Question: Is role-based security and privacy training delivered for key functions (e.g., IT, HR, Legal, Finance, Developers)?
Why This Matters
Generic awareness training alone is insufficient: it does not cover the specific threats and obligations each function faces (privileged access for IT, personal data for HR and Legal, payment fraud for Finance, secure coding for Developers). Function-specific modules put accountability where the risk is concentrated.
Maturity
0 — Unaware
No differentiation in training content.
1 — Ad Hoc
Occasional deep-dives for IT only.
2 — Defined
Role mapping performed; custom modules drafted.
3 — Managed
Training assigned per role; completion tracked.
4 — Integrated
Curriculum linked to job description and risk profile.
5 — Optimized
Adaptive learning paths generated automatically by role data.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Identify high-risk roles (IT, HR, Dev, Finance). |
| 1 → 2 | Draft custom modules for each function. |
| 2 → 3 | Assign courses in LMS with tracking. |
| 3 → 4 | Integrate training plan into HR onboarding. |
| 4 → 5 | Automate course assignment using role metadata. |
Enablers
- People: CISO, HR Manager, Department Heads
- Process: Identify → Design → Deliver → Track
- Technology: LMS, HRMS integration
Evidence
- Role-to-training matrix
- Completion reports by department
- Updated content repository
KPIs
- Number of roles with specific training
- Completion rate per function
- Average assessment score improvement (pre-module vs post-module, per function)
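The 4 → 5 step (assign courses from role metadata) and the KPIs above can be produced from three inputs an MSME already has: an HR role export, a role-to-training matrix, and an LMS completion export. The script below is an added example, not code from the original page or from any LMS or HRMS vendor; the role names, course codes and all employee data are constructed for illustration. It derives each employee's required modules from their role, computes completion rate per function, and flags two of the pitfalls listed later on the page: technical staff whose required modules show no completion, and functions present in HR data that have no role-specific module at all.

```python
"""Added example: role-based course assignment and KPI reporting from
constructed HR and LMS exports. Course codes and roles are assumptions."""
from collections import defaultdict

# Role-to-training matrix (assumed course codes). Every employee gets the
# baseline awareness module; function-specific modules are added per role.
BASELINE = "SEC-100"
ROLE_MATRIX = {
    "IT":        ["SEC-210-ADMIN", "SEC-230-IR"],
    "HR":        ["PRIV-310-PII"],
    "Legal":     ["PRIV-320-DPDP"],
    "Finance":   ["SEC-240-BEC"],
    "Developer": ["SEC-250-SECURE-CODE", "SEC-260-SUPPLY-CHAIN"],
}

# Constructed HR feed: employee id -> function/role.
HR_FEED = [
    {"id": "e001", "role": "IT"},
    {"id": "e002", "role": "Developer"},
    {"id": "e003", "role": "Developer"},
    {"id": "e004", "role": "HR"},
    {"id": "e005", "role": "Finance"},
    {"id": "e006", "role": "Marketing"},   # no role-specific module defined
]

# Constructed LMS completion export: (employee id, course) pairs completed.
LMS_COMPLETIONS = {
    ("e001", "SEC-100"), ("e001", "SEC-210-ADMIN"),
    ("e002", "SEC-100"), ("e002", "SEC-250-SECURE-CODE"), ("e002", "SEC-260-SUPPLY-CHAIN"),
    ("e003", "SEC-100"),
    ("e004", "SEC-100"), ("e004", "PRIV-310-PII"),
    ("e005", "SEC-100"), ("e005", "SEC-240-BEC"),
    ("e006", "SEC-100"),
}


def assign_courses(hr_feed, matrix=ROLE_MATRIX, baseline=BASELINE):
    """Return {employee id: set of required courses} derived from role metadata."""
    assignments = {}
    for rec in hr_feed:
        required = {baseline} | set(matrix.get(rec["role"], []))
        assignments[rec["id"]] = required
    return assignments


def completion_rate_by_function(hr_feed, assignments, completions):
    """KPI: fraction of required courses completed, aggregated per function."""
    required = defaultdict(int)
    done = defaultdict(int)
    for rec in hr_feed:
        for course in assignments[rec["id"]]:
            required[rec["role"]] += 1
            if (rec["id"], course) in completions:
                done[rec["role"]] += 1
    return {role: done[role] / required[role] for role in required}


def untracked_staff(hr_feed, assignments, completions):
    """Pitfall check: employees with required modules that show no completion."""
    gaps = {}
    for rec in hr_feed:
        missing = sorted(c for c in assignments[rec["id"]]
                         if (rec["id"], c) not in completions)
        if missing:
            gaps[rec["id"]] = missing
    return gaps


def roles_without_specific_training(hr_feed, matrix=ROLE_MATRIX):
    """KPI gap: functions present in HR data that have no role-specific module."""
    return sorted({rec["role"] for rec in hr_feed} - set(matrix))


if __name__ == "__main__":
    assignments = assign_courses(HR_FEED)
    print("completion by function:", completion_rate_by_function(HR_FEED, assignments, LMS_COMPLETIONS))
    print("untracked staff:", untracked_staff(HR_FEED, assignments, LMS_COMPLETIONS))
    print("roles with no specific module:", roles_without_specific_training(HR_FEED))
```

Feeding the same three inputs from real exports (CSV from the HRMS, a completion report from Moodle) is enough to produce the role-to-training matrix and completion-by-department evidence listed below; the untracked-staff list is the item to review before claiming level 3.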
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| LMS | Moodle | Supports role-based courses |
| Tracking | Airtable | Custom role matrix |
| Automation | n8n | Assign courses from HR feed |
Common Pitfalls
- Same content for all employees
- No tracking of technical staff training
- Modules never updated for new roles
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001 | 7.2 / 7.3 |
| DPDP Act 2023 | Sec 10 (Accountability and Training) |
| NIST CSF 2.0 | PR.AT-01 (awareness), PR.AT-02 (training for specialized roles) / GV.RR (roles, responsibilities and authorities) |
| NIRMATA Mapping | AC-Q05 implements role-specific learning. |