What is a security awareness training program?

A security awareness training program is the documented set of activities a workforce completes so that staff can recognise and respond to security risks they encounter in their daily work. A working program defines the audiences, the content tracks each audience receives, the delivery cadence, the assessment that confirms understanding, the evidence trail that proves completion, and the metrics that show whether the program is changing behaviour. The program covers the general workforce and adds role-specific tracks for engineering, GRC, finance, executive leadership, support staff, and any role with privileged access. Compliance frameworks treat the program as a control rather than as a single training course, and the auditor will ask for evidence of design, completion, and operation.

How often should security awareness training be delivered?

Operate the program on a layered cadence rather than as an annual single event. New hires complete the baseline track in the first thirty days, before they are granted access to systems that handle restricted data. The full workforce refreshes the baseline annually with content that has been updated to reflect the current threat picture rather than recycled from the prior cycle. Privileged roles (engineers, GRC analysts, finance approvers, executives) receive additional role tracks at least annually, with shorter targeted updates when a control gap or incident creates a learning case. Phishing simulation exercises run on a separate cadence (typically monthly or quarterly) and feed back into content design rather than acting as the program itself.

What does SOC 2 require for security awareness training?

SOC 2 covers awareness training under Common Criteria CC2.2 (the entity communicates information about its objectives and the responsibilities of those involved with internal control), with implementation evidence drawn from CC1.4 (workforce competence) and the human-resources control set. The auditor will ask to see the training content, the audience assignment, completion records by user with timestamps, the corrective action taken when staff miss the deadline, the policy that defines the program, and evidence that new hires complete the baseline before they are granted production access. SOC 2 does not prescribe a vendor or a specific course; it asks the entity to evidence that the program is designed, completed, and operating as intended.

What does ISO 27001 require for security awareness training?

ISO 27001 references awareness, education, and training under control 6.3 (formerly A.7.2.2 in the 2013 edition) and weaves awareness obligations through the people and operations control set. The auditor will ask for the training plan, the evidence of delivery, the records of completion by individual, the disciplinary process for non-completion, the awareness materials covering the topics named in the policy, and evidence that staff are aware of their role in the information security management system. ISO assessors are particularly attentive to whether the program adapts when the risk picture changes (new threat patterns, control gaps from internal audit, lessons from incident review).

What does PCI DSS require for security awareness training?

PCI DSS Requirement 12.6 mandates a formal security awareness program for all personnel who could affect the security of the cardholder data environment. The program must include awareness on hire, ongoing reinforcement at least annually, materials that address the threats relevant to cardholder data, and acknowledgement that personnel have read and understood the security policy. The QSA will examine the program documentation, training content, completion records with dates by individual, the acknowledgement evidence, and the review history showing the program is updated as the threat picture evolves. PCI 12.6 sits alongside other personnel-facing controls including background screening (12.7) and incident response training (12.10.4 and 12.10.5).

How do you measure the effectiveness of a security awareness program?

Distinguish completion metrics from effectiveness metrics. Completion metrics (percentage of workforce trained, days to completion, overdue count, exception count) prove the program is operating but say nothing about behaviour change. Effectiveness metrics (phishing simulation click rate by track, reporting rate of suspicious emails, time to report, near-miss disclosures, security policy acknowledgement freshness, incident root causes attributable to awareness gaps) measure whether staff are acting differently as a result of the program. Operate both sets and avoid letting the completion percentage become a proxy for the program working. A 100 percent completion rate alongside a static phishing click rate means the training is happening but not landing.

What evidence does an auditor expect for security awareness training?

The auditor expects a defensible evidence trail across four artefacts. First, the program documentation: the policy, the audience map, the content matrix, the cadence schedule, and the change history. Second, the content evidence: the training material itself or a representative sample, with version control and dates of update. Third, the completion records: who completed which course, when, and with what assessment outcome, exportable to support a sample request. Fourth, the corrective action evidence: how non-completion is escalated, what remediation occurs, and how exceptions are tracked and approved. Audit findings on awareness training are usually about the absence of the trail, not the absence of the training itself.

Who should run the security awareness program?

The program is owned by the security or GRC function but runs as a partnership. The security or GRC team owns content quality, the audience map, the risk-driven update cycle, and the audit evidence trail. Human resources owns the workforce roster, hire-date triggers for new-hire training, and any disciplinary process tied to non-completion. Engineering, product, and other functions own the role-specific tracks for their staff. Internal communications owns the cadence of broader awareness campaigns and the cultural language. Naming the owners explicitly is what prevents the program from becoming an unsupported initiative that nobody is accountable for between cycles.

