Security Awareness Training & Compliance — Know Your Standards

Security awareness training programs are vital for helping today's businesses tackle human cyber risk and reduce user-related breaches, but they're are also a must-have for many regulations and controls that your business might need to adhere to.

Problem is, the sheer number of regulations across the globe make it a tricky area to understand and navigate.

Here, we guide you through some of the most common standards and legislations that may require your business to implement a security awareness training program (please note - this list isn't exhaustive and there may be standards that you need to comply with which aren't covered).

Standards & Frameworks

Industry Codes

US Federal Laws & Regulations

International Laws & Regulations

US State Privacy Laws


Standards & Frameworks

ISO/IEC 27001 & 27002

The ISO 27001/2 clause 7.2.2 states that "all employees of the organization and, where relevant, contractors and third-party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function".

NCSC's Cyber Assessment Framework (CAF)

The National Cyber Security Centre's (NCSC) framework offers guidance on how to implement a security awareness training program that "appropriately supporting staff to ensure they make a positive contribution to the cyber security of essential functions."

The NCSC has also released some free security awareness training content, which you can find embedded in usecure uLearn platform.

NIST 800-53

As one of the most comprehensive security standards out there, NIST 800-53 requires federal agencies to develop, implement, and update a complete security training and awareness strategy to ensure that personnel understands privacy responsibilities and procedures.


COBIT (Control Objectives for Information and Related Technology) was developed by the IT Governance Institute (ITGI) and Information Systems Audit and Control Association (ISACA).

Although this standard doesn’t have a dedicated security awareness training section, it does reference the following:

  • PO6 Communicate management aims and direction.
  • PO7 Manage IT human resources.
  • DS7 Educate and train users.


The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Standard (CIP) states that "The Responsible Entity shall establish, document, implement, and maintain a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets receive ongoing reinforcement in sound security practices. The program shall include security awareness reinforcement on at least a quarterly basis".

Industry Codes


Under the PCI DSS (Payment Card Industry Data Security Standard) requirement 12.6.1, each organization within the payment card industry is required to implement a formal security awareness program to make all employees aware of the importance of cardholder data security.

Employees must be educated upon hire and then at least annually to keep staff up-to-date on new, amended or updated policies.

Federal Laws & Regulations

HIPAA (Health Insurance Portability & Accountability Act)

According to HIPAA’s (Health Insurance Portability and Accountability Act) Privacy and Security Rules, covered entities and business associates must implement a security awareness and training program for all members of its workforce, including management.

Gramm-Leach-Bliley Act (GLBA)

GLBA's security awareness training requirement encourages basic steps to maintain the security, confidentiality, and integrity of customer information.

These steps include:

  • Locking rooms and file cabinets where records are kept
  • Not sharing or openly posting employee passwords
  • Identify and report suspicious attempts to obtain customer information to designated personnel

FACTA – FTC Red Flags Rule

Under the FACTA, the FTC created the Red Flags Rule that requires financial institutions and creditors to train their employees about the various red flags they should be looking out for, and/or any other relevant aspect of the organization’s Identity Theft Prevention Program.

Federal Information Security Management Act (FISMA)

FISMA requires federal agencies to inform all personnel, contractors and other users of information systems, of the information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks.

Sarbanes-Oxley (SOX)

SOX requires public companies in the US to keep all business records for a minimum of five years. This means that it is vital for employees to be trained in securely collecting, accessing and backing up sensitive corporate data in order to comply with the regulation.

International Laws & Regulations

General Data Protection Regulation (GDPR)

Under the GDPR, it is mandatory to implement a security awareness training program that trains staff on the risks related to personal information that is processed, stored, or transmitted by companies, as well as the employees’ own responsibility to ensure data protection.

US State Privacy Laws

Many states in the US have their own individual privacy laws, and there are potentially thousands of local, state and federal standards that your organization might need to comply with. Here are some examples:

Texas Health Privacy Law - Texas’s Health Privacy Law requires employees to be trained about both the state’s law and HIPAA.

Massachusetts Data Security Law - This law mandates ongoing training to permanent and temporary staff in order to maintain a comprehensive information security program. The training should focus on reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing personal information.

The California Consumer Privacy Act of 2018 (CCPA) - With the CCPA, security awareness training needs to be provided to its employees regarding information security and risks. Any company doing business in California has to comply with the CCPA regulations related to the processing of personal data of California residents, even if they aren't located in California or the US.

Need security awareness training to ensure compliance?

Achieve security awareness training compliance standards with usecure, the leading Human Risk Management (HRM) platform:

Launch with ease: Assess each employees' security posture with a 10-minute gap analysis quiz that, from their answers, crafts user-tailored security awareness training programs.

Save time: Learning retention is maximised and productivity is left unhindered with bite-sized training courses that are automatically deployed each month.

Make compliance a breeze: Training performance, progress and adoption are tracked and demonstrated through granular reporting and ongoing human risk scoring.

Learn how usecure can help you achieve compliance