Question: Is the awareness and culture program periodically reviewed for effectiveness and improvement?
Why This Matters
A review cycle ensures the program evolves with new threats, business priorities, and user feedback.
Maturity
0 — Unaware
No review or evaluation of program effectiveness.
1 — Ad Hoc
Feedback collected informally after sessions.
2 — Defined
Annual review meeting scheduled.
3 — Managed
Metrics and survey results evaluated for improvement.
4 — Integrated
Review inputs from risk, HR, and incident functions.
5 — Optimized
Automated dashboards and continuous feedback loops.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Gather basic participant feedback. |
| 1 → 2 | Schedule annual review session. |
| 2 → 3 | Analyze metrics and identify gaps. |
| 3 → 4 | Include risk and incident data in review. |
| 4 → 5 | Implement continuous learning dashboard. |
Enablers
- People: CISO, HR Training Manager, Comms Lead
- Process: Collect → Review → Plan → Improve
- Technology: Survey tool, dashboard platform
Evidence
- Review meeting minutes
- Updated training plan
- Metrics comparison year on year
KPIs
- Number of actions implemented post-review
- Program score improvement
- Feedback rating increase
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Feedback | Google Forms | Survey collection |
| Dashboards | Metabase | Trend analytics |
| Scheduling | Google Calendar | Annual review reminders |
Common Pitfalls
- Feedback collected but never acted upon
- No multi-department inputs
- Metrics not tracked year to year
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001 | 9.1 / 9.3 / 10.2 |
| DPDP Act 2023 | Sec 10 (Accountability Review) |
| NIST CSF 2.0 | GV.MA / PR.AT |
| NIRMATA Mapping | AC-Q12 closes the loop on culture program improvement. |