Content library
Cyber security training
Staff guidance and training procedure in cyber security

Other tasks from the same security theme

Task name
Priority
Status
Theme
Policy
Other requirements
Staff guidance and training procedure in cyber security
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
48
requirements

Examples of other requirements this task affects

29. Processing under the authority of the controller or processor
GDPR
32. Security of processing
GDPR
7.2.1: Management responsibilities
ISO 27001
7.2.2: Information security awareness, education and training
ISO 27001
4 §: Tiedonhallinnan järjestäminen tiedonhallintayksikössä
TiHL
See all related requirements and other information from tasks own page.
Go to >
Staff guidance and training procedure in cyber security
1. Task description

Our organization has defined procedures for maintaining staff's cyber security awareness.These may include e.g. the following things:

  • staff receive instructions describing the general guidelines of digital security related to their job role
  • staff receive training to maintain the appropriate digital and cyber security skills and knowledge required for the job role
  • staff demonstrate through tests that they have the security skills and knowledge required for the job role

Training should focus on the most relevant security aspects for each job role and include often enough the basics, which concern all employees:

  • employee's personal security responsibilities (e.g. for devices and processed data)
  • policies relevant for everyone (e.g. security incident reporting)
  • guidelines relevant for everyone (e.g. clean desk)
  • organization's security roles (who to contact with problems)
Maintaining a log of cyber security trainings
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
23
requirements

Examples of other requirements this task affects

7.2.2: Information security awareness, education and training
ISO 27001
T11: Turvallisuuskoulutus ja -tietoisuus
Katakri
6.1: Tietojärjestelmien käyttäjiltä vaadittava koulutus ja kokemus
Omavalvontasuunnitelma
PR.AT-1: Awareness
NIST
HAL-13: Koulutukset
Julkri
See all related requirements and other information from tasks own page.
Go to >
Maintaining a log of cyber security trainings
1. Task description

A log is kept of the cyber security training events provided by the organization to its staff. The log can be used to show what kind of specific investments the organization has made towards staff's cyber security expertise.

For each training the documentation should include:

  • Time
  • Topics and duration of the training
  • Training method and trainer
  • Staff involved in the training
Ensuring coverage of relevant topics on personnel training and guidance processes
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
2
requirements

Examples of other requirements this task affects

2.1.3: Staff training
TISAX
See all related requirements and other information from tasks own page.
Go to >
Ensuring coverage of relevant topics on personnel training and guidance processes
1. Task description

The organisation should have a procedure for training and guidance of its personnel. These procedures should include and cover at least the following topics:

  • Information security policies.
  • Reporting of security incidents.
  • Response to malware incidents.
  • User account and login information policies (e.g., password policies).
  • Compliance with information security regulations.
  • Use of non-disclosure agreements (NDAs) when sharing sensitive information.
  • Use of external IT services.

The training program should identify specific groups of employees who require this training, such as administrators, those with access to customer networks, and manufacturing personnel.

The training concept must be approved by responsible management. Conduct training and awareness programs regularly and in response to specific events. Ensure that employees know who to contact for information security concerns.

Arranging specific data protection training for personnel
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
1
requirements

Examples of other requirements this task affects

9.7.2: Employee data protection training
TISAX
See all related requirements and other information from tasks own page.
Go to >
Arranging specific data protection training for personnel
1. Task description

The organization must have a training program defined for personnel regarding data protection. The trainings should take into account the protection need of data when determining the scope, frequency and content of the training.

Personnel who work in critical areas (e.g. IT administrators) must be trained and instructed taking into account their work. They should have specific training courses and instructions.

Top management cyber security training
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
2
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Top management cyber security training
1. Task description

The top management and the people responsible for the risk management system of the organization must take appropriate cyber security training. The training ensures that their skills and knowledge are sufficient for determining the risks, assessing the cyber security management practices and overall governing and leading the process.

The management body should undergo training at least every two years to keep their knowledge and skills relevant and up-to-date. The training should reflect the organizational needs and be kept in line with the organizational cyber security policies.

Establishing and maintaining security awareness training
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Establishing and maintaining security awareness training
1. Task description

The organization enhances security culture by developing comprehensive training materials, requiring onboarding and annual refresher training, and customizing sessions by role and department. It regularly updates training content, and tracks participation to ensure compliance and accountability.

Training workforce on causes of unintentional data exposure
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Training workforce on causes of unintentional data exposure
1. Task description

The organization enhances data security awareness by training employees on best practices for handling sensitive data securely, demonstrating the risks of portable device loss, guiding secure document sharing, and raising awareness about public sharing pitfalls. Regular security drills and open incident reporting channels further reinforce the importance of safeguarding data.

Training workforce on identifying and reporting of missing security updates
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Training workforce on identifying and reporting of missing security updates
1. Task description

The organization strengthens its security posture by training employees on the importance of software updates, instructing them on verifying updates, and recognizing automated process failures. Clear reporting procedures, real-world simulations, and fostering a proactive incident response culture further improve the workforce's ability to maintain system security and quickly address potential vulnerabilities.

