AuditRubric
PR.AT-1 | Severity: high | Protect / Awareness and Training

Personnel are provided with security awareness training to perform their work with cybersecurity risks in mind

Most breaches start with a human action: clicking a phishing link, using a weak password, or mishandling sensitive data. Security awareness training turns your employees from a vulnerability into a layer of defense. A well-trained workforce catches and reports threats that technical controls miss.

Estimated effort: 6h
Tags: security-awareness, training, phishing, social-engineering

Implementation steps

  1. Deploy a security awareness training platform

     Select and deploy a training platform that provides role-appropriate modules on topics such as phishing recognition, password hygiene, social engineering, and secure data handling. Assign training to all employees on hire and annually thereafter.

     Tools: knowbe4, proofpoint-security-awareness, sans-security-awareness, curricula
  2. Run regular phishing simulations

     Send simulated phishing emails to all employees monthly. Track click rates and credential submission rates over time. Employees who fail a simulation should receive immediate targeted training, not punishment.

     Tools: knowbe4, proofpoint-security-awareness, gophish
  3. Establish a clear process for reporting suspicious activity

     Make it easy for employees to report suspected phishing, unusual behavior, or security concerns. Provide a reporting button in the email client, a dedicated Slack channel, or a simple email alias. Acknowledge every report.

     Tools: knowbe4, cofense, microsoft-defender
  4. Track completion and measure effectiveness

     Require 100% completion of annual training. Track phishing simulation metrics over time to confirm the program is reducing susceptibility. Report results to leadership quarterly.
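Steps 2 and 4 ask for click and credential-submission rates tracked over time, a per-department view, and a check that everyone completed training in the last 12 months. The following is an added example of how that evidence can be computed from raw campaign counts; it is not code from this rubric or from any of the platforms named above. The campaign rows, department names and completion dates are constructed sample data, and the field names (`sent`, `clicked`, `submitted`, `reported`) are assumptions about what a platform export would contain.

```python
"""Phishing-simulation and training-completion metrics (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CampaignResult:
    """One department's counts for one monthly simulation."""
    month: str        # "YYYY-MM"; sorts chronologically as a string
    department: str
    sent: int         # simulated phishing emails delivered
    clicked: int      # recipients who followed the link
    submitted: int    # recipients who entered credentials on the landing page
    reported: int     # recipients who used the report button or alias


# Constructed sample data; not exported from any real campaign.
SAMPLE_RESULTS = [
    CampaignResult("2024-01", "Finance", 40, 12, 5, 6),
    CampaignResult("2024-01", "Engineering", 60, 9, 2, 20),
    CampaignResult("2024-02", "Finance", 40, 8, 3, 10),
    CampaignResult("2024-02", "Engineering", 60, 6, 1, 25),
    CampaignResult("2024-03", "Finance", 40, 4, 1, 15),
    CampaignResult("2024-03", "Engineering", 60, 3, 0, 30),
]

# Constructed completion records: None means the employee has never completed training.
SAMPLE_COMPLETIONS = {"alice": date(2024, 2, 1), "bob": date(2023, 1, 15), "carol": None}
REPORT_DATE = date(2024, 3, 31)


def validate(result):
    """Reject rows whose counts cannot be right before they reach a leadership report."""
    if not (0 <= result.submitted <= result.clicked <= result.sent):
        raise ValueError(f"inconsistent click/submit counts: {result}")
    if not (0 <= result.reported <= result.sent):
        raise ValueError(f"inconsistent report count: {result}")
    return result


def pct(numerator, denominator):
    """Percentage rounded to one decimal; an empty group yields 0.0 instead of a crash."""
    return 0.0 if denominator == 0 else round(100.0 * numerator / denominator, 1)


def aggregate(results, key):
    """Sum counts per key (month or department) and convert them to rates."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for r in map(validate, results):
        t = totals[key(r)]
        t["sent"] += r.sent
        t["clicked"] += r.clicked
        t["submitted"] += r.submitted
        t["reported"] += r.reported
    return {
        k: {
            "click_rate": pct(t["clicked"], t["sent"]),
            "submission_rate": pct(t["submitted"], t["sent"]),
            "report_rate": pct(t["reported"], t["sent"]),
        }
        for k, t in sorted(totals.items())
    }


def metrics_by_month(results):
    return aggregate(results, lambda r: r.month)


def metrics_by_department(results):
    return aggregate(results, lambda r: r.department)


def trend(series, lower_is_better=True):
    """Direction from first to last value of a chronological series of rates."""
    if len(series) < 2:
        return "insufficient data"
    delta = series[-1] - series[0]
    if delta == 0:
        return "flat"
    improving = delta < 0 if lower_is_better else delta > 0
    return "improving" if improving else "worsening"


def overdue_training(completions, as_of, window_days=365):
    """Employees with no completion, or one older than the 12-month window."""
    cutoff = as_of - timedelta(days=window_days)
    return sorted(name for name, done in completions.items() if done is None or done < cutoff)


if __name__ == "__main__":
    monthly = metrics_by_month(SAMPLE_RESULTS)
    for month, m in monthly.items():
        print(month, m)
    print("click-rate trend:", trend([m["click_rate"] for m in monthly.values()]))
    print("report-rate trend:", trend([m["report_rate"] for m in monthly.values()], lower_is_better=False))
    print("by department:", metrics_by_department(SAMPLE_RESULTS))
    print("overdue:", overdue_training(SAMPLE_COMPLETIONS, REPORT_DATE))
```

Click and submission rates should fall over time while the report rate rises, so `trend` takes a `lower_is_better` flag rather than assuming one direction. `validate` rejects rows where more people submitted credentials than clicked, or more reported than were sent, which catches a bad export before it is quoted to leadership.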

Evidence required

Training completion report

Documentation showing all employees have completed security awareness training in the last 12 months.

  • KnowBe4 training completion report export
  • LMS completion report showing percentage of staff trained
  • HR records showing security training as part of the onboarding checklist

Phishing simulation results

Results from recent phishing simulations showing click rates and trends over time.

  • KnowBe4 phishing campaign results showing click rate by department
  • Proofpoint simulation report with trend line
  • Monthly phishing metrics report shared with leadership

Security reporting process documentation

Evidence that employees have a clear, easy way to report suspected threats.

  • Email client screenshot showing a phishing report button
  • Slack channel or email alias for security reports
  • Employee handbook excerpt describing how to report security concerns

Related controls