AT-2 / A.6.3 / CIS-14.2 NIST SP 800-53 Rev 5

How often do users receive phishing-specific awareness training?

Description

What this control does

This control establishes the frequency at which users receive targeted training on recognizing and responding to phishing attacks. Organizations define a recurring schedule (e.g., quarterly, annually) for delivering phishing-specific education that covers tactics such as email spoofing, malicious links, credential harvesting, and social engineering techniques. A regular cadence keeps users current on evolving phishing methods and reinforces secure behaviors throughout the user lifecycle.

Control objective

What auditing this proves

Demonstrate that the organization delivers phishing-specific security awareness training to all users at a defined, documented frequency and maintains records proving consistent adherence to that schedule.

Associated risks

Risks this control addresses

  • Users lacking recent phishing training click malicious links or attachments, leading to malware infection or credential compromise
  • Stale training fails to address emerging phishing techniques such as QR code phishing, adversary-in-the-middle, or deepfake social engineering
  • Inconsistent training schedules create knowledge gaps where high-risk user populations remain vulnerable for extended periods
  • Absence of documented training frequency prevents measurement of program effectiveness and identification of at-risk cohorts
  • Users who receive infrequent training develop false confidence or forget proper incident reporting procedures, delaying threat response
  • Organizations fail regulatory or contractual obligations requiring periodic security awareness education, resulting in audit findings or penalties
  • New employees or contractors onboarded between training cycles operate without phishing awareness, creating exploitable attack surface

Testing procedure

How an auditor verifies this control

  1. Obtain the organization's security awareness training policy or procedure document that specifies the defined frequency for phishing-specific training.
  2. Review training curriculum materials to verify phishing-specific content is distinct and substantive, covering email indicators, link validation, attachment handling, and reporting procedures.
  3. Request the training platform's system-generated report or learning management system (LMS) export showing all users, training completion dates, and phishing module identifiers for the past 18 months.
  4. Select a representative sample of at least 25 users across different departments, roles, and hire dates to validate individual training histories.
  5. For each sampled user, verify completion timestamps align with the documented frequency requirement and identify any gaps exceeding the defined interval.
  6. Cross-reference the sampled users against HR or identity management system records to confirm active employment status during the review period and validate no excluded populations exist without justification.
  7. Interview the security awareness program owner to confirm processes for tracking overdue training, escalating non-compliance, and handling exceptions such as leave of absence or role changes.
  8. Review remediation records or follow-up training logs for users who failed simulated phishing exercises to verify the organization adjusts training frequency or content based on risk indicators.

Evidence required

Auditor collects the security awareness policy document defining phishing training frequency, LMS-generated completion reports with user identifiers and timestamps, curriculum outlines or training module screenshots demonstrating phishing-specific content, and exception or remediation logs showing handling of non-compliant users. Additional evidence includes interview notes with the program owner and correlation records linking training data to Active Directory or HRIS exports.

Pass criteria

The organization maintains a documented phishing training frequency, delivers training to all sampled users within the defined interval with no unexplained gaps exceeding 30 days beyond the policy requirement, and demonstrates operational processes for tracking and remediating non-compliance.
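The interval check in steps 3, 5 and 6 of the testing procedure, together with the 30-day tolerance from the pass criteria, can be automated over the LMS export and HR roster. The following Python script is an added example and is not part of this control page or of any LMS vendor's tooling. It assumes an annual policy frequency, a phishing module identifier `PHISH-101`, and CSV exports with the columns shown; the user records, dates and module identifiers are constructed. The sampling of step 4 and the interview steps are not covered.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample exports (not from any real LMS or HRIS).
LMS_EXPORT = """user_id,module_id,completed_on
u001,PHISH-101,2024-01-15
u001,PHISH-101,2025-01-10
u002,PHISH-101,2024-02-01
u002,SEC-GEN,2025-01-20
u003,PHISH-101,2024-11-05
u004,PHISH-101,2023-12-20
u004,PHISH-101,2025-02-10
u007,PHISH-101,2025-03-01
"""

HR_ROSTER = """user_id,hire_date,status
u001,2021-06-01,active
u002,2022-03-15,active
u003,2024-10-01,active
u004,2020-01-10,active
u005,2024-05-01,active
u006,2019-04-01,terminated
u007,2022-09-01,active
"""

PHISHING_MODULES = {"PHISH-101"}  # assumed module id; general modules do not count
POLICY_INTERVAL_DAYS = 365        # assumed documented frequency: annual
GRACE_DAYS = 30                   # pass criteria: 30 days beyond policy


@dataclass
class Finding:
    user_id: str
    kind: str       # "no_record" | "late_initial" | "gap" | "overdue"
    days: int = 0   # observed span that exceeded the allowed interval


def _rows(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def evaluate(lms_text: str, hr_text: str, review_start: date, review_end: date,
             interval_days: int = POLICY_INTERVAL_DAYS,
             grace_days: int = GRACE_DAYS) -> list[Finding]:
    """Return one Finding per policy breach for active roster users."""
    allowed = interval_days + grace_days

    # Phishing-specific completions per user (step 3 of the testing procedure)
    completions: dict[str, list[date]] = {}
    for row in _rows(lms_text):
        if row["module_id"] in PHISHING_MODULES:
            completions.setdefault(row["user_id"], []).append(
                date.fromisoformat(row["completed_on"]))

    findings: list[Finding] = []
    for person in _rows(hr_text):
        # Cross-reference against HR (step 6): only active staff are in scope,
        # and active staff absent from the LMS export are reported.
        if person["status"] != "active":
            continue
        uid = person["user_id"]
        dates = sorted(completions.get(uid, []))
        if not dates:
            findings.append(Finding(uid, "no_record"))
            continue

        # The obligation clock starts at hire or at the review window start,
        # whichever is later; completions before the window are not exported.
        clock_start = max(date.fromisoformat(person["hire_date"]), review_start)
        first_span = (dates[0] - clock_start).days
        if first_span > allowed:
            findings.append(Finding(uid, "late_initial", first_span))

        # Consecutive completions must not be further apart than allowed (step 5)
        for earlier, later in zip(dates, dates[1:]):
            span = (later - earlier).days
            if span > allowed:
                findings.append(Finding(uid, "gap", span))

        # Time since the most recent completion must also be within limits
        tail = (review_end - dates[-1]).days
        if tail > allowed:
            findings.append(Finding(uid, "overdue", tail))
    return findings


def run_sample() -> list[Finding]:
    """Evaluate the constructed data over an 18-month review window."""
    return evaluate(LMS_EXPORT, HR_ROSTER,
                    review_start=date(2024, 1, 1), review_end=date(2025, 6, 30))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user_id}: {f.kind}" + (f" ({f.days} days)" if f.days else ""))
```

On the constructed data the script flags four users: one whose only recent completion was a general security module rather than phishing content, one with a gap between completions longer than 395 days, one active employee with no LMS record at all, and one whose first completion in the window came too late. Any such finding would need either an approved exception or remediation evidence before the sampled user could be counted as passing.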