ISM-2022: ASD Information Security Manual (ISM)

Develop and Maintain Cyber Security Training Register

Maintain a record of all cyber security awareness training activities within an organisation.

Plain language

This control is about keeping track of who in your organisation has been trained on cyber security awareness. It's important because if you don't know who's been trained, your staff might miss out on vital information, leading to mistakes that could harm your business, such as data breaches or loss of customer trust.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

A cyber security awareness training register is developed, implemented and maintained.

Why it matters

Without a cyber security training register, staff training gaps go untracked, increasing phishing success and accidental data disclosure.

Operational notes

Update the training register for new starters and completions; track overdue training and run refreshers when threat guidance changes.

Implementation tips

  • Business owners or managers should create a training schedule and registration list. Identify who needs cyber security awareness training and set up a timetable. Use a simple spreadsheet to keep track of who attends the sessions and what topics are covered.
  • Office manager or HR should ensure new staff are added to the register. Whenever new employees join, make it a part of the onboarding process to add them to the training schedule. This can be done using the same spreadsheet or software where you track ongoing training.
  • IT team should collaborate with managers to update training materials. Regularly check with the Australian Cyber Security Centre (ACSC) for the latest threats and update your training sessions accordingly. This ensures that training is relevant and on point.
  • The compliance officer or equivalent should review and update the register quarterly. Look over the register every three months to ensure it is accurate and up to date. This involves checking entries against employee records and upcoming training schedules.
  • The organisation's leadership should promote the importance of cyber security training. Encourage staff to see cyber security as a shared responsibility by regularly talking about why it matters and acknowledging those who actively participate in training.

Audit / evidence tips

  • Ask: The cyber security training register. Request access to the document or system where training attendance is recorded.
  • Ask: A sample communication about training. Request to see how upcoming training sessions are communicated to staff. Check that the communication is clear and reaches all intended participants. Good practice includes emails or notices sent to all staff with detailed session information.
  • Good: Would show at least 80% attendance with make-up sessions for those who missed.
  • Ask: Evidence of regular review of the training register. Request any meeting notes or reports where the training register was discussed.

Cross-framework mappings

How ISM-2022 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

Control: Annex A 6.3
Notes: ISM-2022 requires an organisation to develop, implement and maintain a cyber security awareness training register to record all awareness...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
