Managers, admins, and users know the risks and the rules.
What it actually means
Security awareness training for everyone who touches the environment — not a one-time slideshow, but ongoing awareness of the risks in their day-to-day work and the policies they're expected to follow. It's a 5-pointer because people are the most-exploited part of any system: a phished or careless user bypasses technical controls that would otherwise hold.
Pass or fail — an assessor needs a "yes" to each
- All users (incl. managers and admins) receive security awareness training.
- Training covers the real risks of their activities and the applicable policies.
- Training is delivered on a recurring basis and completion is tracked.
What to have ready
- Awareness training content/curriculum
- Completion records per user
- Policy requiring recurring training
Where teams trip up
- Onboarding-only training, never refreshed
- No completion tracking
- Admins and managers exempted from training, even though the requirement covers all users