Despite multi-million investments in technical security controls, the human factor remains the most common cause of security incidents. Phishing, social engineering, weak or reused passwords and the unintentional sharing of sensitive information play a part in the majority of successful cyber attacks. Security awareness training is therefore an indispensable part of every information security programme.
From an auditing perspective, security awareness is not a soft control but a hard requirement. ISO 27001:2022 requires, in Annex A control 6.3 (information security awareness, education and training), that personnel receive appropriate awareness, education and training in information security. NIS2 sets comparable requirements: Article 21(2)(g) lists basic cyber hygiene practices and cybersecurity training among the minimum risk-management measures, and Article 20(2) obliges members of management bodies to follow such training themselves. SOC 2 assesses, under the Common Criteria (for example CC1.4 on competence and CC2.2 on internal communication), whether employees are trained in their security responsibilities.
An effective security awareness programme goes beyond an annual e-learning module. It includes regular communication about current threats, phishing simulations to test the ability to recognise attacks, role-specific training for employees at increased risk such as administrators and finance staff, and a culture in which reporting suspicious situations is encouraged.
When it comes to security awareness, the auditor assesses several aspects. Is there a documented awareness programme? Are all employees trained periodically, including new employees during onboarding? Are there measurable results, such as click rates, credential-submission rates and report rates in phishing simulations? Are the results used to adjust the programme, for instance by giving repeat clickers targeted training?
Phishing simulations deserve particular attention. The auditor checks whether simulations are carried out regularly, whether they are realistic and cover different attack techniques, and whether employees who click or submit credentials receive targeted follow-up training. A downward trend in click rates is a positive signal for the auditor, with one caveat: click rates are only comparable between campaigns of similar difficulty, and a rising report rate (employees using the report button, ideally before anyone clicks) is a stronger indicator of an effective programme than a falling click rate alone.
Management plays a crucial role. Security awareness must be visibly supported by senior management and be part of the organisational culture. The auditor assesses whether management sets a good example (for instance by completing the same training and simulations as everyone else), whether budget has been allocated for awareness activities, and whether security incidents caused by human action are analysed and used as learning moments rather than as grounds for blame, since a blame culture discourages exactly the reporting the programme depends on.
Secure Audit assesses the effectiveness of security awareness programmes in its audits and advises on improvements. Contact us for advice on setting up or improving your awareness programme.
About the author
Partner | IT Auditor