Conducting role-specific security awareness and skills training
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Conducting role-specific security awareness and skills training
1. Task description

The organization enhances its security training by developing role-specific modules, providing secure system administration courses for IT staff, offering OWASP Top 10 vulnerability training for developers, and delivering advanced social engineering awareness for high-risk roles.

Reminding personnel about their cyber security responsibilities
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
8
requirements

Examples of other requirements this task affects

21.2.g: Cyber hygiene practices and training
NIS2
2.1.3: Staff training
TISAX
9.11 §: Perustason tietoturvakäytännöt ja henkilöstön vastuu
Kyberturvallisuuslaki
See all related requirements and other information from tasks own page.
Go to >
Reminding personnel about their cyber security responsibilities
1. Task description

The organization needs to remind employees of their roles and security responsibilities. The reminder reinforces staff security awareness, safe practices and compliance with guidelines and legal requirements related to their job role.

Arranging training and guidance during orientation (or before granting access rights)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
22
requirements

Examples of other requirements this task affects

7.3: Termination and change of employment
ISO 27001
7.3.1: Termination or change of employment responsibilities
ISO 27001
9.2.2: User access provisioning
ISO 27001
4 §: Tiedonhallinnan järjestäminen tiedonhallintayksikössä
TiHL
PR.IP-11: Cybersecurity in human resources
NIST
See all related requirements and other information from tasks own page.
Go to >
Arranging training and guidance during orientation (or before granting access rights)
1. Task description

Before granting access rights to data systems with confidential information employees have:

  • received appropriate guidance on their security responsibilities (including reporting responsibilities and responsibility for their own devices)
  • received appropriate guidance on their security roles related to their own role (including digital security rules related to their role and information systems and their acceptable use)
  • received information from cyber security contacts who can be asked for more information
Evaluating the efficiency of arranged training
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
7
requirements

Examples of other requirements this task affects

7.2.2: Information security awareness, education and training
ISO 27001
6.3: Information security awareness, education and training
ISO 27001
21.2.f: Assessing effectiveness of security measures
NIS2
9.1 §: Toimien vaikuttavuuden arviointi
Kyberturvallisuuslaki
See all related requirements and other information from tasks own page.
Go to >
Evaluating the efficiency of arranged training
1. Task description

The effectiveness of cyber security training is regularly evaluated. The evaluation may include e.g. the following perspectives:

  • Is the competence of the staff deep enough?
  • Are the training methods and amounts correct?
  • Are different units trained in the right things?
  • Is the staff motivated to learn?
  • Does the staff understand the reasons for the training (e.g. what kind of negative effects can a cyber security breach have?


Regular unit-based cyber security communication
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
6
requirements

Examples of other requirements this task affects

7.2.2: Information security awareness, education and training
ISO 27001
CC2.2: Internal communication of information
SOC 2
PR.AT-1: All users are informed and trained.
CyberFundamentals
4.4.4: Communicate and share findings with relevant stakeholders
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Regular unit-based cyber security communication
1. Task description

By informing the units on the most important cyber security issues for them and in the language they understand, great strides can be made at the level of cyber security as staff have a better understanding of why different policies and rules apply. Informing can include distributing cyber guidelines in small chunks, various campaigns (e.g. “Security Day”), leaflets, newsletters, competitions or other similar elements.

Security informing may also be referred to as an "awareness program".

Training personnel with a changed role
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
8
requirements

Examples of other requirements this task affects

7.3: Termination and change of employment
ISO 27001
7.3.1: Termination or change of employment responsibilities
ISO 27001
PR.IP-11: Cybersecurity in human resources
NIST
6.5: Responsibilities after termination or change of employment
ISO 27001
PR.IP-11: Cybersecurity is included in human resources practices (deprovisioning, personnel screening…).
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Training personnel with a changed role
1. Task description

Training arranged before granting access rights applies not only to new employees but also to those who move to new tasks or roles, especially when the data systems used by the person and the security requirements related to the job role change significantly with the change of job role. The training is arranged before the new job role becomes active.

Training the use of security systems and reporting of malware attacks
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
4
requirements

Examples of other requirements this task affects

12.2: Protection from malware
ISO 27001
7.2.2: Information security awareness, education and training
ISO 27001
12.2.1: Controls against malware
ISO 27001
8.7: Protection against malware
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Training the use of security systems and reporting of malware attacks
1. Task description

Our organization has defined procedures and responsibilities for protecting systems from malware and trains staff to use the protections and to report and recover from malware attacks.

Incorporating real-life security incidents in staff training
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Cyber security training
1
requirements

Examples of other requirements this task affects

4.4.4: Communicate and share findings with relevant stakeholders
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Incorporating real-life security incidents in staff training
1. Task description

The organization should use real-life scenarios of security incidents in its training materials to train staff and raise awareness. By simulating actual events, employees can better understand potential risks, identify vulnerabilities, and respond more efficiently during real incidents.

Universal cyber compliance language model: Comply with confidence and least effort

In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.

Security frameworks tend to share the common core. All frameworks cover basic topics like risk management, backup, malware, personnel awareness or access management in their respective sections.
Cyberday’s universal cyber security language technology creates you a single security plan and ensures you implement the common parts of frameworks just once. You focus on implementing your plan, we automate the compliance part - for current and upcoming frameworks.
Start your free trial
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.