AT-2 / A.6.3 / CIS-14.1 NIST SP 800-53 Rev 5

Security awareness training

Demonstrate that all personnel receive timely, role-appropriate security awareness training, that completion and effectiveness are monitored, and that the program content reflects current threat landscapes and organizational risks.

Description

What this control does

Security awareness training programs deliver recurring, role-based education to employees, contractors, and privileged users covering topics such as phishing recognition, password hygiene, physical security, data handling, social engineering, and incident reporting. Training is delivered through instructor-led sessions, computer-based modules, simulated phishing campaigns, and tailored exercises for high-risk roles such as developers, administrators, and executives. Effective programs track completion rates, test comprehension, measure behavior change through simulated attacks, and refresh content at least annually to address evolving threats and organizational changes.

Control objective

What auditing this proves

Demonstrate that all personnel receive timely, role-appropriate security awareness training, that completion and effectiveness are monitored, and that the program content reflects current threat landscapes and organizational risks.

Associated risks

Risks this control addresses

  • Employees fall victim to phishing or social engineering attacks due to inability to recognize malicious messages or pretexting techniques
  • Privileged users misconfigure systems or mishandle credentials because they lack training on secure administration practices
  • Personnel inadvertently exfiltrate sensitive data through unauthorized cloud services, personal email, or removable media without understanding data classification policies
  • Contractors or third-party users bypass security controls due to unfamiliarity with organizational policies and acceptable use requirements
  • Insider threats emerge from users who do not understand monitoring, acceptable use boundaries, or consequences of policy violations
  • Incident detection and response delays occur because employees fail to recognize or report suspicious activity to security teams
  • Compliance violations result from personnel not understanding regulatory obligations such as GDPR, HIPAA, or PCI-DSS data handling requirements

Testing procedure

How an auditor verifies this control

  1. Obtain the current security awareness training policy, including documented roles, training frequency, content scope, and mandatory completion requirements.
  2. Request training curriculum materials for baseline awareness and specialized role-based modules, verifying coverage of phishing, password security, physical security, data classification, acceptable use, and incident reporting.
  3. Review the training delivery platform or learning management system (LMS) to confirm tracking capabilities for enrollment, completion dates, quiz scores, and acknowledgment records.
  4. Select a sample of 25-30 employees across departments, roles, and tenure levels, then pull their training completion records for the current audit period.
  5. Verify that each sampled employee completed required baseline training within the defined timeframe (e.g., within 30 days of hire and annually thereafter).
  6. For sampled users in privileged or specialized roles (e.g., developers, system administrators, finance personnel), confirm completion of role-specific supplemental training modules.
  7. Review records of simulated phishing campaigns conducted during the audit period, including click rates, reporting rates, and remedial training for users who failed simulations.
  8. Interview the security awareness program owner to confirm how training content is updated in response to new threats, incidents, or regulatory changes, and review evidence of updates made in the past 12 months.

Evidence required

Collect training policy documents, curriculum outlines, and role-mapping matrices. Export LMS completion reports, quiz results, and acknowledgment logs for sampled users covering the audit period. Obtain simulated phishing campaign results, remediation tracking records, and screenshots of training modules showing content topics and versioning dates.

Pass criteria

All sampled users completed required baseline and role-specific security awareness training within policy-defined timelines, simulated phishing campaigns were conducted at least quarterly with results documented, and training content was reviewed and updated within the past 12 months.
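As an added illustration, not part of the control text, the following Python applies the pass criteria above (30-day onboarding window, annual refresh, role-specific modules for privileged roles, quarterly phishing campaigns, content updated within 12 months) to constructed LMS and campaign evidence. The record layout, role list and dates are assumptions, not a real LMS export format.

```python
from datetime import date
# Constructed sample evidence (not real data): audit period, LMS export, phishing campaign log.
AUDIT_START, AUDIT_END = date(2024, 1, 1), date(2024, 12, 31)
PRIVILEGED_ROLES = {"developer", "sysadmin", "finance"}  # roles mapped to supplemental modules
LMS_EXPORT = [
    {"user": "a.lee", "role": "developer", "hired": date(2022, 3, 10),
     "baseline": [date(2022, 4, 1), date(2023, 3, 20), date(2024, 3, 1)], "role_module": [date(2024, 5, 2)]},
    {"user": "b.kim", "role": "analyst", "hired": date(2024, 6, 3),
     "baseline": [date(2024, 7, 20)], "role_module": []},  # baseline 47 days after hire: too late
    {"user": "c.ray", "role": "sysadmin", "hired": date(2022, 1, 3),
     "baseline": [date(2022, 1, 20), date(2023, 1, 10), date(2024, 1, 8)], "role_module": []},  # no admin module
]
PHISHING_CAMPAIGNS = [date(2024, 2, 14), date(2024, 5, 9), date(2024, 11, 20)]  # nothing in Q3
CONTENT_LAST_UPDATED = date(2024, 9, 15)

def quarter(d):
    return (d.year, (d.month - 1) // 3 + 1)

def baseline_current(rec, end=AUDIT_END, onboarding_days=30, refresh_days=365):
    """Baseline done within 30 days of hire and never lapsed more than a year, up to the period end."""
    done = sorted(rec["baseline"])
    if not done or (done[0] - rec["hired"]).days > onboarding_days:
        return False
    return all((b - a).days <= refresh_days for a, b in zip(done, done[1:] + [end]))

def role_training_current(rec, start=AUDIT_START, end=AUDIT_END):
    """Privileged roles need a role-specific module completed inside the audit period."""
    return rec["role"] not in PRIVILEGED_ROLES or any(start <= d <= end for d in rec["role_module"])
def evaluate(records=LMS_EXPORT, campaigns=PHISHING_CAMPAIGNS,
             content_updated=CONTENT_LAST_UPDATED, start=AUDIT_START, end=AUDIT_END):
    """Apply the pass criteria to the evidence; an empty dict means the sample passes."""
    findings = {}
    for rec in records:
        issues = []
        if not baseline_current(rec, end):
            issues.append("baseline training late or lapsed")
        if not role_training_current(rec, start, end):
            issues.append("role-specific module missing")
        if issues:
            findings[rec["user"]] = issues
    # Quarterly cadence: every quarter the audit period touches needs at least one campaign.
    expected = {(y, q) for y in range(start.year, end.year + 1) for q in range(1, 5)
                if quarter(start) <= (y, q) <= quarter(end)}
    covered = {quarter(d) for d in campaigns if start <= d <= end}
    for y, q in sorted(expected - covered):
        findings.setdefault("phishing_campaigns", []).append(f"no campaign in {y} Q{q}")
    if (end - content_updated).days > 365:
        findings["content"] = ["not reviewed or updated within the past 12 months"]
    return findings
```

Running `evaluate()` on the constructed sample flags the late onboarding completion, the missing administrator module, and the quarter with no simulated phishing campaign, which is the set of exceptions an auditor would write up against the pass criteria.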