ISM-0252 policy ASD Information Security Manual (ISM)

Annual Cyber Security Awareness for Personnel

All staff receive yearly training on using and protecting systems, and reporting incidents.


Plain language

Cyber security awareness training is like giving everyone in your organisation the knowledge they need to safely use and protect computers and data. It's important because if staff aren't aware of cyber threats and how to report them, your organisation could be at risk of data breaches, financial loss, or damage to your reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Cyber security awareness training is undertaken annually by all personnel and covers:
  • the purpose of the cyber security awareness training
  • security appointments and contacts
  • authorised use of systems and their resources
  • protection of systems and their resources
  • reporting of cyber security incidents and suspected compromises of systems and their resources.

Why it matters

Without annual cyber security awareness training, personnel may misuse systems, miss incident reporting steps and contacts, and increase risk of compromise and data loss.


Operational notes

Deliver and track annual training for all personnel, covering purpose, contacts, authorised use, protection of resources, and how to report incidents and suspected compromises.


Implementation tips

  • HR should schedule annual training sessions: Ensure all staff are notified about mandatory cyber security awareness sessions. Create a calendar invite with clear details on timing and location, and send reminders.
  • The IT team should develop the training content: Focus the training on why cyber security matters, how to use systems safely, and how to spot and report potential threats. Use simple examples and relatable scenarios.
  • Managers should encourage attendance and participation: Explain to your team why this training is critical for protecting our organisation. Offer incentives or recognition for those who contribute ideas and questions during the session.
  • Appoint a security contact person: Identify a dedicated person or team who staff can approach with questions or to report security issues. Clearly communicate their contact details during the training.
  • Gather feedback and improve each year: After the training, survey the attendees to gather their input on how engaging and useful the content was. Use this feedback to refine next year's training materials.

Audit / evidence tips

  • Ask: The training schedule. Request the calendar entries or communications sent out for the cyber security training. Good: The schedule shows clear dates and mandatory attendance notes, and reminders were sent out.
  • Ask: How the training content was delivered and what attendees learned. Good: The HR manager explains the process, and a staff member can recall the key learnings and explain why they matter.
  • Good: The training materials include plain language explanations of risks, authorised system use, protection strategies, and incident reporting.
  • Good: The session uses interactive and relatable examples, with active participation from attendees.
  • Ask: Any surveys or feedback forms given after the training. Good: Areas for improvement were identified and specific actions were taken in response.

Cross-framework mappings

How ISM-0252 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

  • Annex A 6.3 (partially overlaps): Annex A 6.3 requires personnel and relevant interested parties to receive appropriate information security awareness, education, and trai...
  • Annex A 6.8 (supports): Annex A 6.8 requires the organisation to provide defined channels and mechanisms so people can promptly report security events and suspec...

E8

  • E8-MF-ML2.10 (depends on): E8-MF-ML2.10 requires prompt reporting of cyber security incidents to the CISO (or delegate).

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
