Training and awareness for information security

If you want to verify that all employees have completed the information security awareness training, you can request the following evidence as an auditor:

  1. Completion transcripts showing employee names, training dates, and scores
  2. Attendance records from training platforms
  3. Total number of users
  4. Policy acknowledgement form, signed by the employees
  5. Training schedules aligned with onboarding, preferably within 30 days, and annual refreshers

Metrics

A. Fed Rate: Total employees targeted vs. organization size (use campaign enrollment lists)

B. Click Rate: (Clicked links / Emails delivered) × 100. Validate via phishing simulation tools

C. Report Rate: (Reported emails / Emails delivered) × 100. Check platform logs or CSV exports

If given an Excel export of users:
• Cross-verify against HR records to ensure all employees are included.
• Filter for incomplete training or repeated phishing failures.
• Check timestamps for compliance with onboarding/annual deadlines.
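The checks above, and the click/report rate formulas from the Metrics section, as an added example (not code from the original post). It assumes the HR roster and the LMS export are CSV files with the constructed column names shown; the 30-day onboarding and annual refresher deadlines are the ones the post names.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the original post): HR roster and LMS export.
HR_ROSTER = """employee_id,name,hire_date
1,Alice,2024-01-10
2,Bob,2024-05-20
3,Carol,2024-06-01
"""
LMS_EXPORT = """employee_id,completed_on,score,phish_failures
1,2024-01-25,90,0
2,2024-07-30,85,3
"""

def parse_csv(text):
    """Parse CSV text into a list of dict rows (assumed column names)."""
    return list(csv.DictReader(io.StringIO(text)))

def audit_training(hr_csv, lms_csv, as_of, onboarding_days=30,
                   refresh_days=365, fail_threshold=2):
    """Reconcile the LMS export against HR and flag audit findings."""
    as_of = date.fromisoformat(as_of)
    hr = {r["employee_id"]: r for r in parse_csv(hr_csv)}
    lms = {r["employee_id"]: r for r in parse_csv(lms_csv)}
    findings = {"missing": [], "late_onboarding": [],
                "refresher_overdue": [], "repeat_phish_failures": []}
    for eid, emp in hr.items():
        hired = date.fromisoformat(emp["hire_date"])
        rec = lms.get(eid)
        if rec is None:                      # in HR but never trained
            findings["missing"].append(eid)
            continue
        done = date.fromisoformat(rec["completed_on"])
        if (done - hired).days > onboarding_days:   # missed 30-day onboarding window
            findings["late_onboarding"].append(eid)
        if (as_of - done).days > refresh_days:      # annual refresher overdue
            findings["refresher_overdue"].append(eid)
        if int(rec["phish_failures"]) >= fail_threshold:
            findings["repeat_phish_failures"].append(eid)
    trained = sum(1 for eid in hr if eid in lms)
    findings["coverage_pct"] = round(trained / len(hr) * 100, 1) if hr else 0.0
    return findings

def phishing_rates(delivered, clicked, reported):
    """Click rate and report rate as defined in the Metrics section."""
    return {"click_rate": clicked / delivered * 100,
            "report_rate": reported / delivered * 100}
```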

Those were the tracking metrics. Tools used for tracking:

1. Phishing simulation: Proofpoint

2. Learning management systems (LMS): Melimu

What is the difference between training and awareness?

Training and awareness serve distinct purposes in a security program. Awareness is about fostering a security-conscious culture, using methods like newsletters, posters, and regular reminders to keep security top-of-mind for employees. It focuses on building general understanding and mindfulness regarding security practices. On the other hand, training is more structured and skills-oriented. It involves formal sessions like webinars, bootcamps, or interactive modules with defined goals, tailored content, and practical exercises to equip employees with specific competencies needed to handle security-related tasks effectively. While awareness shapes attitudes, training develops abilities.

Training: social engineering defense training covers handling physical intruders and visitors, telephone calls and enquiries, phishing emails, USB drop attacks, recognising legitimate and fraudulent websites, and job-specific training.
