
ISO 27001: How to Prove Your Team's Security Awareness During an Audit

Published on November 25, 2025

During an ISO 27001 audit, one question comes up every time: "How do you prove that your employees have read the security policy?"

If your answer is "we sent them an email," you risk a non-conformity. Here's why—and how to fix it simply.

What ISO 27001 says

Clause 7.3 (Awareness) of ISO 27001:2022 is explicit. Among the things it lists, it requires that:

Persons doing work under the organization's control shall be aware of the information security policy.

Clause 7.5 (Documented information) then requires the organization to keep and control the documented information it needs for the ISMS to be effective. In practice, that means records showing that this awareness actually happened, because a requirement you cannot evidence is one the auditor cannot accept.

Concretely, the auditor expects:

  • A nominal list of people who received awareness training
  • A timestamp for each acknowledgement
  • The document version concerned
  • The ability to verify this information

Why email isn't enough

Sending the security policy by email has several problems:

  1. No proof of reading: a delivery or read receipt proves at most that the message reached a mailbox or was opened (and many clients suppress receipts altogether), not that the attached policy was read
  2. No consolidated traceability: impossible to see who read what at a glance
  3. Unclear versioning: which version of the document was sent?
  4. Difficult export: how do you present this evidence to the auditor?

The solution: timestamped acknowledgement

Acknowledgement (read confirmation) solves these problems:

  1. The employee receives a link to the document
  2. They authenticate (OAuth2, enterprise SSO)
  3. They click "I have read and understood"
  4. The action is recorded with a cryptographic signature

Result: tamper-evident, timestamped, exportable proof. The signature is only as trustworthy as the key behind it, so the signing key must be protected and its public half made available to the auditor, so that a record can be checked without having to trust the server that produced it.

What Ackify brings to your ISMS

Complete traceability

Each confirmation generates a record with:

  • User identity (email, OAuth ID)
  • UTC date and time
  • Hash of the exact document version acknowledged, so the record cannot be reattached to a later edit
  • Ed25519 signature over the whole record

Tracking dashboard

Visualize in real-time:

  • Who has confirmed reading
  • Who hasn't read yet
  • History by document

Export for audit

Generate a CSV or JSON report with all evidence—ready for the auditor.
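The two sections above describe what one record contains and how it is exported for the auditor. The following is an added example, not Ackify's own code or schema: it builds a record from the four fields listed (identity, UTC timestamp, document hash, Ed25519 signature), exports it as JSON, and shows the auditor-side check that makes the export useful as evidence. The field names, the `NewAck`/`Verify`/`ExportJSON` functions and the sample policy text are assumptions made for the example; the verification step also shows what happens when a timestamp is backdated after signing, when the wrong document version is presented, or when a different key is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AckRecord holds the fields the article lists for one acknowledgement.
// The layout and field names are assumptions for this example, not Ackify's schema.
type AckRecord struct {
	UserEmail   string `json:"user_email"`
	UserOAuthID string `json:"user_oauth_id"`
	DocID       string `json:"doc_id"`
	DocVersion  string `json:"doc_version"`
	DocSHA256   string `json:"doc_sha256"`   // hash of the exact bytes that were acknowledged
	AckedAtUTC  string `json:"acked_at_utc"` // RFC 3339, always normalised to UTC
}

// payload is the byte string that gets signed. encoding/json writes struct
// fields in declaration order, so for this fixed struct the encoding is
// deterministic; a production format should pin a canonical encoding explicitly.
func (r AckRecord) payload() ([]byte, error) { return json.Marshal(r) }

// SignedAck is one entry of the audit export: the record plus its Ed25519 signature.
type SignedAck struct {
	Record    AckRecord `json:"record"`
	Signature string    `json:"signature"` // hex-encoded Ed25519 signature over Record.payload()
}

// NewAck binds an identity, a UTC timestamp and the document's content hash
// together and signs the result with the server's Ed25519 private key.
func NewAck(priv ed25519.PrivateKey, email, oauthID, docID, version string, doc []byte, at time.Time) (SignedAck, error) {
	sum := sha256.Sum256(doc)
	rec := AckRecord{
		UserEmail: email, UserOAuthID: oauthID,
		DocID: docID, DocVersion: version,
		DocSHA256:  hex.EncodeToString(sum[:]),
		AckedAtUTC: at.UTC().Format(time.RFC3339),
	}
	p, err := rec.payload()
	if err != nil {
		return SignedAck{}, err
	}
	return SignedAck{Record: rec, Signature: hex.EncodeToString(ed25519.Sign(priv, p))}, nil
}

// Verify is the auditor-side check: the signature must validate under the
// published public key, and the stored hash must match the document version
// under review. Either failure means the record is not evidence for that document.
func Verify(pub ed25519.PublicKey, a SignedAck, doc []byte) error {
	p, err := a.Record.payload()
	if err != nil {
		return err
	}
	sig, err := hex.DecodeString(a.Signature)
	if err != nil {
		return fmt.Errorf("bad signature encoding: %w", err)
	}
	if !ed25519.Verify(pub, p, sig) {
		return errors.New("signature invalid: record altered or signed by a different key")
	}
	sum := sha256.Sum256(doc)
	if hex.EncodeToString(sum[:]) != a.Record.DocSHA256 {
		return errors.New("document hash mismatch: acknowledgement is for another version")
	}
	return nil
}

// ExportJSON produces the report handed to the auditor.
func ExportJSON(acks []SignedAck) ([]byte, error) { return json.MarshalIndent(acks, "", "  ") }

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	policy := []byte("ISSP v2.1 (constructed sample document)")
	// Local time on the employee's side; the record stores it in UTC.
	at := time.Date(2025, 11, 25, 10, 30, 0, 0, time.FixedZone("CET", 3600))
	ack, _ := NewAck(priv, "alice@example.com", "oauth|1234", "issp", "2.1", policy, at)

	report, _ := ExportJSON([]SignedAck{ack})
	fmt.Println(string(report))
	fmt.Println("genuine record:", Verify(pub, ack, policy))

	forged := ack
	forged.Record.AckedAtUTC = "2025-11-20T09:30:00Z" // backdating breaks the signature
	fmt.Println("backdated record:", Verify(pub, forged, policy))
	fmt.Println("wrong version:", Verify(pub, ack, []byte("ISSP v2.2")))
}
```

The point the check makes is that the export is verifiable, not merely readable: the auditor needs the public key (published separately from the report) and the document version that was circulated, and can then confirm every entry offline. A record whose timestamp or identity has been edited after the fact fails the first check; a record presented against a newer revision of the policy fails the second.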

Self-hosting

Your data stays on your servers. No dependency on US third parties. Total sovereignty.

Concrete example: ISSP update

Your CISO updates the Information System Security Policy. Here's the workflow with Ackify:

  1. Upload the new document (or link to your internal wiki)
  2. Send an acknowledgement campaign to relevant teams
  3. Track confirmations in real-time
  4. Remind latecomers automatically
  5. Export evidence for the ISMS registry

During the audit, you present the report: name, UTC timestamp, document version and hash, cryptographic signature, plus the public key needed to check it. Compliance demonstrated.

Other relevant documents

Acknowledgement applies to all ISMS documents:

  • Information Security Policy (ISSP)
  • IT Charter
  • Incident management procedures
  • Data classification policy
  • Mobile device usage rules
  • Remote work policy

Conclusion

ISO 27001 requires proof of awareness. Email isn't enough. Timestamped acknowledgement is the appropriate answer—simple for teams, robust for audit.

Ackify is designed for this precise need: an open-source, self-hosted tool with Ed25519 cryptographic signatures.

➡️ Discover Ackify — awareness traceability for your ISMS.

Ready to secure your proofs of acknowledgement?

Create your account in 30 seconds and start tracking reading of your critical documents.