← Back to Blog

Compliance10 May 202617 min read

Security Awareness Training Program Guide: Design, Deliver, Evidence

Most security awareness training programs underperform for one of three reasons. They are stitched together from a vendor course nobody reviews, completion is treated as the outcome rather than as the proof of operation, or the audit evidence trail is reconstructed retroactively when the assessor arrives. The result is a program that consumes calendar time and budget without changing behaviour, that lands on the audit findings list under SOC 2 CC2.2 or ISO 27001 control 6.3 or PCI DSS Requirement 12.6, and that gets cited in incident post-mortems as a contributing factor. This guide walks security and GRC leaders through how to design a program that holds up under audit and actually moves the needle: how to map the audiences and content tracks, set the layered cadence, run the new-hire and annual refresh flows, treat phishing simulation as feedback rather than as the program itself, build the evidence trail across policy, content, completion, and corrective action, and operate the metrics set that distinguishes a program that runs from a program that works. The framework applies whether you are launching a first formal program, upgrading an existing one, or rationalising a sprawling set of training assets inherited from a previous owner.

Why Most Awareness Programs Underperform

The dominant failure mode is not the absence of training. Almost every regulated organisation has training of some kind. The failure mode is treating awareness training as a single-course annual event whose only evidence is the percentage of staff who watched a video. The program runs on the schedule, the completion percentage hits the threshold, and the work continues unchanged. The next phishing simulation clicks at the same rate as the last one. The next incident root-cause review still names a workforce knowledge gap as a contributing factor. The auditor still asks for the evidence trail and gets a screenshot of the LMS dashboard.

The pattern persists because awareness training is structurally easy to underperform at. Completion is countable; effectiveness is not. The vendor course is procured once and renewed automatically; the content review cadence is ambient. New hires are trained on a schedule that is not enforced by access provisioning; staff handle restricted data before the training closes. Role-specific risks are addressed inside the general training rather than as separate tracks; engineers, finance approvers, and executives sit through generic content that does not move their behaviour.

A working program inverts the pattern. Audiences are mapped explicitly; content is matched to audience risk; cadence is layered so new hires, the general workforce, and privileged roles each receive what they need; phishing simulation produces feedback that updates the content; and the evidence trail is structured at the moment of delivery rather than reconstructed at the moment of audit. The framework below describes that program.

Map the Audiences Before Selecting the Content

The first design decision is the audience map. A general-workforce track addresses the risks every employee encounters: phishing, password and credential hygiene, social engineering, mobile and remote-work practices, data classification and handling, incident reporting, and the policy stack the workforce is bound by. The general track is the largest population and the foundation of the program, but it is not the program. Layer role-specific tracks on top.

Audience 1General workforce (foundation track)

Audience 2Engineering, product, and platform staff

Audience 3Finance, payments, and authorised approvers

Audience 4Executives and assistants

Audience 5GRC, audit, and risk staff

Audience 6Customer support and operations staff with elevated access

Audience 7Contractors, third parties, and embedded vendors

Audience 2: Engineering, product, and platform staff

Engineers receive a track that goes beyond phishing and password hygiene. The content covers secure coding patterns relevant to the language and framework the team works in, handling of secrets and credentials in source control, the team policy on AI assistants and secure code review for AI-generated code, the dependency-management discipline (lockfiles, vulnerable component handling, supply chain risk), the local development security model (laptop posture, local network controls, isolation of customer data), and the change management discipline that the engineering organisation operates inside. The track is owned jointly with engineering leadership so the content lands as professional development rather than as compliance theatre.

Audience 3: Finance, payments, and authorised approvers

Finance staff receive a track that addresses business email compromise, payment authorisation discipline, vendor change verification, wire fraud patterns, invoice manipulation, and the dual-control rules for high-value transactions. This audience is the highest-value target for social engineering attacks and is consistently the most expensive audience to underserve. The track is paired with the finance department operating procedures so the awareness content reinforces the workflow rather than replacing it.

Audience 4: Executives and assistants

Executive staff and their assistants receive a track on whaling, deepfake-enabled impersonation, calendar-based social engineering, travel risk and remote-access discipline, handling of sensitive information in informal settings, and the protocol when a request arrives outside normal channels. Executive assistants are an underprotected population in many programs because they are not sized as a separate audience; the volume of executive request traffic that flows through them and the privileged access they enable makes them a named track in mature programs.

