AT-2 / A.6.3 / CIS-14.1 NIST SP 800-53 Rev 5

Has the team had any cyber awareness training in the last year?

Demonstrate that all employees and relevant contractors have completed documented cybersecurity awareness training within the trailing twelve-month period.

Description

What this control does

This control validates that all team members have completed cybersecurity awareness training within the past twelve months. Organizations deliver this training through formal programs covering topics such as phishing recognition, password hygiene, social engineering tactics, data handling, incident reporting, and acceptable use policies. Regular annual refresher training ensures personnel remain current on evolving threats and organizational security expectations, reducing human-factor risk across the enterprise.

Control objective

What auditing this proves

Demonstrate that all employees and relevant contractors have completed documented cybersecurity awareness training within the trailing twelve-month period.

Associated risks

Risks this control addresses

  • Employees falling victim to phishing attacks due to inability to recognize malicious emails or links
  • Unintentional data exfiltration or exposure through poor handling of sensitive information
  • Credential compromise from weak password practices or password reuse across accounts
  • Failure to report security incidents promptly, allowing threats to propagate undetected
  • Social engineering exploitation due to lack of awareness about manipulation tactics
  • Insider threat enablement through ignorance of acceptable use policies and monitoring practices
  • Non-compliance with regulatory requirements mandating periodic security awareness training

Testing procedure

How an auditor verifies this control

  1. Request the organization's cybersecurity awareness training policy and supporting documentation defining frequency, scope, and required participants.
  2. Obtain a complete roster of all current employees, contractors, and third-party personnel with system access as of the audit date.
  3. Request training completion records from the learning management system (LMS) or training platform covering the trailing twelve-month period.
  4. Generate a comparison report matching personnel roster against training completion records to identify any individuals without documented training.
  5. Select a stratified random sample of 15-25 individuals across departments and roles to validate training completion details.
  6. For sampled individuals, verify training completion dates, module topics covered, assessment scores (if applicable), and certificate issuance.
  7. Interview human resources and security team members to confirm processes for onboarding training and tracking overdue completions.
  8. Review evidence of follow-up actions taken for personnel who missed training deadlines or failed assessments.
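Steps 3 to 5 above amount to a data reconciliation: take the personnel roster, take the LMS completion export, find everyone with system access who has no passed completion inside the trailing twelve months, and then draw a stratified sample for detailed checking. The script below is an added example written for this page; it is not part of the control text and is not any LMS vendor's tooling. The roster, the LMS export, the audit date and the field names (`email`, `completed`, `status`, `role`) are all constructed assumptions; a real export will need its columns mapped to these names.

```python
"""Roster-vs-LMS reconciliation for annual security awareness training.

Constructed example: the roster and LMS rows below are made up, and the
column names are assumptions about what a real LMS export would contain.
"""
import random
from datetime import date, timedelta

# Constructed personnel roster as of the audit date (testing procedure step 2).
ROSTER = [
    {"id": "E001", "email": "Alice@Example.com", "role": "engineering", "access_date": date(2021, 3, 1)},
    {"id": "E002", "email": "bob@example.com", "role": "finance", "access_date": date(2022, 6, 15)},
    {"id": "C003", "email": "carol@contractor.example", "role": "contractor", "access_date": date(2023, 9, 1)},
    {"id": "E004", "email": "dave@example.com", "role": "support", "access_date": date(2020, 1, 10)},
]

# Constructed LMS completion export (step 3); one row per attempt, not per person.
LMS_RECORDS = [
    {"email": "alice@example.com", "completed": date(2024, 2, 10), "module": "Security Awareness 2024", "score": 92, "status": "passed"},
    {"email": "bob@example.com", "completed": date(2023, 1, 5), "module": "Security Awareness 2023", "score": 88, "status": "passed"},
    {"email": "carol@contractor.example", "completed": date(2024, 5, 20), "module": "Security Awareness 2024", "score": 55, "status": "failed"},
    {"email": "dave@example.com", "completed": date(2023, 8, 30), "module": "Security Awareness 2023", "score": 95, "status": "passed"},
    {"email": "dave@example.com", "completed": date(2024, 6, 1), "module": "Security Awareness 2024", "score": 90, "status": "passed"},
]

AUDIT_DATE = date(2024, 7, 1)  # constructed audit date


def normalize(email):
    """Match roster and LMS identities case-insensitively; exports rarely agree on case."""
    return email.strip().lower()


def latest_passed_completion(records):
    """Return {email: most recent record with status 'passed'}; failed attempts do not count."""
    latest = {}
    for rec in records:
        if rec["status"] != "passed":
            continue
        key = normalize(rec["email"])
        if key not in latest or rec["completed"] > latest[key]["completed"]:
            latest[key] = rec
    return latest


def reconcile(roster, records, audit_date, window_days=365):
    """Step 4: everyone on the roster without a passed completion in the trailing window."""
    cutoff = audit_date - timedelta(days=window_days)
    latest = latest_passed_completion(records)
    noncompliant = []
    for person in roster:
        rec = latest.get(normalize(person["email"]))
        if rec is None:
            reason = "no passed completion on record"
        elif rec["completed"] > audit_date:
            reason = "completion dated after the audit date (data quality issue)"
        elif rec["completed"] < cutoff:
            reason = f"last passed completion {rec['completed']} is before cutoff {cutoff}"
        else:
            continue
        noncompliant.append({"id": person["id"], "email": person["email"], "role": person["role"], "reason": reason})
    compliant = len(roster) - len(noncompliant)
    return {
        "cutoff": cutoff,
        "noncompliant": noncompliant,
        "compliance_pct": round(100.0 * compliant / len(roster), 1) if roster else 0.0,
    }


def stratified_sample(roster, per_role, seed=0):
    """Step 5: a reproducible random sample of up to per_role people from each role."""
    rng = random.Random(seed)
    by_role = {}
    for person in roster:
        by_role.setdefault(person["role"], []).append(person)
    sample = []
    for role in sorted(by_role):
        sample.extend(rng.sample(by_role[role], min(per_role, len(by_role[role]))))
    return sample


if __name__ == "__main__":
    result = reconcile(ROSTER, LMS_RECORDS, AUDIT_DATE)
    print(f"cutoff {result['cutoff']}, compliance {result['compliance_pct']}%")
    for finding in result["noncompliant"]:
        print(f"  {finding['id']} {finding['email']}: {finding['reason']}")
    print("sample:", [p["id"] for p in stratified_sample(ROSTER, per_role=1)])
```

On the constructed data the report lists two people: one whose only completion is older than the window and one contractor whose only attempt was a failed assessment. A failed attempt is treated as no completion because the control asks for documented completion, and the pass criterion is 100% of personnel with system access, so any non-empty finding list fails the control. The sample is seeded so the auditor's working papers can reproduce exactly which individuals were drawn.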

Evidence required

Collect the cybersecurity awareness training policy document, complete personnel roster with access dates, LMS-generated completion reports showing training dates and assessment results for all personnel, training certificates or completion records for sampled individuals, automated reminder notifications for overdue training, and escalation procedures for non-compliance. Interview notes with HR and security personnel documenting enforcement processes should also be retained.

Pass criteria

100% of current personnel with system access have documented completion of cybersecurity awareness training within the trailing twelve months, with evidence of systematic tracking and escalation for non-compliance.