Commitment to competence in security is demonstrated
People with security responsibilities need to actually know how to execute them. This control requires that the organization identifies what competencies are needed, assesses whether people have them, and fills gaps through hiring, training, or external support. An understaffed or undertrained security function is a systemic risk that undermines every other control.
Implementation steps
1. Define required security competencies for relevant roles
For each role with security responsibilities, document the knowledge and skills expected of it. For small teams this can be informal, but it should still be written down. Examples: engineers should understand the OWASP Top 10, IT admins should know how to configure MFA, and the security lead should be able to run a tabletop incident exercise.
Tools: Confluence, Notion, Google Docs
2. Assess current competency and identify gaps
Review whether current staff meet the defined competency requirements. For small teams this can be a simple self-assessment. Document any gaps and the plan to address them.
Tools: Google Docs, Notion
3. Provide security training and track completion
Deliver security awareness training to all employees at least annually. For staff with specific security roles, provide role-appropriate training (e.g. secure coding, incident response, cloud security). Track completion records. Consider external certifications (CISSP, Security+, AWS Security Specialty) for key staff.
Tools: KnowBe4, Proofpoint, SANS, Coursera, Pluralsight
Evidence required
Security training completion records
Evidence that employees have completed required security training.
- LMS report showing security awareness training completion by employee
- KnowBe4 or similar completion records
- Certification records for security staff (CISSP, CISM, Security+)
Competency requirements documentation
Written record of what security competencies are expected for relevant roles.
- Training plan or curriculum for security-relevant roles
- Security section in onboarding checklist
- Job description requirements for security staff
Related controls
- Commitment to integrity and ethical values is demonstrated (Control Environment)
- Board or equivalent body oversees security risk (Control Environment)
- Organizational structure and authority for security is defined (Control Environment)
- Accountability for security performance is enforced (Control Environment)