Is security awareness training delivered consistently across the organization?
Demonstrate that security awareness training is delivered with uniform content, frequency, and tracking across all organizational units, roles, and employment categories.
Description
What this control does
This control ensures security awareness training is delivered uniformly to all personnel across business units, locations, and employment types (full-time, contractors, third parties with access). A consistent training program includes standardized content, defined frequency (typically annual with onboarding), tracking mechanisms, and evidence of completion. Without consistency, coverage gaps emerge where certain groups remain unaware of phishing indicators, data handling requirements, or incident reporting procedures, creating exploitable human vulnerabilities.
Control objective
What auditing this proves
Demonstrate that security awareness training is delivered with uniform content, frequency, and tracking across all organizational units, roles, and employment categories.
Associated risks
Risks this control addresses
- Attackers exploit untrained or inconsistently trained user populations through social engineering campaigns targeting departments with weaker awareness coverage
- Personnel in remote offices or acquired business units fail to recognize phishing emails, leading to credential compromise and lateral movement
- Contractors and third-party users with system access lack training on acceptable use policies, resulting in unintentional data exfiltration or policy violations
- Inconsistent training frequencies allow knowledge decay, reducing vigilance against current threat tactics between training cycles
- New hires operate without security awareness during critical onboarding periods, creating windows of vulnerability during account provisioning
- Legal and regulatory non-compliance due to inability to demonstrate organization-wide security education for data protection requirements
- Incident response delays occur when untrained personnel fail to recognize or report suspicious activity through proper channels
Testing procedure
How an auditor verifies this control
- Obtain the security awareness training policy and procedure documentation defining scope, frequency, content standards, and target populations
- Request a complete roster of active personnel including employees, contractors, and third-party users with system access, segmented by department, location, and employment type
- Obtain training completion records from the learning management system (LMS) or tracking database for the most recent training cycle, including completion dates and training module versions
- Calculate training coverage rates by comparing completion records against the personnel roster for each organizational segment (department, location, employment type)
- Select a stratified sample of at least 25 individuals across different business units, locations, and roles to verify training completion records match individual certificates or LMS transcripts
- Review training content modules delivered to different populations to verify consistency in core topics (phishing, password security, data classification, incident reporting, acceptable use)
- Interview training coordinators from three different business units or locations to validate delivery timelines, content versioning, and escalation procedures for non-completion
- Examine evidence of onboarding training for new hires by reviewing 10 personnel records from the past 90 days to confirm training completion within defined onboarding windows
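As an added worked example (not part of the control text), the coverage calculation, module-version consistency check and onboarding-window check from the testing procedure, expressed as a Python reconciliation of a personnel roster against LMS completion records. The roster, completion records and the 30-day onboarding window are constructed assumptions, not values from any real policy or system.

```python
from collections import defaultdict
from datetime import date, timedelta
# Constructed sample data (not a real HR or LMS export); the 30-day onboarding
# window is an assumed policy value used only for this example.
ROSTER = [  # (person_id, department, location, employment_type, start_date)
    ("u1", "finance", "hq", "employee", date(2023, 2, 1)),
    ("u2", "finance", "hq", "contractor", date(2023, 6, 1)),
    ("u3", "eng", "remote", "employee", date(2022, 9, 1)),
    ("u4", "eng", "remote", "employee", date(2024, 5, 20)),  # recent hire
    ("u5", "ops", "acq-co", "third_party", date(2021, 1, 1)),
]
COMPLETIONS = [  # (person_id, completed_on, module_version)
    ("u1", date(2024, 3, 10), "2024.1"),
    ("u2", date(2023, 4, 2), "2023.1"),  # previous cycle: does not count
    ("u3", date(2024, 3, 12), "2024.1"),
]
CYCLE_START = date(2024, 1, 1)
AS_OF = date(2024, 7, 1)
ONBOARDING_WINDOW = timedelta(days=30)

def latest_completion(completions, since):
    """Latest completion on/after `since` per person: {id: (date, version)}."""
    latest = {}
    for pid, done, ver in completions:
        if done >= since and (pid not in latest or done > latest[pid][0]):
            latest[pid] = (done, ver)
    return latest

def coverage_by_segment(roster, completions, cycle_start):
    """(trained, total) per department, location and employment type."""
    trained = latest_completion(completions, cycle_start)
    stats = defaultdict(lambda: [0, 0])
    for pid, dept, loc, etype, _ in roster:
        for key in (("department", dept), ("location", loc), ("type", etype)):
            stats[key][1] += 1
            stats[key][0] += pid in trained
    return {key: (t, n) for key, (t, n) in stats.items()}

def onboarding_gaps(roster, completions, as_of, window):
    """Hires from the last 90 days whose window has elapsed without training."""
    trained = latest_completion(completions, date.min)
    return [pid for pid, _, _, _, start in roster
            if as_of - timedelta(days=90) <= start and as_of - start > window
            and (pid not in trained or trained[pid][0] - start > window)]

def module_versions(completions, cycle_start):
    """Distinct module versions delivered this cycle; more than one is a finding."""
    return {ver for _, ver in latest_completion(completions, cycle_start).values()}
```

Segments with a coverage ratio below the policy target, any new hire returned by `onboarding_gaps`, and a `module_versions` set with more than one entry are the exceptions an auditor would raise against the control.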