Is cybersecurity training delivered to all staff annually with role-based content (Art 21.2.g)?
Demonstrate that the organization delivers annual cybersecurity training to 100% of staff with role-appropriate content aligned to NIS2 Article 21.2.g requirements, and maintains verifiable records of completion and content.
Description
What this control does
This control requires that all personnel within the organization receive cybersecurity training at least annually, with content tailored to their specific roles and responsibilities. Training must be documented, delivered consistently, cover NIS2-relevant topics including incident response and secure practices, and differentiate between general staff awareness and specialized training for technical, privileged, or high-risk roles. The control ensures the human element of cybersecurity is continuously reinforced, reducing organizational vulnerability through education.
Control objective
What auditing this proves
Demonstrate that the organization delivers annual cybersecurity training to 100% of staff with role-appropriate content aligned to NIS2 Article 21.2.g requirements, and maintains verifiable records of completion and content.
Associated risks
Risks this control addresses
- Phishing attacks succeed due to staff inability to recognize social engineering tactics and malicious emails
- Privileged users mishandle administrative credentials or bypass security controls due to lack of role-specific secure administration training
- Insider threats materialize when employees lack awareness of acceptable use policies, data handling requirements, and reporting obligations
- Incident response delays occur because staff do not recognize security events or understand escalation procedures
- Regulatory non-compliance penalties arise from failure to meet NIS2 mandatory training requirements under Article 21.2.g
- Third-party or supply chain compromises succeed when staff grant inappropriate access or share sensitive information without verification
- Configuration errors and mishandling of security tools occur when technical staff lack role-specific training on secure development, infrastructure hardening, or security operations
Testing procedure
How an auditor verifies this control
- Obtain the complete roster of current employees, contractors, and privileged users as of the audit date, segmented by role category (general staff, technical, administrative, management, third-party).
- Request the organization's annual cybersecurity training policy, training curriculum documentation, and role-based training matrix showing content differentiation by role type.
- Review training completion records for the current audit period (past 12 months), including learning management system (LMS) reports, attendance logs, and completion certificates.
- Select a stratified sample of at least 25 personnel across different role categories and verify individual training completion dates, content accessed, and assessment scores if applicable.
- Examine training content modules to confirm coverage of NIS2-relevant topics including phishing awareness, password hygiene, incident reporting, data protection, and role-specific topics such as secure coding, privileged access management, or supply chain security.
- Interview a sample of 5-10 personnel from different roles to validate they received training, can recall key concepts, and confirm the content was relevant to their duties.
- Verify the organization's process for delivering training to new hires within a defined onboarding period and confirm records exist for personnel hired during the audit period.
- Review tracking mechanisms for non-completion, escalation procedures for overdue training, and evidence of remedial actions taken for non-compliant personnel.
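The roster-to-records reconciliation that steps 1, 3, 6 and 7 of the procedure describe is easy to do badly by hand, so here is an added example script (not part of this control page, and not any organization's LMS tooling) that performs it over constructed data. It assumes a roster export with `id`, `role` and `hired` fields, an LMS export with one row per `module` completion, a 12-month currency window, a hypothetical 30-day onboarding deadline, and an assumed role-based training matrix; all of these are placeholders for the organization's own policy values. It also handles two evidence-quality edge cases an auditor looks for: completion records that fall after the audit date, and records for people who are not on the roster.

```python
"""Reconcile a staff roster against LMS completion records for the annual
role-based training control (added example; constructed sample data,
hypothetical field names and policy values)."""
from datetime import date, timedelta

AUDIT_DATE = date(2024, 6, 30)
ANNUAL_WINDOW = timedelta(days=365)     # "at least annually"
ONBOARDING_WINDOW = timedelta(days=30)  # assumed onboarding deadline from policy

# Assumed role-based training matrix: modules each role category must complete.
GENERAL_MODULES = {"phishing", "password_hygiene", "incident_reporting", "data_protection"}
REQUIRED_MODULES = {
    "general": GENERAL_MODULES,
    "technical": GENERAL_MODULES | {"secure_coding"},
    "privileged": GENERAL_MODULES | {"privileged_access"},
    "third_party": {"phishing", "incident_reporting", "data_protection", "supply_chain"},
}

# Constructed roster as of the audit date.
ROSTER = [
    {"id": "E001", "role": "general", "hired": date(2019, 1, 15)},
    {"id": "E002", "role": "technical", "hired": date(2020, 3, 1)},
    {"id": "E003", "role": "privileged", "hired": date(2018, 7, 20)},
    {"id": "E004", "role": "general", "hired": date(2024, 6, 15)},   # new hire, 15 days in
    {"id": "E005", "role": "general", "hired": date(2024, 4, 1)},    # new hire, 90 days in
    {"id": "C001", "role": "third_party", "hired": date(2021, 9, 1)},
]


def _rows(pid, modules, completed):
    """Build constructed LMS rows: one row per module completion."""
    return [{"id": pid, "module": m, "completed": completed} for m in modules]


# Constructed LMS export.
COMPLETIONS = (
    _rows("E001", GENERAL_MODULES, date(2024, 1, 10))
    + _rows("E002", GENERAL_MODULES, date(2024, 2, 1))
    + _rows("E002", {"secure_coding"}, date(2023, 3, 15))        # older than 12 months
    + _rows("E003", GENERAL_MODULES, date(2024, 3, 1))           # no privileged_access module
    + _rows("E005", {"phishing"}, date(2024, 7, 2))              # dated after the audit date
    + _rows("C001", REQUIRED_MODULES["third_party"], date(2023, 9, 1))
    + _rows("E999", {"phishing"}, date(2024, 5, 5))              # person not on the roster
)


def reconcile(roster, completions, audit_date=AUDIT_DATE):
    """Return the completion rate and per-person findings for the audit period."""
    roster_ids = {p["id"] for p in roster}
    latest = {}      # (person, module) -> most recent completion on or before audit_date
    orphans = set()  # LMS records with no matching roster entry (evidence-quality issue)
    for c in completions:
        if c["id"] not in roster_ids:
            orphans.add(c["id"])
            continue
        if c["completed"] > audit_date:
            continue  # outside the audit period; must not count as evidence
        key = (c["id"], c["module"])
        if key not in latest or c["completed"] > latest[key]:
            latest[key] = c["completed"]

    findings, compliant = [], 0
    for p in roster:
        missing, stale = [], []
        for module in sorted(REQUIRED_MODULES[p["role"]]):
            done = latest.get((p["id"], module))
            if done is None:
                missing.append(module)
            elif audit_date - done > ANNUAL_WINDOW:
                stale.append(module)
        if not missing and not stale:
            compliant += 1
            continue
        # A new hire still inside the onboarding window is pending, not overdue,
        # unless they already hold a completion that has gone stale.
        in_onboarding = audit_date - p["hired"] <= ONBOARDING_WINDOW
        status = "onboarding_pending" if in_onboarding and not stale else "non_compliant"
        findings.append({"id": p["id"], "role": p["role"], "status": status,
                         "missing": missing, "stale": stale})
    return {
        "completion_rate": compliant / len(roster),
        "findings": findings,
        "orphan_records": sorted(orphans),
    }


if __name__ == "__main__":
    report = reconcile(ROSTER, COMPLETIONS)
    print(f"completion rate: {report['completion_rate']:.0%}")
    for f in report["findings"]:
        print(f"{f['id']:5} {f['role']:11} {f['status']:18} "
              f"missing={f['missing']} stale={f['stale']}")
    print("orphan LMS records:", report["orphan_records"])
```

On this constructed data the completion rate is 2 of 6, which is the number the 100% target in the control objective is compared against; the findings list is what feeds the escalation and remediation review in the last step, and the orphan record is the kind of discrepancy that should prompt a question about how the LMS roster is kept in sync with HR.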