HRS-11: Security Awareness Training

Control Family:

Human Resources

CSF v1.1 References:

PF v1.0 References:

Control is new to this version of the control set and incorporates the following items from the previous version: HRS-09: Training / Awareness, HRS-10: User Responsibility.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain a security awareness training program for all employees of the organization and provide regular training updates.

Implementation Guidance

Security awareness training should educate personnel about their responsibilities and the necessary means for securing corporate assets. Security awareness training should consider the roles and responsibilities of organizational members. Training may include a test to measure personnel’s understanding of the responsibilities and protections required to secure corporate assets. This evaluation may be used to improve training and verify that relevant knowledge transfer occurs. Additionally, a training attendance registry should be maintained.

Auditing Guidance

  1. Examine the security awareness training program for adequacy, currency, communication, and effectiveness.
  2. Verify, by interviews or otherwise, that the training program has been implemented.
  3. Verify that the scope of the training program extends to all employees.
  4. Examine policy and procedures for evidence of review.

[Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.