A.6.3 — Do all staff receive IS awareness, education and training relevant to their role?
Demonstrate that all staff receive documented, role-appropriate information security awareness training at induction and through regular refreshers, with completion tracked and content aligned with the current threat landscape and organizational security policies.
Description
What this control does
This control ensures all personnel receive role-appropriate information security awareness training covering organizational policies, acceptable use, threat recognition, incident reporting, and secure working practices. Training programs must be tailored based on job responsibilities, updated regularly to address emerging threats, and delivered through induction processes and ongoing refresher activities. Effective training reduces human error as an attack vector by equipping staff with knowledge to recognize phishing, social engineering, malware, and policy violations before they cause security incidents.
Control objective
What auditing this proves
Demonstrate that all staff receive documented, role-appropriate information security awareness training at induction and through regular refreshers, with completion tracked and content aligned with the current threat landscape and organizational security policies.
Associated risks
Risks this control addresses
- Employees fall victim to phishing campaigns due to a lack of recognition training, leading to credential theft and initial access compromise
- Privileged users mishandle sensitive data or credentials because they lack role-specific security training on access control and data classification
- Staff fail to report suspected security incidents promptly because they are unaware of reporting channels or cannot recognize indicators of compromise
- Social engineering attacks succeed through manipulation of untrained personnel who disclose confidential information or grant unauthorized physical access
- Third-party contractors and temporary staff operate without security awareness, creating gaps in the security culture and inconsistent security practices
- Security policy violations occur due to staff unfamiliarity with acceptable use policies, remote work requirements, or data handling procedures
- Outdated training content fails to address current threat vectors such as deepfake attacks, QR code phishing, or supply chain compromise tactics
Testing procedure
How an auditor verifies this control
- Obtain the information security awareness training policy, curriculum documentation, and role-specific training matrices defining required content for each job function
- Request training completion records for the most recent 12-month period including induction training logs and annual refresher attendance rosters
- Select a stratified sample of at least 25 employees across different departments, seniority levels, and hire dates to verify individual training completion
- Review training content materials including modules, presentations, and assessments to verify coverage of phishing recognition, password security, data classification, incident reporting, acceptable use, and physical security
- Interview a subset of sampled employees to assess retention and practical understanding of key security concepts such as identifying suspicious emails and reporting procedures
- Verify role-specific training delivery for privileged users such as system administrators, developers, and HR staff handling sensitive data
- Examine evidence of training content updates within the past 12 months to confirm incorporation of emerging threats and lessons learned from recent incidents
- Cross-reference new hire onboarding records with training completion dates to confirm security awareness training occurs during the induction period before system access is granted
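The record cross-checks in the testing procedure (induction before system access, a refresher within the last 12 months, role-specific modules for privileged users, and a stratified sample across departments) can be scripted once the HR, identity and training-platform exports are joined on an employee identifier. The following is an added example and not part of the control text: the record layout, the role-to-module mapping and the employee rows are all constructed assumptions, and a real audit would load them from the organization's own exports.

```python
"""Cross-check training completion records against onboarding and access data.

Added illustration; all records below are constructed. Assumed inputs:
a per-employee row joined from HR (hire date), IAM (first access grant)
and the training platform (induction, latest refresher, module list).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional
import random


@dataclass(frozen=True)
class StaffRecord:
    employee_id: str
    department: str
    role: str
    hire_date: date
    access_granted: Optional[date]      # first system access grant from IAM
    induction_completed: Optional[date]  # induction awareness training
    last_refresher: Optional[date]       # most recent annual refresher
    modules: frozenset                   # role-specific modules completed


# Assumed role-to-module matrix; a real one comes from the training policy.
ROLE_MODULES = {
    "sysadmin": {"privileged-access", "data-classification"},
    "developer": {"secure-coding"},
    "hr": {"data-classification"},
}
REFRESHER_WINDOW = timedelta(days=365)


def check_record(rec: StaffRecord, audit_date: date) -> List[str]:
    """Return audit findings for one employee (empty list means compliant)."""
    findings = []
    if rec.induction_completed is None:
        findings.append("no induction training recorded")
    elif rec.access_granted is not None and rec.induction_completed > rec.access_granted:
        findings.append("system access granted before induction training")

    # Latest of induction and refresher must fall inside the 12-month window.
    latest = max(filter(None, [rec.induction_completed, rec.last_refresher]), default=None)
    if latest is None or audit_date - latest > REFRESHER_WINDOW:
        findings.append("no awareness training within the last 12 months")

    missing = ROLE_MODULES.get(rec.role, set()) - set(rec.modules)
    if missing:
        findings.append("missing role-specific module(s): " + ", ".join(sorted(missing)))
    return findings


def audit(records: List[StaffRecord], audit_date: date) -> Dict[str, List[str]]:
    """Map employee id to findings, omitting employees with none."""
    out = {}
    for rec in records:
        findings = check_record(rec, audit_date)
        if findings:
            out[rec.employee_id] = findings
    return out


def stratified_sample(records: List[StaffRecord], per_department: int, seed: int = 0) -> List[StaffRecord]:
    """Pick up to per_department employees from each department (seeded, reproducible)."""
    rng = random.Random(seed)
    by_dept: Dict[str, List[StaffRecord]] = {}
    for rec in records:
        by_dept.setdefault(rec.department, []).append(rec)
    sample = []
    for dept in sorted(by_dept):
        pool = by_dept[dept]
        sample.extend(rng.sample(pool, min(per_department, len(pool))))
    return sample


# Constructed sample population for the audit period ending on AUDIT_DATE.
AUDIT_DATE = date(2025, 3, 1)
SAMPLE_RECORDS = [
    StaffRecord("E001", "engineering", "sysadmin", date(2023, 1, 10), date(2023, 1, 12),
                date(2023, 1, 11), date(2024, 9, 1), frozenset({"privileged-access", "data-classification"})),
    StaffRecord("E002", "engineering", "developer", date(2024, 11, 4), date(2024, 11, 4),
                date(2024, 11, 6), None, frozenset()),
    StaffRecord("E003", "finance", "analyst", date(2022, 5, 2), date(2022, 5, 3),
                date(2022, 5, 2), date(2023, 12, 15), frozenset()),
    StaffRecord("E004", "hr", "hr", date(2024, 2, 19), date(2024, 2, 20),
                None, None, frozenset()),
    StaffRecord("E005", "engineering", "contractor", date(2024, 8, 1), date(2024, 8, 1),
                date(2024, 8, 1), None, frozenset()),
]

if __name__ == "__main__":
    for emp, findings in audit(SAMPLE_RECORDS, AUDIT_DATE).items():
        print(emp, "->", "; ".join(findings))
    print("sample:", [r.employee_id for r in stratified_sample(SAMPLE_RECORDS, 1)])
```

Running the script flags E002 (access granted two days before induction, no secure-coding module), E003 (last training 441 days old) and E004 (no training at all, missing the HR data-classification module), while E001 and E005 pass. Same-day induction and access is accepted because the check is strictly "training after access"; tighten the comparison if the policy requires training to finish before any access is provisioned.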