Question: Is onboarding training provided to new employees, contractors, and interns before granting system access?
Why This Matters
Embedding security culture from day one reduces onboarding risk and ensures staff understand obligations before handling data.
Maturity
0 — Unaware
No onboarding security training.
1 — Ad Hoc
Awareness shared verbally by supervisors.
2 — Defined
Formal onboarding module mandatory for new staff.
3 — Managed
Completion tracked by HR before system access.
4 — Integrated
Content updated with latest threats and policy changes.
5 — Optimized
Gamified interactive onboarding with behavior metrics.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Add basic security slides to orientation. |
| 1 → 2 | Develop mandatory module with quiz. |
| 2 → 3 | Link completion to HR system before account creation. |
| 3 → 4 | Refresh content quarterly for new risks. |
| 4 → 5 | Use interactive LMS with scenario-based learning. |
Enablers
- People: HR Manager, Training Lead, IT Admin
- Process: Enroll → Train → Assess → Grant Access
- Technology: HRMS integration, LMS, certificate generator
Evidence
- Training records for new hires
- Access approval logs
- Quiz scores and certificates
KPIs
- Completion rate before access granted
- Average quiz score
- Number of late completions
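A check that computes these KPIs by joining training records with access approval logs, added here as an example and not taken from the original page or any HR/IAM product; the record layouts, field names and sample rows are assumed and constructed:

```python
from datetime import datetime

# Constructed sample data (not from any real HR or IAM system).
# TRAINING_RECORDS: one row per person from the HR/LMS export.
# ACCESS_LOGS: account-creation events from the access approval log.
TRAINING_RECORDS = [
    {"id": "E001", "type": "employee",   "completed": "2024-03-01T10:00:00", "score": 90},
    {"id": "E002", "type": "contractor", "completed": "2024-03-05T09:30:00", "score": 75},
    {"id": "E003", "type": "intern",     "completed": None,                  "score": None},
    {"id": "E004", "type": "employee",   "completed": "2024-03-02T15:00:00", "score": 85},
]
ACCESS_LOGS = [
    {"id": "E001", "granted": "2024-03-02T08:00:00"},
    {"id": "E002", "granted": "2024-03-04T08:00:00"},  # access granted before training finished
    {"id": "E003", "granted": "2024-03-06T08:00:00"},  # access granted with no training record
    {"id": "E004", "granted": "2024-03-03T08:00:00"},
]


def onboarding_kpis(training, access):
    """Return the onboarding KPIs plus the records behind each exception."""
    by_id = {r["id"]: r for r in training}
    granted_total = 0
    trained_before_access = 0
    late_completions = []   # pitfall: training after access granted
    no_evidence = []        # pitfall: no record, e.g. contractors and interns
    for event in access:
        granted_total += 1
        rec = by_id.get(event["id"])
        if rec is None or rec["completed"] is None:
            no_evidence.append(event["id"])
            continue
        completed = datetime.fromisoformat(rec["completed"])
        granted = datetime.fromisoformat(event["granted"])
        if completed <= granted:
            trained_before_access += 1
        else:
            late_completions.append(event["id"])
    scores = [r["score"] for r in training if r["score"] is not None]
    return {
        "completion_rate_before_access": (trained_before_access / granted_total) if granted_total else 0.0,
        "late_completions": late_completions,
        "no_evidence": no_evidence,
        "average_quiz_score": (sum(scores) / len(scores)) if scores else None,
    }


if __name__ == "__main__":
    print(onboarding_kpis(TRAINING_RECORDS, ACCESS_LOGS))
```

Any id in `late_completions` or `no_evidence` is a direct finding against the "Completion tracked by HR before system access" control, so the same join can gate account creation rather than only report on it afterwards.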
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| LMS | Moodle | Automated onboarding module |
| Tracking | Airtable | Link to employee IDs |
| Certificates | Canva template + Mail merge | Issue PDF certificates |
Common Pitfalls
- Training after access granted
- No evidence for contractors and interns
- Quiz never updated
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001 | 7.2 (Competence) / 7.3 (Awareness) |
| DPDP Act 2023 | Sec 10 (Accountability & Training) |
| NIST CSF 2.0 | PR.AT |
| NIRMATA Mapping | AC-Q03 ensures secure onboarding awareness. |