Overview
Security Awareness Training is the formal process of educating employees on security responsibilities, acceptable use, and threat awareness to support the organization’s control environment. It ensures personnel understand security expectations and reinforces management’s commitment to integrity, ethics, and risk awareness under SOC 2 CC1.
Step-by-Step Process
Define training scope and audience
The Security Lead identifies all in-scope personnel, including full-time employees, contractors, and interns with system access. The output is a documented training scope defining who must complete training and any role-based variations.
Role: Security Lead
Select training content
The Security Lead reviews and selects security awareness modules covering phishing, password hygiene, data protection, and acceptable use. The output is an approved training curriculum aligned to SOC 2 CC1.1 and CC1.4.
Role: Security Lead
Configure training campaign
The Security Lead sets up the annual training campaign in the selected tool, including due dates, reminders, and completion rules. The output is an active training campaign assigned to all in-scope users.
Role: Security Lead
Notify employees of training requirement
The Security Lead or IT Manager sends an initial notification explaining training expectations, the campaign due date, and the consequences of non-completion (for example, escalation to the user's manager or suspension of access). The output is a dated communication sent to all assigned users, retained as evidence.
Role: Security Lead (or IT Manager, where delegated)
Monitor training completion
The Security Lead monitors progress throughout the campaign and sends follow-up reminders to non-compliant users. The output is an up-to-date completion report showing individual training status.
Role: Security Lead
Address non-compliance
The Security Lead escalates overdue training to management and coordinates corrective actions, such as access suspension if required. The output is documented evidence of follow-up and resolution.
Role: Security Lead
Retain training records
The Security Lead exports and stores completion records in the compliance evidence repository. The output is retained evidence supporting annual SOC 2 audits.
Role: Security Lead
What You Need Before Starting
- Current employee and contractor user list
- Access to security awareness training platform
- Approved security policies (e.g., Acceptable Use, Information Security Policy)
- Annual compliance calendar or training schedule
Evidence Your Auditor Expects
- Training campaign configuration screenshot showing start and due dates
- Employee completion report exported as CSV or PDF with completion timestamps
- Copy of training notification email with sent date
- List of overdue users with documented follow-up actions and dates
How This Looks In Your Tools
KnowBe4
Log in to the KnowBe4 Admin Console and navigate to Training > Campaigns. Click “Create Training Campaign,” select the required modules, set the campaign start date and due date, and assign the campaign to the “All Users” or relevant user group.
Go to Training > Users to confirm all in-scope users are included. After launch, monitor progress under Training > Campaigns > [Campaign Name] > View Enrollments, and export the completion report using the “Download CSV” option for audit evidence.
Proofpoint
Sign in to the Proofpoint Security Awareness portal and navigate to Campaigns > Create Campaign. Choose the appropriate security awareness content, configure assignment rules, and set completion deadlines.
Track progress by navigating to Reports > Campaign Reports and selecting the active campaign. Export the User Completion Report with timestamps to retain as SOC 2 evidence.
Google Workspace
If using Google Workspace-hosted training, upload or link training materials in Google Drive and organize them in a shared folder named “Security Awareness Training – [Year].” Assign training by emailing users via Google Groups with clear completion instructions and the due date.
Collect completion attestations using Google Forms, with “Collect email addresses” enabled in the form settings so each response is attributable to a named user rather than an anonymous submission, and review the responses in the linked Google Sheet, which records a timestamp for every response. Retain the response sheet and the sent notification email (with its date) as evidence of assignment and completion.
Common Audit Findings
- Incomplete training coverage
- This occurs when contractors or new hires are excluded from the training audience. Prevent this by regularly reconciling the training user list with HR or IT access lists.
- Missing completion evidence
- Auditors flag this when reports lack dates or user-level detail. Always export completion reports with timestamps and retain them in a centralized evidence repository.
- Training not performed annually
- This happens when campaigns are not scheduled in advance. Use a compliance calendar with recurring annual reminders to ensure timely execution.
- No follow-up on overdue users
- Auditors may note a lack of enforcement if overdue users are ignored. Document reminder emails and escalation actions to demonstrate control enforcement.
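The monitoring step (an up-to-date completion report with individual status) and the coverage-gap finding above both come down to the same check: reconcile the in-scope roster from HR or the identity provider against the training platform's completion export. The script below is an added example, not part of this page or of any vendor's tooling. It works on two constructed CSV extracts in the shape such exports commonly take (an HR roster with an active/terminated status, and a training export with enrollment and completion timestamps); the column names, the campaign due date and all email addresses are assumptions for the illustration. It reports users who are in scope but never enrolled, users still pending before the due date, users overdue after it, users who completed late, and enrolled users who are no longer in the roster.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample data (not real exports). Column names are assumptions
# chosen for the example; map them to your own HR/IdP and training exports.
HR_ROSTER_CSV = """email,status,type
alice@example.com,active,employee
bob@example.com,active,contractor
carol@example.com,active,intern
dave@example.com,terminated,employee
erin@example.com,active,employee
"""

TRAINING_EXPORT_CSV = """email,enrolled_at,completed_at
alice@example.com,2024-01-08T09:00:00Z,2024-01-15T14:22:10Z
bob@example.com,2024-01-08T09:00:00Z,
erin@example.com,2024-01-08T09:00:00Z,2024-03-02T08:05:00Z
dave@example.com,2024-01-08T09:00:00Z,2024-01-20T10:00:00Z
"""

# Assumed campaign due date (end of day, UTC).
CAMPAIGN_DUE = datetime(2024, 2, 28, 23, 59, 59, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-01-15T14:22:10Z; empty -> None."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_roster(text):
    """Return the set of in-scope (active) emails, normalised to lower case."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["email"].strip().lower() for r in rows if r["status"].strip() == "active"}


def load_training(text):
    """Map each enrolled email to its completion timestamp (None if not completed)."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["email"].strip().lower(): parse_ts(r["completed_at"].strip()) for r in rows}


def reconcile(roster, training, due, as_of):
    """Compare the in-scope roster with the training export.

    Buckets (each a sorted list of emails):
      not_enrolled - in scope but absent from the campaign: a coverage gap
      pending      - enrolled, not yet complete, due date not yet reached
      overdue      - enrolled, not complete, due date has passed: needs escalation
      late         - completed after the due date: still a finding, but resolved
      completed    - completed on or before the due date
      out_of_scope - enrolled but no longer active in the roster (leavers)
    """
    buckets = ("not_enrolled", "pending", "overdue", "late", "completed", "out_of_scope")
    result = {k: [] for k in buckets}
    for email in roster:
        if email not in training:
            result["not_enrolled"].append(email)
            continue
        completed_at = training[email]
        if completed_at is None:
            result["overdue" if as_of > due else "pending"].append(email)
        elif completed_at <= due:
            result["completed"].append(email)
        else:
            result["late"].append(email)
    for email in training:
        if email not in roster:
            result["out_of_scope"].append(email)
    return {k: sorted(v) for k, v in result.items()}


def run_example(as_of=None):
    """Reconcile the constructed extracts as of a given date (default: after the due date)."""
    if as_of is None:
        as_of = datetime(2024, 3, 10, tzinfo=timezone.utc)
    return reconcile(load_roster(HR_ROSTER_CSV), load_training(TRAINING_EXPORT_CSV), CAMPAIGN_DUE, as_of)


if __name__ == "__main__":
    for bucket, emails in run_example().items():
        print(f"{bucket:>13}: {', '.join(emails) or '-'}")
```

Run it on the real exports on a recurring schedule during the campaign and keep each dated output with the CSVs it was produced from; the not_enrolled and overdue lists are exactly the "list of overdue users with documented follow-up actions" an auditor asks for, and the out_of_scope list tells you which enrollments are leavers rather than genuine non-completions.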