Audience 5: GRC, audit, and risk staff

The GRC track is partly a reinforcement of the foundation track and partly a deeper treatment of the policy stack, the regulatory landscape the entity operates in, the evidence patterns auditors expect, and the discipline of writing exceptions and attestations that hold up under scrutiny. The track is short relative to the engineering track but high signal because the audience reads policies for a living and benefits from content that respects that.

Audience 6: Customer support and operations staff with elevated access

Support and operations staff often hold privileged access in production systems for legitimate operational reasons. The track covers the customer-data handling discipline, social engineering attempts originating from customer accounts, the impersonation patterns customers and attackers use, and the escalation protocol when a request looks unusual. The track is paired with the support tooling permission model so that the awareness content and the access control model agree on what good looks like.

Audience 7: Contractors, third parties, and embedded vendors

Contractors and embedded vendors complete the foundation track on the same cadence as staff, with adjusted content where the contract relationship changes the expectations. Skipping contractors is a recurring audit finding because PCI DSS, ISO 27001, and SOC 2 all treat contractor awareness as in scope when the contractor has access to the relevant environment. The track delivery cadence is enforced by the procurement and onboarding workflow so contractors do not slip through the audience map.

Choose Content That Matches the Risk Picture

Content selection is where most programs settle for the vendor default and pay for it later in audit findings and incident reviews. The vendor default is fine as a starting point for the foundation track. It is not a substitute for the content review cadence that keeps the program adapted to the current threat landscape and the lessons your own incidents are generating.

Operate content selection on three principles. First, the content matches the audience risk rather than being interesting in general. Engineers do not need an introduction to phishing; they need depth on credential handling and secrets discipline. Finance staff do not need a primer on password complexity; they need pattern recognition for business email compromise variants. Second, the content is updated when the threat picture moves. A ransomware tactic shift, a new social engineering pattern observed in incident review, a regulator advisory, or a sector-specific advisory all warrant a content refresh inside the cycle rather than at the next annual review. Third, the content is measurable. Each module ends with an assessment that captures whether the staff member has retained the practical content rather than just clicked through.

Audit attention has shifted in recent years toward whether the content reflects current threats. ISO 27001 surveillance auditors now routinely ask for the change history of the awareness materials and how the program responded to specific events the organisation documented. SOC 2 Type 2 reports increasingly include a content-update test alongside the completion test. Programs that operate a written content refresh schedule and keep the change history aligned to their threat intelligence and incident review record produce a cleaner audit narrative than programs that rely on a vendor renewal cycle.

Operate a Layered Cadence, Not a Single Annual Event

A program that runs once a year is a program that decays for fifty weeks of every fifty-two. A working program runs on a layered cadence that combines a baseline new-hire flow, an annual full-workforce refresh, role-specific updates, just-in-time content tied to incidents and threat intelligence, and a phishing simulation cadence that produces feedback into the rest of the program.

Cadence 1New-hire baseline

Every new hire and contractor completes the foundation track in the first thirty days and before access is granted to systems handling restricted data. The completion is a gate on the access provisioning workflow, not an aspiration. New hires who change role during the first cycle pick up the role-specific track at the role change.

Cadence 2Annual full-workforce refresh

The full workforce refreshes the foundation track annually with content that has been reviewed and updated against the current threat picture. The refresh window is bounded (commonly four to six weeks) so that completion data is comparable across cycles and the auditor sees the program operate inside a defined period rather than drift across the year.

Cadence 3Role-specific updates

Each role-specific audience completes its track at least annually, paired with shorter targeted updates when a control gap, audit finding, or incident creates a learning case. The update is short (ten to fifteen minutes), tied to a specific scenario, and evidenced separately from the annual refresh.

Cadence 4Just-in-time content

When an event warrants immediate workforce attention (a new phishing pattern observed in the wild, a vendor incident with disclosure obligations, a regulator advisory, a near-miss from incident review), the program issues a short focused message rather than waiting for the next refresh window. The message is logged so the audit narrative can show the program adapts in real time.

Cadence 5Phishing simulation

Phishing simulation runs on its own cadence (typically monthly or quarterly), with rotating templates calibrated to the audience and the current threat picture. The simulation produces feedback into the content cycle and the role-specific tracks. It is feedback, not the program. Treating phishing simulation alone as the program is a recurring failure pattern.

