Question: Has the organization established a formal information-security and privacy awareness program?
Why This Matters
A structured awareness program builds a culture of shared responsibility. It reduces human-error incidents and supports compliance outcomes.
Maturity
0 — Unaware
No awareness activities or schedule.
1 — Ad Hoc
Occasional emails or posters.
2 — Defined
Annual training calendar and policy established.
3 — Managed
Completion tracked; refresher cycles defined.
4 — Integrated
Program linked to risk, incidents, and onboarding.
5 — Optimized
Adaptive, data-driven awareness with continuous learning.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Send periodic awareness emails or posters. |
| 1 → 2 | Develop annual training plan approved by management. |
| 2 → 3 | Track completion metrics and refresher due dates. |
| 3 → 4 | Link awareness topics to recent incidents. |
| 4 → 5 | Adopt adaptive micro-learning based on risk trends. |
Enablers
- People: HR Head, CISO, Training Coordinator
- Process: Plan → Deliver → Track → Review
- Technology: LMS, survey platform, analytics dashboard
Evidence
- Annual training plan
- Completion reports
- Awareness materials
KPIs
- Completion rate per quarter
- Number of campaigns executed
- Average score in post-training quiz
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Training delivery | Moodle / Google Classroom | Free LMS platforms |
| Tracking | Airtable | Attendance register |
| Gamification | Kahoot / Mentimeter | Interactive quizzes |
Common Pitfalls
- One-time training without reinforcement
- No tracking or evidence
- Irrelevant content for roles
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001 | 7.3 (Awareness) |
| DPDP Act 2023 | Sec 10 (Accountability & Training) |
| NIST CSF 2.0 | GV.PO / PR.AT |
| NIRMATA Mapping | AC-Q01 anchors the organization-wide awareness program. |