ISM-2071 policy ASD Information Security Manual (ISM)

Training on Managing Social Engineering Threats

Staff handling user accounts learn to identify and handle social engineering threats.


Plain language

This control is about teaching the people who manage user accounts how to recognise and deal with social engineering threats, such as phishing emails or fake phone calls. It matters because these staff are exactly who an attacker targets to get a password reset, a contact detail changed or an account handed over: if they are tricked, the attacker gains access to accounts and the confidential information behind them, which can lead to data breaches or financial loss.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS (non-classified, OFFICIAL: Sensitive, PROTECTED, SECRET, TOP SECRET)

ISM last updated

Aug 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Personnel dealing with user account details are advised of what social engineering attacks are, how to manage such situations and how to report them.

Why it matters

Without training on social engineering, staff handling account details may be tricked by phishing or impersonation into resetting a password, changing a recovery detail or disclosing account information, leading to credential compromise and unauthorised access to sensitive information. Training also needs to cover reporting, because a recognised but unreported attempt leaves the next target uninformed.


Operational notes

Run formal training at least annually for staff handling account details, covering what social engineering is, worked phishing and impersonation examples specific to their role (password-reset and account-change requests), the identity-verification step to take before acting on such a request, and the exact reporting path. Refresh it quarterly with updated scenarios, and run periodic mock-phishing or mock-call drills so that recognition and reporting are tested rather than assumed.


Implementation tips

  • Managers should organise regular training sessions for staff who handle user accounts. These sessions should cover examples of social engineering attacks, such as phishing emails or deceptive phone calls, and give staff concrete strategies to recognise and avoid them: treat urgency and appeals to authority as warning signs, verify the requester's identity through an independent channel (for example, calling back on a number already on record) before resetting a password or changing account details, and never act on the request while the requester is still on the line. Use role-playing scenarios and real-life examples to make the training engaging and memorable.
  • HR should update onboarding processes to include social engineering awareness. Introduce new hires to the basic concepts of social engineering during their first week, making sure they know how to report any suspicious encounters or requests. Provide a user-friendly guide they can refer back to as needed.
  • The IT team should develop a simple guide on identifying social engineering threats, tailored to the organisation's specific risks and to the account-related requests its staff actually receive. This guide should be easily accessible on the intranet and include contact information for reporting incidents. Update the guide regularly as new attacker tactics are observed.
  • Department heads should establish a clear reporting procedure for any suspected social engineering attempt, including attempts that did not succeed. Encourage staff to report without fear of blame, since a report made after a mistake is still far more useful than no report. Ensure they know who to contact and how to escalate the issue if needed. Follow up on incidents to assess and improve response measures.
  • Communications teams should regularly remind staff about the risks of social engineering through newsletters or bulletins. Highlight recent examples of attempted attacks and successful interventions by staff. This keeps the topic top-of-mind and encourages vigilance across the organisation.

Audit / evidence tips

  • Ask for: training attendance records. Request lists of employees who have completed training sessions on social engineering threats. Good evidence: comprehensive records showing regular training for all relevant staff.
  • Ask for: the onboarding training materials. Review the content for social engineering awareness included in new employee induction. Good evidence: a dedicated section on social engineering with up-to-date examples.
  • Ask for: the incident reporting procedure document. Request the official process for reporting suspected social engineering incidents. Good evidence: a straightforward, easy-to-follow process that all staff can access.
  • Ask for: communication samples. Request copies of newsletters or bulletins that mention social engineering. Good evidence: regular, engaging communications that keep the topic front and centre.
  • Ask for: the incident response log. Request logs of any reported social engineering incidents. Good evidence: prompt action on each report and a record of lessons applied to improve future responses.

Cross-framework mappings

How ISM-2071 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (1)
Annex A 6.8: ISM-2071 requires personnel who deal with user account details to be trained to recognise social engineering, manage attempted manipulati...

Related (1)
Annex A 6.3: Annex A 6.3 requires the organisation to provide role-relevant information security awareness, education, and training with regular polic...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
