Have all physical and cybersecurity personnel been trained on and demonstrated understanding of their specific roles and responsibilities?
Explanation
This question verifies role clarity for security staff: whether physical and cybersecurity personnel have been trained on, and can demonstrate an understanding of, their specific responsibilities. Without clearly defined roles and proper training, security personnel may respond inconsistently to incidents, miss critical security tasks, or create gaps in the security posture because it is unclear who handles which responsibilities.
Evidence could include: role-specific training materials, signed acknowledgments of role descriptions, completed training records, security response simulation results, or certification documentation relevant to specific security roles.
Context
- Function: PR: PROTECT
- Category: PR.AT: Awareness and Training
- Sub-Category: Physical and cybersecurity personnel understand their roles and responsibilities
Related questions
- Does your organization provide cybersecurity awareness and training to all users with access to non-public resources?
- Does your organization provide comprehensive security awareness training that covers social engineering recognition, attack reporting procedures, acceptable use policies, and basic cyber hygiene practices?
- Does your organization clearly communicate the consequences of cybersecurity policy violations to all employees and stakeholders?
- Does your organization regularly assess employees' cybersecurity awareness through testing or evaluation?
- Does your organization require annual refresher training for all employees to reinforce existing security practices and introduce new ones?
- Has the organization identified specialized roles that require additional cybersecurity training beyond the baseline security awareness program?