Programs that operate this layered cadence consistently produce an audit narrative the assessor can verify quickly. Programs that rely on a single annual event end up reconstructing the cadence retrospectively from email threads and screenshots, and end up negotiating with the auditor about whether ad hoc reminders constitute a control.

Phishing Simulation Is Feedback, Not the Program

Phishing simulation is the most measurable component of the program and therefore the component most often overpromoted into the centre of it. The instinct is understandable. Click rate is countable; behaviour change is hard to demonstrate; the click-rate trend line is the easiest chart to put on a slide. The trap is that programs that promote phishing simulation to the centre tend to optimise for the click-rate number rather than for the behaviour the program is meant to produce.

Operate phishing simulation as a feedback instrument that informs three things. The content cycle: which patterns the workforce is missing and what to teach next. The audience map: which audiences are over-clicking relative to baseline and need targeted reinforcement. The role-specific tracks: where the click pattern reveals a gap that general training will not close. The simulation cadence is monthly or quarterly depending on the size of the workforce, the templates rotate so staff cannot pattern-match on a single sender, and the report-rate metric is treated as at least as important as the click-rate metric.

Avoid the punitive failure mode. Phishing simulations that treat clicks as a disciplinary event rather than as a learning event tend to produce a workforce that hides incidents and avoids reporting suspicious messages. The same simulations operated as learning events with calm escalation produce a workforce that reports more, reports faster, and protects the rest of the program in doing so. The cultural setting around the simulation is part of the program design, not an afterthought.

Map the Program to the Compliance Stack

A program that satisfies one framework while leaving another exposed is a program that will be rebuilt under audit pressure. Map the program once against the full compliance stack the entity is subject to, and let the same program produce evidence for each framework rather than building parallel programs.

The mapping below is illustrative for the most common frameworks. Frameworks the entity does not operate under are removed; frameworks the entity is adding are evaluated against the same program design before assuming a rebuild is required.

SOC 2

Common Criteria CC1.4 (workforce competence) and CC2.2 (communication of objectives and responsibilities) anchor the program. Evidence is the policy, the audience map, content samples with version history, completion records by user with timestamps, and the corrective action trail for non-completion. See the SOC 2 compliance guide for startups for the wider control mapping.

ISO 27001

Control 6.3 (information security awareness, education, and training) plus the people-control set under clause 7. The auditor expects training plan, delivery evidence, completion records by individual, disciplinary process for non-completion, and content alignment to the risk treatment plan. See the ISO 27001 audit checklist for adjacent control evidence.

PCI DSS

Requirement 12.6 mandates the formal awareness program for personnel who could affect cardholder data. The QSA examines program documentation, content, completion records with dates, acknowledgement evidence, and review history. Cross-reference with the PCI DSS compliance software guide for the wider control surface.

HIPAA

The Security Rule administrative safeguards under 164.308(a)(5) require a security awareness and training program for all members of the workforce, with periodic security updates. The OCR investigator looks for the program documentation, the evidence of periodic delivery, and the records of who completed what.

NIST 800-53

Control family AT (Awareness and Training) covers AT-1 (policy and procedures), AT-2 (literacy training and awareness), AT-3 (role-based training), AT-4 (training records), and AT-5 (contacts with security groups and associations). The same evidence trail satisfies the FedRAMP, CMMC, and federal-adjacent programs that inherit the NIST control set.

NIST CSF 2.0

The Govern (GV) and Protect (PR) functions reference awareness and training under outcomes such as PR.AT and GV.RR. Programs that map to the CSF use the same evidence trail as the underlying NIST 800-53 controls and can be cited at the framework-target conversation with the executive team.

DORA and NIS2

European financial sector and critical-entity regulations include explicit awareness obligations as part of the operational resilience and information security requirements. The same program serves both, with content adjustments to reflect the sector-specific scenarios the regulator references.

One program. One evidence trail. Multiple frameworks. The discipline of mapping once and evidencing once is what keeps the program operating instead of being torn apart for each audit cycle.

Build the Evidence Trail at Delivery, Not at Audit

Audit findings on awareness training are usually about the absence of the trail rather than the absence of the training. The training happened; the records are scattered across an LMS export, a chat thread, an email confirmation, a screenshot, and a personal recollection of who was reminded when. The auditor asks for the evidence in a structured way and the program produces a reconstructed answer that is harder to defend than a structured one.

