of threat vectors
Identifies whether communication demonstrates a culture of "healthy scepticism" around unexpected files
Provides evidence that security training about malware vectors actually shaped behaviour and decision-making
Shows sentiment and confidence in your organisation's ability to recognise and respond to malware risks
Comparative Evidence Collection: Manual vs SolasOS
| ISO 27001 Clause | Manual Evidence Collection | SolasOS Evidence Collection |
|---|---|---|
| 7.2 Competence | Training records, completion certificates, quiz scores | Continuous measurement of security terminology and protocols in actual workplace communication; behaviour-based competency indicators |
| 7.3 Awareness | Policy acknowledgements, survey responses, training attendance | Real-time tracking of security awareness language in communication; sentiment analysis of security topic engagement; behaviour change measurement |
| 7.4 Communication | Email templates, communication plans, incident logs | Network analysis of information flow; engagement tracking with security communications; effectiveness measurement during live incidents |
| A.6 People Controls | Confidentiality agreements, incident reports, disciplinary records | Detection of unreported incidents through communication analysis; early warning signals for security risk behaviour; culture assessment through communication patterns |
| A.8.7 Malware Protection | Training records, antivirus logs, malware counts | Measurement of security vigilance in communication; assessment of whether threat awareness translates to actual behaviour |
Why the Human Factor Matters
Organisations that successfully maintain ISO 27001 certification recognise a fundamental truth: controls are only as strong as the people implementing them. Technical controls can be evaluated objectively (does the firewall work? Yes or no). Human controls require ongoing measurement and evidence that behaviour is actually changing.
This is where most organisations struggle. They invest in security awareness programmes, assume completion equals competence, and hope people internalise the message. When auditors dig deeper, asking for evidence that awareness actually changed behaviour, organisations struggle to provide it.
SolasOS bridges this gap. By continuously analysing how people communicate about security, the platform provides real evidence that:
Your team genuinely understands security responsibilities
Awareness initiatives are changing behaviour
Communication protocols are working in practice
Your culture is oriented towards identifying and addressing security risks
Security competency is applied consistently across your organisation
Getting Started: Implementing These Controls
If your organisation is pursuing ISO 27001 certification (or already holds it), consider this roadmap:
Audit your current evidence collection for each clause. Identify gaps where you rely on proxy measures (training completion) rather than behaviour-based evidence.
Assess your communication infrastructure. Do you have tools that can analyse how security information flows through your organisation?
Identify your highest-risk roles. Finance, HR, and IT typically handle the most sensitive information. Ensure competence and awareness are strongest in these areas.
Evaluate your awareness programmes. Are they one-off events or ongoing? Are you measuring behaviour change or just information dissemination?
Consider intelligent evidence collection. For medium-to-large enterprises, manual evidence gathering becomes increasingly untenable. Tools that continuously measure security culture through communication intelligence significantly reduce the audit burden while improving the quality of evidence.
Conclusion
ISO 27001 certification is a journey, not a destination. The standard evolves, auditors' expectations increase, and the threat landscape changes. What doesn't change is the central role of people in information security.
At Solas Technologies, we earned our ISO 27001 certification by understanding that compliance isn't about documentation; it's about culture. We built SolasOS to help other organisations measure and improve their security culture in real time, generating the evidence auditors need while simultaneously making your organisation more secure.
If you're managing information security in a medium-to-large enterprise, you know that the traditional approach to evidence collection is unsustainable. Surveys lie. Training completion doesn't prove competence. Incident counts don't capture the full picture. Communication plans don't prove communication works.
It's time to measure what actually matters: whether your people genuinely understand security, whether awareness is translating to behaviour change, and whether your organisation has a culture where security is everyone's responsibility.
That's where SolasOS comes in.
Ready to Transform Your ISO 27001 Evidence Collection?
Managing ISO 27001 compliance doesn't have to mean endless spreadsheets and post-audit scrambling for evidence. SolasOS provides the continuous, behaviour-based measurement that auditors expect and your organisation needs.
Discover how SolasOS helps medium-to-large enterprises in financial services and beyond meet their ISO 27001 requirements through intelligent communication analysis. Request a demonstration today to see how your organisation's security culture looks when you measure what actually matters.
About Solas Technologies
Solas Technologies analyses communication data to measure workplace culture, identify top performers, provide early warnings for talent risks, and map organisational networks. With ISO 27001 certification, Solas Technologies understands firsthand what it takes to build and maintain a security-conscious organisation. SolasOS provides retroactive and real-time analysis of communication patterns, helping enterprises make better decisions about people, culture, and security.