SOC2-CC1-SECURITY-TRAINING
Security Awareness Training
What this control does
Annual security awareness training for all employees covering phishing, social engineering, password hygiene, and data handling responsibilities.
Implementation guidance
Require completion of security awareness training within 30 days of hire and annually thereafter. Use a platform (KnowBe4, Proofpoint, Hoxhunt) with phishing simulation capability. Track completion rates. For employees who fail phishing simulations, require immediate remedial training. Maintain training records for 3 years.
Requirements satisfied
Why it matters
Untrained employees are the primary attack vector for phishing, social engineering, and credential compromise—incidents that often lead to unauthorized data access or breaches. Security awareness training measurably reduces susceptibility to these attacks and ensures employees understand their data handling obligations. Without documented training completion, the organization cannot demonstrate due diligence during incident response or regulatory inquiries.
Evidence to collect
- Training enrollment and completion report showing all employees trained within 30 days of hire and annually (filtered by hire date and training date)
- Phishing simulation campaign results showing click rates, reported emails, and failing users flagged for remedial training
- Remedial training completion records for employees who failed phishing simulations
- Training platform audit logs showing course content, assessment scores, and completion timestamps for a sample of 10–15 employees
Testing procedure
Request the training platform's completion report filtered by hire date to verify all employees completed training within 30 days of hire; spot-check 10–15 employee records to confirm assessment scores and timestamps. Review phishing simulation results from the past 12 months to identify failure rates and verify that failing employees were immediately enrolled in remedial training. Confirm remedial training completion. Verify that records are retained for at least 3 years by checking the platform's data retention settings and archive logs.
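The completion-report checks above (training within 30 days of hire, renewal at least annually, remedial training after every failed phishing simulation) can be run mechanically over the platform's export. The following is an added example, not part of this control document or any vendor platform; the employee records are constructed and stand in for the exported report.

```python
from dataclasses import dataclass
from datetime import date, timedelta

ONBOARDING_WINDOW = timedelta(days=30)  # training due within 30 days of hire
RENEWAL_WINDOW = timedelta(days=365)    # and at least annually thereafter

@dataclass
class Employee:
    name: str
    hired: date
    completions: tuple = ()     # awareness training completion dates
    phish_failures: tuple = ()  # dates the employee failed a phishing simulation
    remedial: tuple = ()        # remedial training completion dates

def audit_employee(emp: Employee, as_of: date) -> list:
    """Return the control failures for one employee; empty means compliant as of `as_of`."""
    findings = []
    done = sorted(emp.completions)
    onboarding_due = emp.hired + ONBOARDING_WINDOW
    # Onboarding: first completion within 30 days of hire (not a finding while the window is open).
    if (done and done[0] > onboarding_due) or (not done and as_of > onboarding_due):
        findings.append(f"onboarding training not completed by {onboarding_due}")
    # Annual renewal: no gap between completions, or since the last one, may exceed a year.
    for prev, nxt in zip(done, done[1:] + [as_of]):
        if nxt - prev > RENEWAL_WINDOW:
            findings.append(f"annual training lapsed after {prev}")
            break
    # Remedial: each phishing failure needs a remedial completion on or after that date.
    for fail in emp.phish_failures:
        if not any(r >= fail for r in emp.remedial):
            findings.append(f"no remedial training after phishing failure on {fail}")
    return findings

def audit(employees, as_of: date) -> dict:
    """Map each non-compliant employee's name to their list of findings."""
    report = {e.name: audit_employee(e, as_of) for e in employees}
    return {name: f for name, f in report.items() if f}

# Constructed sample records standing in for the training platform's completion export.
AS_OF = date(2024, 6, 1)
EMPLOYEES = [
    Employee("alice", date(2023, 1, 10), (date(2023, 1, 20), date(2024, 1, 15))),
    Employee("bob", date(2023, 3, 1), (date(2023, 5, 15),), (date(2024, 2, 2),)),
    Employee("carol", date(2024, 5, 20)),  # hired 12 days before AS_OF: window still open
    Employee("dave", date(2022, 6, 1), (date(2022, 6, 10), date(2023, 6, 5), date(2024, 5, 30)),
             (date(2023, 9, 1),), (date(2023, 9, 3),)),
]
if __name__ == "__main__":
    print(audit(EMPLOYEES, AS_OF))
```

Only bob is flagged in the sample: trained 75 days after hire, no completion in the last 12 months, and no remedial training after the failed simulation.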
Common gotchas
Many organizations complete annual training but fail to enforce the 30-day onboarding requirement for new hires—leaving new employees unaware of policies before they have access. Phishing simulations are often treated as a metric to track but not acted upon; organizations frequently skip or delay remedial training for failing employees, reducing the control's effectiveness.