Build the trail at the moment of delivery. Four artefacts cover most audit requests.

Program documentation. The policy that defines the program, the audience map, the content matrix linking each audience to its content modules, the cadence schedule, the change history, and the named owners across security or GRC, HR, and engineering. The document is reviewed annually and the change history shows the review.
Content evidence. The training material itself or a representative sample, with version control, dates of update, and a written record of what changed and why. The version history reflects the content review cadence and the just-in-time updates so the auditor can verify the program adapts to events.
Completion records. Who completed which course, when, and with what assessment outcome, exportable to support a sample request. New-hire training is timestamped against the hire date and the access provisioning event so the gate on access can be verified.
Corrective action evidence. How non-completion is escalated, what remediation occurs, the disciplinary process where applicable, the exception register entries with expiry dates, and the named approver for each exception. Programs without this artefact tend to find that 10 percent of the workforce is perpetually overdue and nobody is accountable for closing the gap.

The trail is structured at the moment the work happens, not at the moment the auditor asks. Programs that operate this discipline tend to produce evidence requests in hours rather than days, and tend to receive cleaner audit reports because the assessor can verify the control rather than negotiate about it.

Metrics: Completion vs Effectiveness

Awareness programs that report only completion metrics measure operation, not impact. Programs that report only phishing click rate measure one slice of impact and miss everything else. A working metrics set runs both alongside each other and reads them as complementary rather than substitutable.

Completion metrics

Workforce completion rate by audience and track.Held against the cycle window rather than the calendar year, so trend comparisons are meaningful.
New-hire completion rate against the thirty-day target.Tracked separately because the new-hire population turns over and skews aggregate completion if mixed in.
Days to completion distribution. The median day of completion is more informative than the percentage at the deadline. A program with a 90 percent completion rate but a median completion on day 28 of a 30-day window is a program with a deadline-driven workforce that is vulnerable to a hire-rate change.
Overdue count by audience and time bucket. Older overdue records signal a corrective-action gap rather than a normal operating tail.
Exception register size and expiry distribution.Exceptions that have outlived their original justification are a recurring audit finding pattern.

Effectiveness metrics

Phishing simulation click rate by audience and template.Read at the audience level rather than the workforce level so the trend signal is not washed out by audience-mix effects.
Phishing simulation report rate. The rate at which staff report suspicious messages, not just the rate at which they avoid clicking. A program that drives reporting up is producing a signal the security operations function can act on.
Time to report. The median time between message receipt and staff report. Faster reporting compresses incident detection windows and is the cleanest measurable behaviour the program drives.
Near-miss disclosures. The volume of voluntary disclosures of credential exposure, suspected social engineering, lost devices, or accidental data handling errors. A program that drives this number up is producing a culture that protects the organisation.
Incident root-cause attribution to awareness gaps.The proportion of incidents whose post-mortem cites a workforce-knowledge gap as a contributing factor. A program that is working drives this number down over time.
Policy acknowledgement freshness. The proportion of the workforce with a current acknowledgement of the security policy stack, with expiry-based refresh tied to the program cadence.

The same metrics framework that produces the broader programme indicators applies here. A consolidated indicator set that distinguishes operation from effectiveness is what the security program KPIs and metrics framework describes; the awareness program is one of the cleanest places to apply it.

Report the Program to Leadership and the Audit Committee

Awareness training reports tend to suffer from the opposite problem of most security reports. Where the rest of the program struggles to produce numbers, awareness produces so many numbers that the audience disengages from the report. The discipline is the same discipline as the rest of leadership reporting: lead with the outcome, present a small set of indicators, and reserve depth for the supporting record.

A working report has four sections. Section one names the operating state: the completion rate, the new-hire gate state, the cycle window, and any material exceptions. Section two presents the effectiveness indicators: phishing click and report rates, time to report, and the trend against the prior two cycles. Section three names the events that updated the program inside the cycle: incidents that produced a learning case, threat intelligence that triggered just-in-time content, and audit findings that drove a content refresh. Section four identifies the next-cycle priorities: which audiences need additional reinforcement, which content modules need refresh, and any change to the program design under consideration.

The same operating record that powers leadership reporting elsewhere in the programme powers this report. The completion data, the exception register, the corrective action trail, and the related incident and finding records all live alongside the rest of the engagement evidence rather than in a separate vendor portal. The security leadership reporting workflow describes the broader pattern; awareness is one section of the same report structure rather than a separate artefact.

