Framework Category
Awareness and Training
Awareness and Training equips all personnel—including specialized roles, executives, and third-party stakeholders—with the knowledge and skills needed to recognize and manage cybersecurity risks relevant to their responsibilities.
It promotes a shared understanding of security roles across the organization.
Implementation Questions
PR.AT-01
Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind
Does your organization provide cybersecurity awareness and training to all users with access to non-public resources?
Cybersecurity awareness training helps users recognize and respond appropriately to threats such as phishing and social engineering, and to handle data according to its classification. This training should be provided to every individual with access to non-public resources, including employees, contractors, partners, and suppliers, because an untrained account holder is a target for social engineering regardless of who employs them.
Does your organization provide comprehensive security awareness training that covers social engineering recognition, attack reporting procedures, acceptable use policies, and basic cyber hygiene practices?
Security awareness training is the organization's main defence against attacks that target people rather than systems, such as phishing, vishing, and pretexting. Employees should be trained to identify suspicious emails, messages, or calls; to know how and to whom to report a suspected incident; to understand acceptable use of company resources; and to follow basic hygiene practices such as using strong, unique passwords, enabling multi-factor authentication, and keeping software updated.
Does your organization clearly communicate the consequences of cybersecurity policy violations to all employees and stakeholders?
This question assesses whether your organization has established and communicated clear consequences for violating cybersecurity policies. Employees and stakeholders should understand both personal consequences (e.g., disciplinary actions, termination) and organizational impacts (e.g., data breaches, financial losses, reputational damage, regulatory penalties) of non-compliance with security policies.
Does your organization regularly assess employees' cybersecurity awareness through testing or evaluation?
Regular assessment of employee cybersecurity knowledge identifies gaps in understanding and confirms that staff can recognize and respond appropriately to threats such as phishing, social engineering, and data handling requirements. Typical methods are knowledge quizzes after training and simulated phishing campaigns; when running simulations, track the reporting rate as well as the click rate, since a workforce that reports suspicious messages quickly is the outcome the training is meant to produce. These assessments establish accountability and reinforce the importance of security practices in daily operations.
Does your organization require annual refresher training for all employees to reinforce existing security practices and introduce new ones?
Regular refresher training helps maintain security awareness and ensures employees stay updated on evolving threats and organizational security practices. Annual refreshers can address common security mistakes observed throughout the year, introduce new security tools or procedures, and reinforce critical security behaviors that may have weakened over time.
PR.AT-02
Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind
Has the organization identified specialized roles that require additional cybersecurity training beyond the baseline security awareness program?
Different roles within an organization face different security risks and responsibilities. Specialized roles such as finance personnel who handle sensitive financial data, IT administrators with elevated system privileges, or executives with access to strategic information require targeted training beyond basic security awareness. Identifying these roles is the first step in developing role-specific security training programs that address unique threats and responsibilities.
Does your organization provide specialized cybersecurity training for employees and third parties (contractors, partners, suppliers) who perform roles with elevated security responsibilities?
Role-based cybersecurity training ensures that individuals with specialized responsibilities receive targeted education beyond basic awareness training. For example, developers should receive secure coding training, system administrators should learn about secure configuration, and procurement staff should understand third-party risk management.
Does your organization conduct regular assessments or tests to evaluate employees' understanding of role-specific cybersecurity practices?
Role-specific cybersecurity assessments help ensure that employees understand the security requirements unique to their job functions, which can significantly reduce the risk of security incidents caused by human error. These assessments should be tailored to different departments and roles, as security responsibilities vary across the organization (e.g., developers should be tested on secure coding practices, while finance personnel should be tested on recognizing financial fraud attempts).
Does your organization require annual role-specific refresher training for personnel in specialized roles to reinforce existing security practices and introduce new ones?
Role-specific refresher training ensures that personnel with elevated security responsibilities stay current with the policies, procedures, and best practices that apply to their role, and introduces them to emerging threats and countermeasures relevant to it. Annual refreshers help counter the natural decay of security knowledge over time and keep these staff updated on new security requirements, tooling, or organizational changes that affect their duties.
PR.AT-03
Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-04
Senior executives understand their roles and responsibilities
PR.AT-05
Physical and cybersecurity personnel understand their roles and responsibilities
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.