Do staff know what to do if they get a suspicious email or click something they shouldn’t have?
Demonstrate that employees can identify suspicious emails, understand the organization's incident reporting process, and know the immediate response actions required when a potential security incident occurs.
Description
What this control does
This control ensures that staff are trained to recognize phishing and social engineering attempts, understand the organization's reporting procedures, and know the immediate steps to take if they suspect compromise (e.g., clicking a malicious link or opening a suspicious attachment). It typically includes documented incident reporting workflows, accessible helpdesk or security team contact channels, and periodic awareness training that covers real-world attack scenarios. The control reduces dwell time after user-initiated compromise and enables rapid containment before lateral movement or data exfiltration occurs.
Control objective
What auditing this proves
Demonstrate that employees can identify suspicious emails, understand the organization's incident reporting process, and know the immediate response actions required when a potential security incident occurs.
Associated risks
Risks this control addresses
- Phishing emails leading to credential theft go unreported, allowing attackers prolonged access to user accounts
- Malware delivery via email attachment results in endpoint compromise without timely isolation or remediation
- Business email compromise (BEC) attacks succeed because staff fail to verify unusual payment or data requests
- Ransomware spreads laterally across the network due to delayed reporting of suspicious activity
- Users attempt to hide mistakes rather than report incidents, preventing security teams from containing breaches
- Lack of clear reporting channels causes delays in escalation, increasing attacker dwell time
- Spear-phishing targeting high-privilege users succeeds because staff lack awareness of advanced social engineering techniques
Testing procedure
How an auditor verifies this control
- Obtain the current security awareness training curriculum and verify it includes phishing recognition, reporting procedures, and post-click response actions.
- Review training completion records for a representative sample of staff across departments to confirm recent completion dates within the policy-defined interval.
- Examine documented incident reporting procedures including contact channels, escalation workflows, and expected response timeframes for user-reported suspicious emails.
- Interview a sample of 8-10 employees across different roles and departments to assess their knowledge of how to report suspicious emails and what immediate actions to take if they click a malicious link.
- Request records of user-reported phishing or suspicious email incidents from the past 12 months, including timestamps, reporter identities, and security team response actions.
- If available, review results from simulated phishing exercises including click rates, reporting rates, and time-to-report metrics.
- Verify the existence and accessibility of reporting mechanisms such as a dedicated security email address, helpdesk ticketing system category, or integrated email client reporting button.
- Validate that post-incident guidance is documented and accessible to staff, covering actions such as disconnecting from the network, notifying IT/security, changing passwords, and preserving evidence.
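Two of the testing steps above (checking training completion against the policy interval, and reviewing simulated phishing results for click rates, reporting rates and time-to-report) are easier to evidence when the auditor computes the figures from exported records rather than accepting a summary. The following is an added example, not part of this control text or any tool it references; the record layouts, user identifiers, the 60-minute reporting target and the 365-day training interval are all constructed assumptions.

```python
from datetime import date, datetime, timedelta
from statistics import median

# Constructed sample (not from any real exercise): one record per simulated
# phishing email sent. Timestamps are ISO-8601; None means the event never happened.
SIMULATION_RECORDS = [
    {"user": "u001", "sent": "2024-03-04T09:00:00", "clicked": "2024-03-04T09:12:00", "reported": "2024-03-04T09:20:00"},
    {"user": "u002", "sent": "2024-03-04T09:00:00", "clicked": None,                  "reported": "2024-03-04T09:05:00"},
    {"user": "u003", "sent": "2024-03-04T09:00:00", "clicked": "2024-03-04T10:30:00", "reported": None},
    {"user": "u004", "sent": "2024-03-04T09:00:00", "clicked": None,                  "reported": None},
    {"user": "u005", "sent": "2024-03-04T09:00:00", "clicked": None,                  "reported": "2024-03-05T11:00:00"},
]

# Constructed training-completion sample: date of each user's most recent
# completed awareness course, or None if no completion is on record.
TRAINING_RECORDS = [
    {"user": "u001", "department": "finance", "completed": "2023-07-15"},
    {"user": "u002", "department": "finance", "completed": "2023-03-01"},
    {"user": "u003", "department": "ops",     "completed": None},
    {"user": "u004", "department": "ops",     "completed": "2024-01-20"},
]


def _minutes_between(start_iso, end_iso):
    """Elapsed minutes between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end_iso) - datetime.fromisoformat(start_iso)
    return delta.total_seconds() / 60


def simulation_metrics(records, report_sla_minutes=60):
    """Click rate, reporting rate and time-to-report for one simulation round.

    report_sla_minutes is an assumed target for how quickly a report should
    arrive after the email is delivered; the control text sets no value.
    """
    sent = len(records)
    clicked = [r for r in records if r["clicked"]]
    reported = [r for r in records if r["reported"]]
    times = [_minutes_between(r["sent"], r["reported"]) for r in reported]
    return {
        "sent": sent,
        "click_rate": len(clicked) / sent if sent else 0.0,
        "report_rate": len(reported) / sent if sent else 0.0,
        "median_minutes_to_report": median(times) if times else None,
        "reported_within_sla": sum(1 for t in times if t <= report_sla_minutes),
        # Users who clicked but never reported: the population the
        # "hiding mistakes" risk above is about, and the one to follow up on.
        "clicked_not_reported": sorted(r["user"] for r in clicked if not r["reported"]),
    }


def overdue_training(records, as_of_iso, interval_days=365):
    """Users whose most recent completion is missing or older than the policy
    interval as of the audit date. interval_days=365 is an assumed policy value."""
    cutoff = date.fromisoformat(as_of_iso) - timedelta(days=interval_days)
    overdue = []
    for r in records:
        done = r["completed"]
        if done is None or date.fromisoformat(done) < cutoff:
            overdue.append(r["user"])
    return sorted(overdue)


if __name__ == "__main__":
    print(simulation_metrics(SIMULATION_RECORDS))
    print(overdue_training(TRAINING_RECORDS, as_of_iso="2024-06-01"))
```

With the constructed data the round shows a 40% click rate and a 60% reporting rate, a median of 20 minutes to report, and one user (u003) who clicked without reporting; the training check flags u002 (stale completion) and u003 (no completion on record). Those are the figures an auditor would compare against the policy-defined interval and any reporting-time target the organization has set.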