Security Awareness Training: SOC 2 and ISO 27001 Guide 2026
Written by Deepika
The most expensive security breach a SaaS company can experience rarely starts with a sophisticated zero-day exploit or a nation-state-level attack. It starts with an employee clicking a phishing link, reusing a password across personal and work accounts, sending sensitive data to the wrong email address, or granting excessive access to a third-party application without understanding what they are authorizing. Human error is consistently the leading cause of security incidents across all industries and company sizes. Security awareness training is the organizational control designed to reduce that risk — and it is a formal requirement under both SOC 2 and ISO 27001.
What separates companies that satisfy security awareness training requirements on paper from those that build programs that genuinely reduce risk is the difference between treating training as a compliance checkbox and treating it as an ongoing operational investment. A once-annual video that employees click through in twelve minutes and immediately forget satisfies neither the letter nor the spirit of what SOC 2 and ISO 27001 require. A well-designed program that delivers relevant, role-appropriate content, tests employee understanding, tracks completion, and evolves as the threat landscape changes satisfies both, and actually makes your organization more secure.
This guide covers what SOC 2 and ISO 27001 specifically require for security awareness training, what a compliant program must contain, how to structure training for different employee roles, what evidence auditors look for, and how to build a program that delivers genuine risk reduction rather than compliance theater.
What SOC 2 Requires for Security Awareness Training
SOC 2 addresses security awareness training under the Common Criteria, specifically within the Control Environment and Human Resources sections, which feed into the broader security posture evaluated by the Trust Services Criteria.
CC1.4 requires that the organization demonstrate a commitment to competence. In practice, this means the organization ensures employees have the knowledge and skills to perform their responsibilities in ways that support information security. Security awareness training is the mechanism by which this commitment is operationalized across the employee population — ensuring that every employee understands the security risks relevant to their role and the organization's expectations for managing those risks.
CC1.1 requires that the entity demonstrate a commitment to integrity and ethical values. Training that covers acceptable use of company systems, data-handling expectations, and the consequences of security policy violations supports this criterion by ensuring employees understand organizational standards and the rationale behind them.
CC2.2 requires that the organization communicate information internally, including objectives and responsibilities for internal control. Security awareness training is one of the primary mechanisms for communicating security policies and employee responsibilities across the organization. An organization that has written a comprehensive information security policy but has made no effort to ensure employees have read, understood, and acknowledged it has a communication gap that SOC 2 auditors will identify.
CC9.2 addresses vendor and business partner management but also captures the concept of ensuring that individuals who interact with your systems — including contractors and temporary employees — understand their security obligations. Your training program should have a defined approach to ensure that non-employees with access to in-scope systems receive appropriate security orientation.
While SOC 2 does not specify a mandatory training frequency or a defined curriculum, auditors evaluating your security awareness training will look for evidence that the program is systematic, that coverage is comprehensive across the employee population, that completion is tracked, and that the content is relevant to the actual threats your organization faces. A training program that is clearly designed for a different type of organization, that uses generic content unrelated to your specific environment, or that has significant gaps in employee completion will generate findings.
What ISO 27001 Requires for Security Awareness Training
ISO 27001 is considerably more explicit than SOC 2 about security awareness training requirements. The 2022 version of the standard addresses training in multiple locations across its clauses and Annex A controls.
Clause 7.2 — Competence requires that the organization determine the necessary competence of persons doing work under its control that affects its information security performance, ensure those persons are competent on the basis of appropriate education, training, or experience, take action to acquire the necessary competence where gaps are identified, and retain documented evidence of competence. This clause requires that competence requirements be defined for different roles, not just that generic security training be provided to everyone.
Clause 7.3 — Awareness requires that persons doing work under the organization's control are aware of the information security policy, their contribution to the effectiveness of the information security management system, the implications of not conforming with the ISMS requirements, and the benefits of improved information security performance. Awareness is distinct from competence — competence is about having the skills to do something, awareness is about understanding why it matters and what the consequences of failure are.
Annex A Control 6.3 — Information Security Awareness, Education and Training requires that personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education, and training, and regular updates on the organization's information security policies and procedures, as relevant to their job functions. The phrase "as relevant to their job functions" is significant — ISO 27001 explicitly recognizes that different roles have different training needs and that a one-size-fits-all training program does not satisfy the standard's intent.
Annex A Control 6.4 — Disciplinary Process requires that a disciplinary process be formalized and communicated to take action against personnel who have committed an information security policy violation. This is adjacent to training — employees need to understand not just what the policies are, but what happens when they are not followed. Your training program should address the consequences of policy violations as part of its curriculum.
The ISO 27001 requirement for documented evidence of competence means that your training program must produce records — completion records, assessment results, acknowledgment signatures — that demonstrate individual employees have received and understood security training. Generic training completion statistics are insufficient. You need the ability to demonstrate that specific named individuals completed specific training on specific dates.
Designing a Security Awareness Training Program That Satisfies Both Frameworks
Because SOC 2 and ISO 27001 both require security awareness training, companies pursuing both frameworks can build a single program that meets both sets of requirements. The ISO 27001 requirements are more specific, so a program designed to satisfy ISO 27001 will generally satisfy SOC 2 as well.
A compliant security awareness training program has six structural components.
Component 1 — Onboarding Training
Every new employee should complete security awareness training as part of their onboarding process before being granted access to production systems or sensitive data. Onboarding training serves two purposes: it ensures that new employees understand security expectations from the start of their employment, and it creates an evidentiary record demonstrating that every employee received training at the point of access provisioning.
Onboarding training should cover the organization's information security policy and its implications for employee behavior, the data classification system and how employees should handle different categories of information, acceptable use of company systems and devices, password requirements and multi-factor authentication setup, phishing and social engineering awareness, the process for reporting suspected security incidents, and the consequences of security policy violations.
Completion of onboarding training should be a prerequisite for provisioning full system access — a requirement captured in the SOC 2 readiness checklist for SaaS startups. This is both a security control and an evidence requirement — it ensures that access is not granted until the employee has demonstrated awareness of their security obligations, and it creates a documented link between training completion and access provisioning that auditors can verify.
Component 2 — Annual Refresher Training
Annual refresher training ensures that the entire employee population maintains current security awareness regardless of how long they have been with the organization. It also provides an opportunity to address new threats, update policies, and share lessons learned from security incidents from the previous year.
Annual refresher training should not simply repeat onboarding content. Employees who have been with the organization for two or three years do not need to be told again what phishing is. Annual refresher training should build on foundational knowledge with content that is current, specific to recent threats and incidents in your industry, and relevant to the evolving threat landscape. Practical exercises — simulated phishing campaigns, scenario-based assessments, and tabletop discussions — are more effective at reinforcing security behavior than passive video content.
The annual training cycle should be documented in your compliance calendar, with a defined completion deadline, a process for tracking completion, and an escalation process for employees who do not complete training by the deadline. Auditors will look for evidence that annual training completion is tracked and that non-completion is followed up on, not just that training was made available.
Component 3 — Role-Specific Training
ISO 27001 explicitly requires that training be relevant to the job function. A comprehensive security awareness program must go beyond generic all-employee training to provide role-specific content that addresses the security risks and responsibilities unique to each role.
Engineering and development teams need training that covers secure coding practices, the secure development lifecycle, identifying and reporting security vulnerabilities in code, the security implications of infrastructure configuration choices, and handling security-sensitive data in development and testing environments. Generic security awareness training that does not address development-specific risks is insufficient for engineering teams who have privileged access to production systems and who make daily decisions that affect security.
Finance and accounting teams need training that covers financial fraud risks — business email compromise, invoice fraud, and wire transfer fraud — as well as data-handling requirements for financial records and the specific phishing techniques that target finance functions. Finance teams are disproportionately targeted by social engineering attacks because they have access to financial systems and often have the authority to authorize payments — a risk explored further in the SOC 2 for fintech audit scope guide.
HR and people operations teams need training that covers handling sensitive employee personal data, background check data, payroll information, and health-related information, as well as the risks associated with onboarding and offboarding processes — particularly the risk of delayed access revocation when employees leave.
Customer-facing teams — sales, customer success, support — need training that covers how to handle customer data shared in the course of their work, the risks of phishing attacks that use customer relationship context as social engineering bait, and the process for escalating customer-reported security concerns.
Executive and leadership teams need training that covers the specific social engineering techniques targeting executives — CEO fraud and spear phishing for wire transfers or credential theft — as well as their responsibilities in the event of a significant security incident, including their role in breach notification decisions.
Component 4 — Phishing Simulation
Phishing simulation — sending simulated phishing emails to employees to test whether they click malicious links, enter credentials, or download attachments — is the most widely used practical security awareness exercise and is increasingly expected by SOC 2 and ISO 27001 auditors as evidence that training translates into behavioral change.
A phishing simulation program should run continuously — not as a one-time test but as an ongoing low-frequency program that sends simulated phishing emails to employees on a randomized schedule throughout the year. The goal is not to catch employees failing but to provide a realistic, low-stakes environment where employees can practice recognizing phishing attempts and receive immediate feedback when they fall for a simulation.
Simulation results should be tracked per employee over time. An employee who clicks a simulated phishing link should receive immediate just-in-time training on how to identify the phishing indicators they missed. Employees who repeatedly fall for simulations should receive additional targeted training. Aggregate simulation results over time — click rates, credential submission rates, report rates — provide a measurable indicator of security culture improvement.
Phishing simulation results are audit evidence. Your auditor will want to see that phishing simulations are conducted, that results are tracked, and that employees who fail simulations receive follow-up training. The trend in your simulation results over time — declining click rates, increasing report rates — demonstrates that your security awareness program is producing behavioral change.
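The aggregate metrics described above (click rate, credential submission rate, report rate, their trend across campaigns, and the repeat failers who need targeted training) as an added example; this is not code from the original article or from dsalta. The campaign data, the employee identifiers e1 to e10, and the outcome labels "ignored", "reported", "clicked" and "credentials" are constructed for the example; the only assumption in the arithmetic is that a credential submission counts as a click as well.

```python
"""Aggregate phishing-simulation metrics from per-recipient outcome records.

Constructed sample data: four quarterly campaigns over ten employees, each a
list of (employee, outcome) pairs. Computes per-campaign click, credential
submission and report rates, the trend from first to last campaign, and the
repeat failers who should receive targeted follow-up training.
"""
from collections import Counter

FAIL_OUTCOMES = {"clicked", "credentials"}  # entering credentials implies a click


def campaign_rates(records):
    """Rates for one campaign; records is a list of (employee, outcome)."""
    sent = len(records)
    counts = Counter(outcome for _, outcome in records)
    return {
        "sent": sent,
        "click_rate": (counts["clicked"] + counts["credentials"]) / sent,
        "credential_rate": counts["credentials"] / sent,
        "report_rate": counts["reported"] / sent,
    }


def trend(campaigns):
    """Delta of each rate from the first to the last campaign (rounded to 4 dp).

    The program is improving when click rate falls and report rate rises."""
    first = campaign_rates(campaigns[0][1])
    last = campaign_rates(campaigns[-1][1])
    deltas = {k: round(last[k] - first[k], 4)
              for k in ("click_rate", "credential_rate", "report_rate")}
    deltas["improving"] = deltas["click_rate"] < 0 and deltas["report_rate"] > 0
    return deltas


def repeat_failers(campaigns, threshold=2):
    """Employees who failed at least `threshold` simulations across all campaigns."""
    fails = Counter()
    for _, records in campaigns:
        for employee, outcome in records:
            if outcome in FAIL_OUTCOMES:
                fails[employee] += 1
    return sorted(e for e, n in fails.items() if n >= threshold)


# Constructed population and campaigns (not real simulation data).
STAFF = [f"e{i}" for i in range(1, 11)]


def _campaign(clicked=(), credentials=(), reported=()):
    """Build one campaign's records; anyone not listed ignored the email."""
    outcomes = {e: "ignored" for e in STAFF}
    for e in clicked:
        outcomes[e] = "clicked"
    for e in credentials:
        outcomes[e] = "credentials"
    for e in reported:
        outcomes[e] = "reported"
    return list(outcomes.items())


CAMPAIGNS = [
    ("2025-Q1", _campaign(clicked=["e1", "e2", "e3"], credentials=["e4"], reported=["e5", "e6"])),
    ("2025-Q2", _campaign(clicked=["e1", "e2"], reported=["e5", "e6", "e7"])),
    ("2025-Q3", _campaign(clicked=["e1"], reported=["e5", "e6", "e7", "e8"])),
    ("2025-Q4", _campaign(clicked=["e1"], reported=["e5", "e6", "e7", "e8", "e9", "e10"])),
]
```

Running `trend(CAMPAIGNS)` on the constructed data shows the click rate falling by 0.3 and the report rate rising by 0.4 between Q1 and Q4, which is the declining-click, rising-report trend the text describes as evidence of behavioral change; `repeat_failers(CAMPAIGNS)` names the two employees who failed twice or more and therefore need targeted training rather than another round of the generic module.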
Component 5 — Policy Acknowledgment
Security awareness training should be paired with formal policy acknowledgment — a documented record that each employee has read and understood the organization's key security policies. Policy acknowledgment serves both as evidence that policies have been communicated and as a mechanism to prevent employees from claiming ignorance of policy requirements when a violation occurs.
Policy acknowledgment should be obtained for the information security policy, the acceptable use policy, the data handling and classification policy, and any other policies that create specific obligations for employees. Acknowledgment should be renewed annually — aligned with the annual refresher training cycle — to ensure employees acknowledge any policy updates.
The acknowledgment record should include the employee's name, the specific policy or policies acknowledged, the version of each acknowledged policy, and the date of acknowledgment. This level of specificity is required to demonstrate to auditors that acknowledgment is genuine and current rather than a one-time signature that covers all future policy changes.
Component 6 — Security Culture Measurement
A mature security awareness program goes beyond training completion metrics to assess whether training produces genuine behavioral change. Security culture measurement — assessing employee attitudes toward security, their confidence in recognizing threats, and their behavior in security-relevant situations — provides a more meaningful indicator of program effectiveness than completion rates alone.
Practical indicators of security culture include the rate at which employees report suspected phishing emails through the official reporting channel, the number of security incidents attributed to employee error over time, the results of phishing simulations over time, the frequency and quality of security questions raised by employees during onboarding and training, and the rate at which employees voluntarily flag potential security concerns before they become incidents.
Annual security culture surveys — brief questionnaires that assess employee awareness, confidence, and attitude toward security — provide a qualitative complement to the quantitative metrics above. Survey results over time can identify departments or roles where security culture is weaker and where targeted training investment is most needed.
Evidence Your Auditor Will Look For
Both SOC 2 and ISO 27001 auditors evaluate security awareness training through a combination of document review and evidence testing. Understanding what auditors look for allows you to build your evidence collection process to produce exactly what is needed.
Training program documentation includes your written security awareness training policy or program description, the curriculum for onboarding training and annual refresher training, role-specific training content, phishing simulation program documentation, and policy acknowledgment procedures. Your auditor will review this documentation to assess whether your program is designed to satisfy the framework requirements.
Individual completion records are the primary operational evidence for security awareness training. Your auditor will select a sample of employees — typically including recent hires, long-tenured employees, and employees in different functional roles — and verify that each selected employee completed the required training within the required timeframe. Completion records must be specific — employee name, training module, completion date — not aggregate statistics.
Policy acknowledgment records for the same sample of employees will be reviewed to confirm that acknowledgments are current and specific.
Phishing simulation records will be reviewed, including the frequency of simulations conducted during the audit period, aggregate results, and evidence of follow-up training for employees who failed simulations.
Evidence of training for non-employees — contractors, temporary workers, and other individuals with access to in-scope systems — demonstrates that your program extends beyond direct employees to all relevant personnel.
Training content currency — evidence that your training content has been reviewed and updated to reflect current threats, updated policies, and lessons learned from incidents. Training content that has not been updated in three or more years raises questions about whether the program is genuinely maintained or merely exists on paper.
Common Audit Findings in Security Awareness Training
Across SOC 2 and ISO 27001 audits, security awareness training yields consistent findings — many of which overlap with the top 10 compliance audit findings of 2025.
Incomplete completion records. The organization has a training program, but completion records are maintained in a spreadsheet or an informal system that cannot produce individual-level evidence for auditor sampling. The remediation is to implement a training platform that produces automated, individual-level completion records and that makes those records easily exportable for audit purposes.
No role-specific training for high-risk roles. Generic all-employee training exists, but engineering, finance, and executive teams have not received role-specific training on the security risks relevant to their roles. ISO 27001 auditors in particular will flag this gap because the standard explicitly requires role-appropriate training.
Phishing simulation not conducted. The organization has written security awareness training, but has never conducted a phishing simulation. Auditors increasingly treat phishing simulation as an expected operational control rather than an advanced practice. This finding is straightforward to remediate by implementing a phishing simulation platform — most training platforms include simulation capabilities.
Policy acknowledgment not current. Employees acknowledged security policies at onboarding, but acknowledgment has not been renewed annually to reflect policy updates. Implement an annual policy acknowledgment cycle aligned with your annual refresher training.
Training content not updated. The training curriculum was developed when the company first pursued compliance certification and has not been meaningfully updated since. Training content should be reviewed annually and updated to reflect new threats, regulatory changes, and lessons learned from internal incidents and industry events.
Contractors and third parties are not covered. The training program covers direct employees, but individuals who access in-scope systems under contract — consultants, temporary workers, managed service providers — have not been required to complete equivalent training. Define your training requirements for non-employee individuals with system access, and implement a mechanism to track their completion.
No evidence of follow-up for incomplete training. Completion tracking exists, but non-completion is not followed up on. Employees who miss the training deadline continue to have system access without completing the required training. Implement a defined escalation process — automated reminders followed by manager notification and, if necessary, access suspension — to ensure completion rates remain high and are consistently enforced.
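The individual-level evidence described in this section and in the evidence section above (named-person completion records, role-specific modules, policy acknowledgments carrying a policy version and date, follow-up after failed simulations, and an escalation ladder for overdue training), as an added example that is not code from the original article or from dsalta. The `Person` record, the module and policy names, the current policy versions, the 14-day and 30-day escalation thresholds, the three sample people and the as-of date are all constructed assumptions for the example; neither SOC 2 nor ISO 27001 prescribes those thresholds.

```python
"""Individual-level audit evidence checks for a security awareness program.

Constructed sample data: three people, a current policy-version table and an
as-of date. Escalation thresholds and module names are assumptions."""
from dataclasses import dataclass, field
from datetime import date

RENEWAL_DAYS = 365  # annual refresher and annual acknowledgment cycle
# Current version of each policy that must be acknowledged (constructed values).
CURRENT_POLICY_VERSIONS = {"infosec-policy": "3.1", "acceptable-use": "2.0"}
# Role-specific modules beyond the all-employee curriculum (constructed names).
ROLE_MODULES = {"engineering": ["secure-coding"], "finance": ["bec-and-invoice-fraud"],
                "support": ["customer-data-handling"]}


@dataclass
class Person:
    name: str
    role: str
    start_date: date
    is_contractor: bool = False  # contractors with system access are in scope too
    completions: dict = field(default_factory=dict)  # module -> completion date
    acks: dict = field(default_factory=dict)  # policy -> (version, ack date)
    failed_simulations: list = field(default_factory=list)  # dates of failures
    followup_training: list = field(default_factory=list)  # just-in-time training dates


def escalation_stage(days_overdue: int) -> str:
    """Assumed ladder: reminders, then manager notification, then access suspension."""
    if days_overdue <= 0:
        return "none"
    if days_overdue <= 14:
        return "automated reminder"
    if days_overdue <= 30:
        return "manager notification"
    return "access suspension"


def person_findings(p: Person, as_of: date) -> list:
    """Return the findings an auditor would raise for one sampled person."""
    who = f"{p.name} ({'contractor' if p.is_contractor else 'employee'}, {p.role})"
    findings = []
    # 1. Awareness currency: onboarding at hire, then a refresher every RENEWAL_DAYS.
    awareness = [d for m, d in p.completions.items() if m in ("onboarding", "annual-refresher")]
    if not awareness:
        findings.append(f"{who}: no onboarding training on record (started {p.start_date})")
    else:
        overdue = (as_of - max(awareness)).days - RENEWAL_DAYS
        if overdue > 0:
            findings.append(f"{who}: annual refresher overdue by {overdue} days; "
                            f"escalation stage '{escalation_stage(overdue)}'")
    # 2. Role-specific training (ISO 27001 A.6.3: relevant to the job function).
    for module in ROLE_MODULES.get(p.role, []):
        if module not in p.completions:
            findings.append(f"{who}: missing role-specific module '{module}'")
    # 3. Acknowledgment must name the current policy version and be renewed annually.
    for policy, current in CURRENT_POLICY_VERSIONS.items():
        ack = p.acks.get(policy)
        if ack is None:
            findings.append(f"{who}: no acknowledgment of '{policy}'")
        elif ack[0] != current:
            findings.append(f"{who}: '{policy}' acknowledged at version {ack[0]}, current is {current}")
        elif (as_of - ack[1]).days > RENEWAL_DAYS:
            findings.append(f"{who}: '{policy}' acknowledgment is {(as_of - ack[1]).days} days old")
    # 4. Every failed simulation needs follow-up training on or after the failure date.
    for failed in p.failed_simulations:
        if not any(f >= failed for f in p.followup_training):
            findings.append(f"{who}: failed simulation on {failed} with no follow-up training")
    return findings


def audit_sample(people: list) -> list:
    """Auditor-style sample: newest hire, longest-tenured person, one person per role."""
    by_start = sorted(people, key=lambda q: q.start_date)
    chosen, seen_roles = {by_start[0].name, by_start[-1].name}, set()
    for q in by_start:
        if q.role not in seen_roles:
            seen_roles.add(q.role)
            chosen.add(q.name)
    return sorted(chosen)


def audit_report(people: list, as_of: date) -> dict:
    """Map each sampled person's name to their findings (empty list means clean)."""
    sampled = set(audit_sample(people))
    return {q.name: person_findings(q, as_of) for q in people if q.name in sampled}


# Constructed sample population; not real people or real records.
AS_OF = date(2026, 3, 1)
PEOPLE = [
    Person("Alice", "engineering", date(2024, 1, 15),
           completions={"onboarding": date(2024, 1, 16), "annual-refresher": date(2025, 6, 10),
                        "secure-coding": date(2025, 6, 12)},
           acks={"infosec-policy": ("3.1", date(2025, 6, 10)), "acceptable-use": ("2.0", date(2025, 6, 10))},
           failed_simulations=[date(2025, 9, 3)], followup_training=[date(2025, 9, 3)]),
    Person("Bob", "finance", date(2023, 5, 1),
           completions={"onboarding": date(2023, 5, 2), "annual-refresher": date(2025, 1, 20)},
           acks={"infosec-policy": ("2.4", date(2023, 5, 2)), "acceptable-use": ("2.0", date(2025, 6, 15))},
           failed_simulations=[date(2025, 11, 12)]),
    Person("Carol", "support", date(2026, 2, 20), is_contractor=True),
]
```

Calling `audit_report(PEOPLE, AS_OF)` returns no findings for Alice, four for Bob (a refresher 40 days overdue and already at the access-suspension stage, a missing finance module, an acknowledgment of a superseded policy version, and a failed simulation with no follow-up) and four for Carol, the contractor with access but no onboarding record. Each finding names the person, the module or policy, and the date, which is the level of specificity the text says auditors sample for; a spreadsheet that only reports a completion percentage cannot produce any of these lines.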
Choosing a Security Awareness Training Platform
Manual security awareness training — sending policy documents by email, tracking completion in a spreadsheet, running ad hoc phishing tests — is not sustainable beyond a small team. A dedicated security awareness training platform automates curriculum delivery, tracks completion at the individual level, runs phishing simulations on a defined schedule, manages policy acknowledgment, and produces the audit-ready reports that make evidence collection straightforward.
When evaluating platforms, the most important functional requirements are individual-level completion tracking with audit-ready reporting, a phishing simulation module with a library of templates and automatic follow-up training for failures, role-based training assignment capabilities, policy acknowledgment workflows with version control, integration with your HR platform for automatic enrollment of new hires and offboarding of departing employees, and content currency — platforms that update their content library regularly to reflect new threats and regulatory changes.
The HR integration requirement deserves particular emphasis. Security awareness training completion gaps most commonly occur at onboarding — new hires who join between training cycles miss the standard program — and at offboarding — departed employees whose training records remain in the system and inflate your completion statistics after they have left. A platform that automatically enrolls new hires in onboarding training on their start date and removes departed employees from active tracking eliminates both operational gaps.
Content quality matters more than content volume. A platform with two thousand training modules that are generic, dated, and produced with low production values is less effective than a platform with two hundred modules that are current, engaging, relevant to the threats your employees actually face, and produced in a format that employees will pay attention to. Evaluate content quality by reviewing sample modules for the specific roles and topics most relevant to your organization before committing to a platform.
Security awareness training is one of the highest-return compliance investments a SaaS company can make. The cost of a training program — platform subscription, employee time, program management — is a fraction of the cost of a single phishing-related security incident, a data breach caused by credential compromise, or an audit finding that delays a compliance certification. More fundamentally, it is the control that most directly addresses the human dimension of security risk — the reality that your organization's security posture is only as strong as the least security-aware person with access to your systems on any given day.
dsalta helps SaaS companies build and maintain security awareness training programs that satisfy SOC 2 and ISO 27001 requirements, produce audit-ready evidence, and generate measurable improvements in security culture over time.