Does your organization require annual refresher training for all employees to reinforce existing security practices and introduce new ones?
Explanation
Regular refresher training helps maintain security awareness and ensures employees stay updated on evolving threats and organizational security practices. Annual refreshers can address common security mistakes observed throughout the year, introduce new security tools or procedures, and reinforce critical security behaviors that may have weakened over time.
Evidence of compliance could include training completion records, annual training calendars showing scheduled refresher sessions, training materials with timestamps showing annual updates, or a formal policy document specifying the requirement for annual security refresher training.
Implementation Example
Require annual refreshers to reinforce existing practices and introduce new practices
ID: PR.AT-01.218
Context
- Function
- PR: PROTECT
- Category
- PR.AT: Awareness and Training
- Sub-Category
- Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind
Related questions
- Does your organization provide cybersecurity awareness and training to all users with access to non-public resources?
- Does your organization provide comprehensive security awareness training that covers social engineering recognition, attack reporting procedures, acceptable use policies, and basic cyber hygiene practices?
- Does your organization clearly communicate the consequences of cybersecurity policy violations to all employees and stakeholders?
- Does your organization regularly assess employees' cybersecurity awareness through testing or evaluation?
- Has the organization identified specialized roles that require additional cybersecurity training beyond the baseline security awareness program?
- Does your organization provide specialized cybersecurity training for employees and third parties (contractors, partners, suppliers) who perform roles with elevated security responsibilities?

