Does your organization provide cybersecurity awareness and training to all users with access to non-public resources?
Explanation
Cybersecurity awareness training helps users recognize and respond appropriately to security threats like phishing, social engineering, and data handling requirements. This training should be provided to all individuals with access to sensitive information, including employees, contractors, partners, and suppliers, as they all represent potential security vulnerabilities if not properly educated.
Evidence could include training materials, attendance records, completion certificates, training schedules, or screenshots of your learning management system showing cybersecurity courses assigned to different user types. An annual training calendar or policy document outlining training requirements for different user categories would also serve as supporting evidence.
Implementation Example
Provide basic cybersecurity awareness and training to employees, contractors, partners, suppliers, and all other users of the organization's non-public resources
ID: PR.AT-01.214
Context
- Function
- PR: PROTECT
- Category
- PR.AT: Awareness and Training
- Sub-Category
- Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind
Related questions
- Does your organization provide comprehensive security awareness training that covers social engineering recognition, attack reporting procedures, acceptable use policies, and basic cyber hygiene practices?
- Does your organization clearly communicate the consequences of cybersecurity policy violations to all employees and stakeholders?
- Does your organization regularly assess employees' cybersecurity awareness through testing or evaluation?
- Does your organization require annual refresher training for all employees to reinforce existing security practices and introduce new ones?
- Has the organization identified specialized roles that require additional cybersecurity training beyond the baseline security awareness program?
- Does your organization provide specialized cybersecurity training for employees and third parties (contractors, partners, suppliers) who perform roles with elevated security responsibilities?

