ISM-0252 (ASD Information Security Manual)

Annual Cyber Security Awareness for Personnel

All staff receive yearly training on using and protecting systems, and reporting incidents.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Cyber security awareness training is undertaken annually by all personnel and covers:
  • the purpose of the cyber security awareness training
  • security appointments and contacts
  • authorised use of systems and their resources
  • protection of systems and their resources
  • reporting of cyber security incidents and suspected compromises of systems and their resources.

Source: ASD Information Security Manual (ISM)

Plain language

Cyber security awareness training is like giving everyone in your organisation the knowledge they need to safely use and protect computers and data. It's important because if staff aren't aware of cyber threats and how to report them, your organisation could be at risk of data breaches, financial loss, or damage to your reputation.

Why it matters

Without annual cyber security awareness training, personnel may misuse systems, miss incident reporting steps and contacts, and increase risk of compromise and data loss.

Operational notes

Deliver and track annual training for all personnel, covering purpose, contacts, authorised use, protection of resources, and how to report incidents and suspected compromises.

Implementation tips

  • HR should schedule annual training sessions: Ensure all staff are notified about mandatory cyber security awareness sessions. Create a calendar invite with clear details on timing and location, and send reminders.
  • The IT team should develop the training content: Focus the training on why cyber security matters, how to use systems safely, and how to spot and report potential threats. Use simple examples and relatable scenarios.
  • Managers should encourage attendance and participation: Explain to your team why this training is critical for protecting our organisation. Offer incentives or recognition for those who contribute ideas and questions during the session.
  • Appoint a security contact person: Identify a dedicated person or team who staff can approach with questions or to report security issues. Clearly communicate their contact details during the training.
  • Gather feedback and improve each year: After the training, survey the attendees to gather their input on how engaging and useful the content was. Use this feedback to refine next year's training materials.

Audit / evidence tips

  • Ask for the training schedule: request the calendar entries or communications sent out for the cyber security training.

    Good: the schedule shows clear dates, notes that attendance is mandatory, and shows reminders were sent out.

  • Ask how the training content was delivered and what staff learned.

    Good: the HR manager explains the process, and a staff member can recall key learnings and understands their importance.

  • Good: the training content set includes plain language explanations of risks, system use, protection strategies, and incident reporting.

  • Good: the session uses interactive and relatable examples, with active participation from attendees.

  • Ask for any surveys or feedback forms given post-training.

    Good: the feedback shows areas for improvement identified and specific actions taken in response.

Cross-framework mappings

How ISM-0252 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Relationship: Partially overlaps (1)
  Control: Annex A 6.3
  Notes: Annex A 6.3 requires an organisation-wide information security awareness, education and training programme with regular updates aligned t...

Relationship: Supports (1)
  Control: Annex A 6.8
  Notes: Annex A 6.8 requires the organisation to provide defined channels and mechanisms so people can promptly report security events and suspec...

E8

Relationship: Depends on (1)
  Control: E8-MF-ML2.10
  Notes: E8-MF-ML2.10 requires prompt reporting of cyber security incidents to the CISO (or delegate).