A Reconcilable Operating Record for the Awareness Program

SecPortal does not deliver training content. It is the operating record that holds the evidence trail, the corrective action history, and the relationship to the rest of the security workflow so the awareness program is reconcilable with the rest of the programme evidence.

Document management holds the program policy, the content matrix, version-controlled training material, and acknowledgement records alongside the rest of the engagement documents. The activity log captures every state change with user and timestamp, exportable to CSV when an auditor or GRC reviewer asks for the operating record behind a completion claim. Team management with role-based access grounds the audience map in the same workspace where engagement work, scanner output, and finding lifecycle live, so the awareness owner can see the full operating context. Compliance tracking gives the program a place inside the broader control evidence map rather than as a standalone artefact.

For programs that already operate a learning management system, SecPortal is the evidence consolidation layer that connects the LMS completion record to the engagement record, the incident record, the audit cycle, and the broader control evidence trail. For programs running on spreadsheets and shared documents, SecPortal is the place the evidence stops being scattered and starts being reconcilable. The discipline is the same as the broader pattern described in the security budget allocation framework: a reconcilable operating record is what makes leadership and audit reporting defensible across cycles.

Common Failure Modes in Awareness Programs

Most underperforming awareness programs fail in a small number of recurring ways. Naming them up front makes them easier to avoid.

The annual single-event program. One vendor course completed once a year, with completion treated as the outcome. Decays for fifty weeks of every fifty-two and produces no behaviour change.
The ungated new-hire flow. New-hire training is scheduled but not enforced as a gate on access provisioning. Staff handle restricted data before the training closes and the audit narrative cannot defend the gate.
Generic content for privileged audiences. Engineers, finance approvers, and executives sit through the foundation track without role-specific tracks layered on. The audiences whose behaviour is highest leverage receive the lowest-leverage content.
Phishing simulation as the program. Click rate is the only number reported, the simulation cadence is the only operating cadence, and the workforce optimises for the simulation rather than for the underlying behaviour.
Punitive simulation handling. Clicks treated as disciplinary events. Reporting rate drops, the workforce hides incidents, and the security operations function loses signal.
The reconstructed evidence trail. Completion evidence assembled retrospectively from screenshots, email confirmations, and chat threads when the auditor asks. Produces audit findings on the trail rather than on the training.
The unreviewed content. Vendor content renewed on auto-renewal with no review against the current threat picture or the lessons from incident review. The auditor asks for the change history and finds nothing useful.
The contractor blindspot. Contractors and embedded vendors omitted from the audience map. Audit finding patterns under PCI DSS and ISO 27001 are consistent on this point.
Completion as the only metric. Effectiveness indicators absent or buried. Leadership reads a 100 percent completion rate alongside a static phishing click rate and treats the program as working when it is not.

Key Takeaways for Security Awareness Training

Map audiences before selecting content. A foundation track plus role-specific tracks for engineering, finance, executives, GRC, support, and contractors. Generic content for high-leverage audiences is the program underperforming by design.
Operate a layered cadence. New-hire baseline, annual full-workforce refresh, role-specific updates, just-in-time content, and phishing simulation feedback. Annual single-event programs decay.
Treat phishing simulation as feedback. Click rate and report rate inform content and audience design. Promoting simulation to the centre produces optimisation for the simulation rather than for behaviour.
Map once to the full compliance stack. One program, one evidence trail, multiple frameworks. SOC 2, ISO 27001, PCI DSS, HIPAA, NIST 800-53, CSF 2.0, DORA, and NIS2 all draw from the same record.
Build the evidence trail at delivery. Program documentation, content evidence, completion records, and corrective action history. Reconstructed trails produce audit findings on the trail rather than on the training.
Read completion and effectiveness together.Completion proves operation; effectiveness proves impact. A 100 percent completion rate alongside a static phishing click rate is a program that runs without working.
Bind awareness to the broader operating record.Document, activity log, audience assignment, and corrective action live alongside the rest of the engagement evidence so leadership and audit reporting are reconcilable across cycles.

Hold the awareness evidence trail alongside the rest of the security record

SecPortal consolidates the program documentation, version-controlled content, completion evidence, and corrective action history alongside engagement findings, scanner output, and audit evidence so the awareness program is reconcilable with the rest of the security operating record across leadership and audit cycles.

Start Free Trial See Compliance Tracking

Free tier available. No credit card required.