The Training and Awareness module supports ISO 27001 Clause 7.2 (Competence) and Clause 7.3 (Awareness). Clause 7.2 requires the organisation to determine the necessary competence of persons doing work that affects information security performance, ensure those persons are competent, and retain documented evidence of competence. Clause 7.3 requires that all persons working under the organisation's control are aware of the information security policy, their contribution to ISMS effectiveness, and the implications of not conforming.
Creating a Training Record
1. Click "Add Training" and enter the training title, select the training type, and set the date and duration.
2. Enter the trainer or provider name, and select attendees from your organisation's users. You can select multiple attendees.
3. Provide a summary of the training content and learning objectives in the Content Summary field.
4. Enter the assessment score if applicable. Set the completion status.
5. Attach evidence such as attendance sheets, certificates, presentation slides, or assessment results.
6. Click "Save" to add the training record to the register.
Form Fields Reference
| Field | Type | Required | Description |
|---|---|---|---|
| Training Title | Text input | Required | Descriptive name for the training activity. Example: "New Joiner Security Induction", "2026 Annual Security Awareness Campaign", "Secure Coding for Developers" |
| Training Type | Select dropdown | Optional | The category of training. Select from: Induction, Role-Based, Awareness Campaign, Technical Skills, Phishing Simulation, Policy Acknowledgement (see detailed descriptions below) |
| Date | Date picker | Optional | The date the training was delivered or is scheduled |
| Duration | Text input | Optional | Length of the training. Free-text format. Examples: "30 minutes", "2 hours", "Full day" |
| Trainer / Provider | Text input | Optional | Name of the person or organisation delivering the training. Example: "Internal - IT Security Team", "KnowBe4", "SANS Institute" |
| Attendees | Multi-select | Optional | Select participants from your organisation's user list. Multiple selections allowed. The system tracks individual completion for reporting. |
| Content Summary | Textarea | Optional | Description of the training content, learning objectives, and key topics covered. This documents what competence or awareness the training addresses. |
| Assessment Score | Number (0–100) | Optional | Average score achieved on any post-training assessment, quiz, or test. Used to measure knowledge retention and training effectiveness. |
| Completion Status | Select dropdown | Optional | Current status: Scheduled (planned but not yet delivered), In Progress (currently running, e.g., multi-session programme), Completed (delivered and all participants finished), Cancelled (no longer taking place) |
| Evidence | File upload | Optional | Upload supporting evidence: attendance sheets, signed registers, completion certificates, presentation materials, quiz results, screenshots of e-learning completion |
Training Type Options
| Type | Description | ISO 27001 Reference | Typical Audience |
|---|---|---|---|
| Induction | Security induction training for new joiners. Covers the information security policy, acceptable use, incident reporting, and individual responsibilities. Delivered within the first week of employment. | Clause 7.3 (Awareness), A.6.2, A.6.3 | All new employees, contractors, and temporary staff |
| Role-Based | Specialised training for specific roles with particular information security responsibilities. Tailored to the competence requirements of the role. | Clause 7.2 (Competence), A.6.3 | System administrators, developers, incident responders, risk managers, data protection officers |
| Awareness Campaign | Organisation-wide security awareness activities. May include presentations, posters, newsletters, videos, or interactive sessions on specific topics. | Clause 7.3 (Awareness), A.6.3 | All employees |
| Technical Skills | Technical training to develop or maintain specific cybersecurity skills. Examples: secure coding, penetration testing, cloud security, forensics. | Clause 7.2 (Competence) | IT and security team members |
| Phishing Simulation | Simulated phishing exercises to test employee awareness and response to social engineering attacks. Tracks click rates and report rates, and provides targeted training for those who fail. | A.6.3, A.5.24 | All employees with email access |
| Policy Acknowledgement | Formal acknowledgement that employees have read and understood key information security policies. Typically conducted annually or when policies are updated. | Clause 7.3 (Awareness), A.5.1 | All employees |
Awareness Metrics
The module provides metrics dashboards to measure the effectiveness of your training and awareness programme:
Completion Rates
Track the percentage of required training completed across your organisation. Filter by training type, department, or time period. Identify employees with outstanding training requirements.
Assessment Averages
View average assessment scores across training sessions and types. Identify topics where scores are consistently low, indicating areas needing additional focus or different training approaches.
Phishing Test Results
For phishing simulation exercises, track:
- Click rate — percentage of recipients who clicked the simulated phishing link
- Report rate — percentage who correctly reported the phishing email
- Trend over time — are click rates decreasing and report rates increasing?
- Repeat offenders — employees who fail multiple simulations and require targeted intervention
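
The four phishing metrics above can be reproduced outside the dashboard from per-recipient simulation results. The following is an added example, not the module's own code or export format. It assumes a constructed record layout of (campaign, user, clicked, reported) and treats a click as a failed simulation.

```python
from collections import Counter

# Constructed sample data: one row per recipient per simulation.
# The layout (campaign, user, clicked, reported) is an assumption,
# not the module's export format.
RESULTS = [
    ("2026-Q1", "alice", True,  False),
    ("2026-Q1", "bob",   True,  True),   # clicked, then reported: counts in both rates
    ("2026-Q1", "carol", False, True),
    ("2026-Q1", "dave",  False, False),
    ("2026-Q2", "alice", True,  False),
    ("2026-Q2", "bob",   False, True),
    ("2026-Q2", "carol", False, True),
    ("2026-Q2", "dave",  False, True),
]

def campaign_rates(results):
    """Return {campaign: (click_rate_pct, report_rate_pct)}, sorted by campaign id."""
    sent, clicks, reports = Counter(), Counter(), Counter()
    for campaign, _user, clicked, reported in results:
        sent[campaign] += 1          # denominator is recipients, not clickers
        clicks[campaign] += clicked
        reports[campaign] += reported
    return {c: (round(100 * clicks[c] / sent[c], 1),
                round(100 * reports[c] / sent[c], 1))
            for c in sorted(sent)}

def trend(rates):
    """Percentage-point change in (click, report) rate from first to last campaign."""
    ordered = list(rates.values())
    if len(ordered) < 2:
        return (0.0, 0.0)            # no trend with fewer than two campaigns
    first, last = ordered[0], ordered[-1]
    return (round(last[0] - first[0], 1), round(last[1] - first[1], 1))

def repeat_offenders(results, min_failures=2):
    """Users who clicked in at least min_failures simulations (assumed threshold)."""
    failures = Counter(user for _c, user, clicked, _r in results if clicked)
    return sorted(u for u, n in failures.items() if n >= min_failures)

if __name__ == "__main__":
    rates = campaign_rates(RESULTS)
    print(rates, trend(rates), repeat_offenders(RESULTS))
```

A negative click-rate change together with a positive report-rate change is the healthy direction described in the trend metric.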
Annual Training Plan
Create an annual training plan by scheduling training records with future dates and "Scheduled" status. This provides:
- A calendar view of planned training activities
- Coverage analysis — ensuring all required training types are planned
- Resource planning for training budgets and time allocation
- Evidence of a planned and systematic approach (required by auditors)