Security Policies · 10 min read · 19 June 2026

Security Awareness Training Programme: ISO 27001 A.6.3, SOC 2 CC1.4, and How to Build Evidence That Satisfies Auditors (2026)

Security awareness training is required by ISO 27001 A.6.3, SOC 2 CC1.4, HIPAA §164.308(a)(5), and NIS2 Art. 21(2)(g). This guide covers what a compliant training programme looks like, what evidence auditors sample, how to run phishing simulations, and how to achieve 95%+ completion rates with evidence ready for audit.

Why security awareness training is audited harder than you expect

Security awareness training feels like a box-ticking exercise. Assign the annual training module, collect completion confirmations, move on. But it's one of the areas where SOC 2 and ISO 27001 auditors find more gaps than anywhere else — not because companies don't do training, but because they can't produce evidence that demonstrates the programme actually ran for the full audit period, that all employees completed it, and that the content was appropriate.

Human beings remain the largest attack surface. Verizon DBIR 2024: 68% of breaches involved the human element. Phishing drives the majority of initial access. Security awareness training is a primary preventive control — not a compliance checkbox.

What each framework requires

| Framework | Reference | Requirement |
| --- | --- | --- |
| ISO 27001:2022 | A.6.3 | Information security awareness, education and training: all personnel and relevant interested parties receive appropriate awareness education and training, and regular updates of organisational information security policies and procedures relevant to their job function |
| SOC 2 | CC1.4 | COSO Principle 4: The organisation demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. Security training is primary evidence of "developing competent individuals" for security-relevant roles. |
| SOC 2 | CC2.2 | The entity internally communicates information, including security policies, to support the functioning of internal controls. Training delivery is evidence of policy communication. |
| HIPAA | §164.308(a)(5) | Security awareness and training: required implementation specification. Periodic reminders about security, protection from malicious software, log-in monitoring, and password management. All workforce members. |
| NIS2 | Art. 21(2)(g) | Human resources security, access control policies and asset management. "Cyber hygiene practices and training" explicitly called out as one of the 10 minimum security measures. |
| ISO 27001:2022 | A.6.1 | Screening: training on security expectations begins at onboarding, not after the first annual cycle |
| PCI DSS | Req 12.6 | Security awareness programme targeting all personnel covering: recognising and reporting potential threats, prohibited uses, social engineering, and updates when new threats emerge |

The minimum viable security awareness programme

Core training elements

| Training Element | Audience | Frequency | Evidence to Retain | Framework Driver |
| --- | --- | --- | --- | --- |
| General security awareness (phishing, passwords, device security, clean desk) | All employees and contractors with system access | Annual minimum; onboarding within first 5 business days | Completion records with timestamps; employee roster match | ISO 27001 A.6.3, SOC 2 CC1.4, HIPAA §164.308(a)(5) |
| Data protection / GDPR / privacy training | All employees handling personal data | Annual; after significant regulatory change | Completion records; certificate of completion if platform supports it | GDPR Art. 32 / ISO 27001 A.6.3 |
| Phishing simulation | All employees | Quarterly recommended; minimum semi-annual | Simulation launch date, click rate, follow-up training completion for those who clicked | ISO 27001 A.6.3, HIPAA §164.308(a)(5), PCI DSS Req 12.6 |
| Secure coding training (OWASP Top 10, language-specific) | All engineers and developers | Annual; after major OWASP update | Platform completion records; course/module reference | ISO 27001 A.6.3 / A.8.25, SOC 2 CC8.1 |
| Role-specific training (finance: wire fraud; HR: data handling; engineering: AppSec; leadership: BEC scams) | Specific roles as appropriate | Annual | Role-specific completion evidence | ISO 27001 A.6.3 |
| Incident response procedures | IR team and escalation contacts | Annual; tabletop exercise | Exercise record; updated runbooks | ISO 27001 A.5.24, SOC 2 CC7.3 |

Onboarding training — the gap most companies have

Annual training cycles mean new starters hired in month 2 may not receive security training until month 14. That's a 12-month gap during which they have full system access but no security training. ISO 27001 A.6.3 and the spirit of SOC 2 CC1.4 both require training to be appropriate and timely — auditors will ask "what about staff hired during the audit period?"

Fix: require all new starters to complete security awareness training within their first 5 business days. This should be a line-item in the onboarding checklist (tracked in your HR system), not an informal expectation. The onboarding training can be the same annual module — just required to be completed on joining.

Phishing simulations: doing them right

Running a phishing simulation once a year and reporting "5% click rate" doesn't move the needle. Effective phishing simulation programmes:

  • Frequency: Quarterly is the industry standard. Once a year doesn't provide enough data or repetition for behaviour change.
  • Difficulty variation: Rotate between easy (obvious phishing) and difficult (spear-phishing, BEC-style, vendor impersonation) templates. Track which template types generate the highest click rates.
  • Immediate training: When someone clicks, they should be immediately redirected to a brief training module (2–5 minutes) explaining what the phishing indicators were. This is the teachable moment.
  • No blame culture: Frame simulations as a training tool, not a gotcha. Publicly shaming clickers reduces reporting of real phishing.
  • Track improvement: The metric that matters is click rate trend over time, not a single snapshot. Declining click rate over 12 months is the evidence of programme effectiveness.
  • Report to leadership: Quarterly phishing metrics reviewed by CISO and board — demonstrates the programme is actively managed.

Platforms: KnowBe4, Proofpoint Security Awareness Training, Cofense, Hoxhunt (AI-adaptive), Curricula, Wizer. Most offer integrated phishing simulation + training module delivery. Choose based on team size and budget — Wizer and Curricula are cost-effective for early-stage companies.

The evidence auditors actually want

SOC 2 auditors testing CC1.4 will typically request:

  1. Training completion records for the audit period — a report showing each employee's training completion date. This must be exportable from your training platform. Test this export before your audit begins.
  2. Employee roster cross-reference — they will compare your training completion list against your HR system / payroll / Okta directory to identify employees who did NOT complete training. Non-completion is a finding. Have a process for chasing exceptions.
  3. Training content evidence — what was the training about? A screenshot of the training module or course outline showing security-relevant content (phishing, passwords, data handling) is sufficient.
  4. New hire onboarding evidence — for employees hired during the audit period, evidence they completed training within the stated onboarding SLA.
  5. Phishing simulation results — not required by all auditors, but increasingly expected. Click rate trends and follow-up training for clickers.

Common audit finding: training completion rate is 85%, not 95%+. 5 people out of 60 didn't complete the training. The auditor samples 5 employees — and selects one of the non-completers. That's a CC1.4 exception in the report. Solution: automated reminders at 14 days, 7 days, and 2 days before the training deadline; escalation to line manager at deadline; non-completion treated as a policy violation (see HR Security Policy).
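The roster cross-reference in item 2, the onboarding SLA check in item 4 and the reminder schedule above are all mechanical checks, so it pays to run them yourself before the auditor does. The script below is an added example (not code from the original guide or from any training platform): it takes a constructed HR roster and a constructed training-completion export, scopes the roster to people employed at any point in the audit period, counts only completions that fall inside the period, flags new starters who missed the 5-business-day deadline, and reports completions for addresses not on the roster (a sign the roster and platform are out of sync). Weekends are skipped when counting business days; public holidays are ignored, which is a simplification.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Employee:
    email: str
    hire_date: date
    leave_date: Optional[date] = None  # None while still employed


def add_business_days(start: date, n: int) -> date:
    """Date n business days (Mon-Fri) after start. Public holidays are not modelled."""
    d, added = start, 0
    while added < n:
        d += timedelta(days=1)
        if d.weekday() < 5:
            added += 1
    return d


def reminder_dates(deadline_iso: str, offsets=(14, 7, 2)) -> list[str]:
    """Reminder send dates for the guide's 14/7/2-day schedule before a deadline."""
    deadline = date.fromisoformat(deadline_iso)
    return [(deadline - timedelta(days=o)).isoformat() for o in offsets]


def reconcile(roster, completions, period_start, period_end, sla_business_days=5):
    """Cross-reference the training export against the HR roster for one audit period."""
    # In scope: employed at any point in the period (joiners and leavers included).
    in_scope = [e for e in roster
                if e.hire_date <= period_end
                and (e.leave_date is None or e.leave_date >= period_start)]
    roster_emails = {e.email for e in roster}

    # Only completions dated inside the period count; keep the latest per person.
    completed: dict[str, date] = {}
    unmatched = []
    for email, done in completions:
        if email not in roster_emails:
            unmatched.append(email)
            continue
        if period_start <= done <= period_end and done > completed.get(email, date.min):
            completed[email] = done

    non_completers = sorted(e.email for e in in_scope if e.email not in completed)

    # New starters must complete within the onboarding SLA, not just within the year.
    late_onboarding = []
    for e in in_scope:
        if e.hire_date >= period_start:
            deadline = add_business_days(e.hire_date, sla_business_days)
            done = completed.get(e.email)
            if done is None or done > deadline:
                late_onboarding.append({"email": e.email,
                                        "deadline": deadline.isoformat(),
                                        "completed": done.isoformat() if done else None})

    rate = 100.0 * (len(in_scope) - len(non_completers)) / len(in_scope) if in_scope else 0.0
    return {"in_scope": len(in_scope),
            "completion_rate": round(rate, 1),
            "non_completers": non_completers,
            "late_onboarding": late_onboarding,
            "unmatched_completions": sorted(set(unmatched))}


# Constructed sample data (not real records) for a 2025 calendar-year audit period.
PERIOD_START, PERIOD_END = date(2025, 1, 1), date(2025, 12, 31)
ROSTER = [
    Employee("alice@example.com", date(2022, 3, 1)),
    Employee("bob@example.com", date(2023, 6, 15)),
    Employee("carol@example.com", date(2025, 4, 7)),                     # joiner, on time
    Employee("dave@example.com", date(2025, 9, 3)),                      # joiner, late
    Employee("erin@example.com", date(2021, 1, 4), date(2024, 11, 30)),  # left before period
    Employee("frank@example.com", date(2024, 1, 10)),                    # only a 2024 completion
]
COMPLETIONS = [
    ("alice@example.com", date(2025, 2, 10)),
    ("carol@example.com", date(2025, 4, 10)),
    ("dave@example.com", date(2025, 9, 25)),
    ("erin@example.com", date(2024, 3, 1)),
    ("frank@example.com", date(2024, 12, 20)),
    ("zoe@example.com", date(2025, 5, 2)),  # not on the HR roster
]


def run_audit():
    return reconcile(ROSTER, COMPLETIONS, PERIOD_START, PERIOD_END)


if __name__ == "__main__":
    result = run_audit()
    print(f"{result['completion_rate']}% of {result['in_scope']} in-scope staff completed")
    print("chase:", result["non_completers"])
    print("late onboarding:", result["late_onboarding"])
    print("not on roster:", result["unmatched_completions"])
    print("reminders for 2025-12-15 deadline:", reminder_dates("2025-12-15"))
```

Two details matter when adapting this to a real export: the completion date has to fall inside the audit period (a December completion from the prior year does not evidence this year's control, which is why frank is chased), and leavers are scoped by their dates rather than dropped, because the auditor's sample can include someone who left mid-period.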

Training programme documentation

A training programme that isn't documented doesn't exist from an audit perspective. Your Security Awareness Training Policy should specify:

  • Training elements required (by role/audience), frequency, and completion SLA
  • Onboarding training requirement and timeline
  • Evidence to be retained and retention period
  • Phishing simulation schedule and follow-up training requirement
  • Programme owner and governance (who reviews completion rates)
  • Consequences of non-completion (reference to disciplinary process)
  • Training platform and how completion records are exported for audit

Linking training to your overall security programme

Awareness training doesn't work in isolation. The most effective security awareness programmes connect training to real events and policies:

  • After an incident: When you have a real phishing attempt (reported or clicked), send a company-wide security reminder with the actual indicators. Real examples land harder than simulations.
  • After a policy change: When you update the password policy, AUP, or data classification policy, send a brief training update. ISO 27001 A.6.3 requires "regular updates" — this is how you evidence it.
  • After major threat news: When Log4Shell, MOVEit, or a similar major vulnerability hits, send a brief status update to all staff explaining the threat and what the company is doing. This demonstrates active security communication (SOC 2 CC2.2).


⚠️ This guide is for informational purposes only and does not constitute legal or compliance advice. Training requirements vary by framework, industry, and jurisdiction. Always work with your qualified auditor to confirm evidence expectations before your audit period begins.