HRS-004 Security Awareness Training
Description
All personnel complete a security awareness training program at onboarding and at least annually thereafter. Training content covers the organization's current threat landscape, security policies, phishing and social engineering awareness, acceptable use, incident reporting, and privacy obligations. Completion is tracked and reported.
Rationale
Humans are the most frequently exploited attack vector. Consistent, documented security awareness training reduces the likelihood of successful social engineering, phishing, and inadvertent policy violations.
Framework Mappings (7)
| Control ID | Control Name | Mapping |
| --- | --- | --- |
| HRS-11 | Security Awareness Training | full |
| HRS-12 | Personal and Sensitive Data Awareness and Training | partial |
| HRS-13 | Compliance User Responsibility | partial |
| 6.3 | Information security awareness, education and training | full |
| AT-2 | Literacy Training and Awareness | full |
| AT-4 | Training Records | partial |
| GOVERN 2.2 | AI Risk Management Training | partial |
Evidence (2)
Security awareness training completion records showing all personnel completed training at onboarding and annually thereafter.
Example: Training completion report from the LMS or security awareness platform (KnowBe4, Proofpoint Security Awareness, or equivalent), showing: employee name, training module, completion date, and score (if applicable) — filtered to the current training cycle.
Test: Export training completion records for the current annual training cycle. Verify: (1) completion rate is at or above the defined target (typically 95%+), (2) all new hires have a completion record dated within 30 days of their start date, (3) the training content includes phishing awareness, acceptable use, incident reporting, and privacy obligations, (4) non-completions have an open remediation action.
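The completion-rate, new-hire-window and non-completion checks in the test above can be scripted against an LMS export so the evidence is reproducible each cycle. This is an added example, not from the page or any LMS vendor; the roster, completion records and the two-column layouts are constructed and assumed.

```python
# Added example: audit one annual training cycle against the HRS-004 test criteria.
from datetime import date, timedelta

TARGET_RATE = 0.95        # completion target named in the test (95%+)
ONBOARDING_WINDOW = 30    # days from start date in which a new hire must complete

# Constructed sample data (not real personnel records).
ROSTER = [
    # (employee_id, start_date)
    ("E001", date(2021, 3, 1)),
    ("E002", date(2024, 9, 15)),   # new hire this cycle
    ("E003", date(2024, 11, 2)),   # new hire this cycle
    ("E004", date(2019, 6, 20)),
]
COMPLETIONS = [
    # (employee_id, module, completion_date)
    ("E001", "Security Awareness 2024", date(2024, 7, 10)),
    ("E002", "Security Awareness 2024", date(2024, 9, 30)),   # 15 days after start
    ("E003", "Security Awareness 2024", date(2024, 12, 20)),  # 48 days after start
]
CYCLE_START, CYCLE_END = date(2024, 1, 1), date(2024, 12, 31)

def audit_training_cycle(roster, completions, cycle_start, cycle_end,
                         target=TARGET_RATE, window=ONBOARDING_WINDOW):
    """Check (1) completion rate vs target and (2) the new-hire window;
    non-completions are returned so each can be tied to a remediation action (4)."""
    done = {}  # employee_id -> earliest completion date inside the cycle
    for emp, _module, when in completions:
        if cycle_start <= when <= cycle_end:
            done[emp] = min(when, done.get(emp, when))
    total = len(roster)
    rate = (sum(1 for emp, _ in roster if emp in done) / total) if total else 0.0
    non_completions = sorted(emp for emp, _ in roster if emp not in done)
    new_hire_gaps = []
    for emp, start in roster:
        if cycle_start <= start <= cycle_end:  # hired during this cycle
            deadline = start + timedelta(days=window)
            if emp not in done or done[emp] > deadline:
                new_hire_gaps.append(emp)
    return {
        "completion_rate": round(rate, 4),
        "meets_target": rate >= target,
        "non_completions": non_completions,
        "new_hire_gaps": sorted(new_hire_gaps),
    }

def run_sample():
    """Run the audit over the constructed data above."""
    return audit_training_cycle(ROSTER, COMPLETIONS, CYCLE_START, CYCLE_END)

if __name__ == "__main__":
    print(run_sample())
```

On the sample data the cycle fails the target (3 of 4 completed, 75%), E004 has no completion record, and E003 completed outside the 30-day onboarding window.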
Training effectiveness report or phishing simulation results showing the awareness program is evaluated for effectiveness.
Example: Annual security awareness report or phishing simulation report (KnowBe4 / Proofpoint campaign report PDF), showing: simulation frequency, click rate trend over the year, comparison to benchmark, and curriculum changes made in response to results.
Test: Request the most recent security awareness program report or phishing simulation results. Verify: (1) simulations were conducted at least quarterly, (2) click rate trend over the year is tracked, (3) results informed training content updates (confirm a curriculum change or targeted follow-up training triggered by high-click-rate cohorts), (4) the report was reviewed by the security team.
Questions (3)
Do all personnel complete a security awareness training program at onboarding and at least annually thereafter, with completion tracked and reported?
Training records from the LMS or awareness platform should show completion rates at or above the defined target (typically 95%+), with new hires completing within 30 days of their start date.
Which of the following topics are included in your annual security awareness training curriculum?
At minimum, phishing awareness, acceptable use, incident reporting, and privacy obligations should be covered. Training content should be updated to reflect the current threat landscape.
Does your organization evaluate the effectiveness of its security awareness program (e.g. through phishing simulations, quiz scores, or click rate trends)?
Phishing simulation results showing click rate trends over the year, with curriculum changes triggered by high-risk cohorts, demonstrate program effectiveness.